1) AuthnProviderAlias supports AuthBasicProvider of the mod_auth_basic module for authentication with "ldap". Reference: https://httpd.apache.org/docs/2.4/mod/mod_authn_core.html

Whereas AuthnProviderAlias does not support AuthDigestProvider of the mod_auth_digest module for authentication with "ldap". The configuration below does not work with AuthDigestProvider for "ldap":

    # Basic Authentication provider
    <AuthnProviderAlias ldap MyEnterpriseLdap>
        AuthLDAPURL "ldap://machine1.abcd.com:389/CN=Users,DC=abcd,DC=com?sAMAccountName?sub?(objectClass=*)"
        AuthLDAPBindDN "CN=rohit,CN=Users,DC=abcd,DC=com"
        AuthLDAPBindPassword "abc123"
        LDAPReferrals Off
    </AuthnProviderAlias>

    # Authenticated resources
    <LocationMatch ^/+WebApp/+(;.*)?>
        AuthName "WebApp"
        AuthType Basic
        AuthBasicProvider MyEnterpriseLdap
        Require valid-user
    </LocationMatch>

2) Moreover, are there any plans to implement "auth-int" for the AuthDigestQop directive? https://httpd.apache.org/docs/2.4/mod/mod_auth_digest.html#page-header

3) There will be a blocking issue in the second half of calendar year 2020, when Microsoft addresses CVE-2017-8563 (https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2017-8563), a set of unsafe default configurations for LDAP channel binding and LDAP signing which exist on Active Directory domain controllers and let LDAP clients communicate with them without enforcing LDAP channel binding and LDAP signing. Thus the LDAP simple binds now need to be converted into SASL like DIGEST-MD5, with support added for signing through qop as "auth-int". Can someone please have a look into the issue?

This will cause all LDAP applications which use AuthType "Basic" to move to port 636 and switch to SSL/TLS. However, when SASL (DIGEST-MD5) with signing (auth-int) is used, LDAP clients that enable or support signing can connect over port 389.

Thanks,
--Rohit
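The following is an added example, not part of the bug report above and not Apache project code, showing how the posted AuthnProviderAlias can be kept while moving the simple bind off cleartext port 389, which is what the report expects to become necessary once domain controllers enforce LDAP signing or channel binding. It does not change the authentication method: mod_authnz_ldap only offers a bind-based check and does not implement the realm-hash lookup that mod_auth_digest requires from a provider, so aliasing cannot make the "ldap" provider usable with AuthDigestProvider. Hostnames, DNs, certificate paths, the helper program path and the alias names are placeholders; the directives and their syntax are from the httpd 2.4 mod_ldap and mod_authnz_ldap documentation.

```apache
# Added example, not from the original report. Server-config scope:
# trust the CA that issued the domain controller's certificate and
# refuse connections whose certificate does not verify against it.
LDAPTrustedGlobalCert CA_BASE64 /etc/ssl/certs/abcd-root-ca.pem   # placeholder path
LDAPVerifyServerCert On

# Weak form (the report's configuration): simple bind, bind password in the
# clear on port 389 and stored verbatim in httpd.conf.
#<AuthnProviderAlias ldap MyEnterpriseLdap>
#    AuthLDAPURL "ldap://machine1.abcd.com:389/CN=Users,DC=abcd,DC=com?sAMAccountName?sub?(objectClass=*)"
#    AuthLDAPBindDN "CN=rohit,CN=Users,DC=abcd,DC=com"
#    AuthLDAPBindPassword "abc123"
#    LDAPReferrals Off
#</AuthnProviderAlias>

# Hardened form 1: LDAPS on port 636. The bind DN and every user's simple
# bind now travel inside TLS. The bind password is read from the first line
# printed by a helper program (exec: form, available since httpd 2.4.5)
# instead of sitting in the configuration file.
<AuthnProviderAlias ldap MyEnterpriseLdapTls>
    AuthLDAPURL "ldaps://machine1.abcd.com:636/CN=Users,DC=abcd,DC=com?sAMAccountName?sub?(objectClass=*)"
    AuthLDAPBindDN "CN=svc-httpd,CN=Users,DC=abcd,DC=com"          # placeholder service account
    AuthLDAPBindPassword "exec:/usr/local/sbin/ldap-bind-pass"     # placeholder helper
    LDAPReferrals Off
</AuthnProviderAlias>

# Hardened form 2: stay on port 389 but upgrade the connection with
# StartTLS by appending the TLS mode keyword after the URL. The server
# must offer StartTLS and its certificate is verified as above.
<AuthnProviderAlias ldap MyEnterpriseLdapStartTls>
    AuthLDAPURL "ldap://machine1.abcd.com:389/CN=Users,DC=abcd,DC=com?sAMAccountName?sub?(objectClass=*)" TLS
    AuthLDAPBindDN "CN=svc-httpd,CN=Users,DC=abcd,DC=com"
    AuthLDAPBindPassword "exec:/usr/local/sbin/ldap-bind-pass"
    LDAPReferrals Off
</AuthnProviderAlias>

# The protected resource is unchanged apart from pointing at the TLS alias.
<LocationMatch "^/+WebApp/+(;.*)?">
    AuthName "WebApp"
    AuthType Basic
    AuthBasicProvider MyEnterpriseLdapTls
    Require valid-user
</LocationMatch>
```

Two checks worth doing after the change: confirm the error log shows no "LDAP: SSL support unavailable" (the APR LDAP layer must have been built with an SSL toolkit), and verify the certificate path is correct by temporarily pointing LDAPTrustedGlobalCert at a wrong CA, which should make every bind fail. Note that moving the back-end bind to TLS does nothing for the front end: AuthType Basic still sends the user's password to httpd in the clear unless the site itself is served over HTTPS.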