Re: LDAP Apache authorization - presupplying user & password ?



> 
> Hi,
> 
> Not sure this is an LDAP or an Apache question, but I'll try here first.
> 
> I'm using the auth_ldap module to restrict access to an area on my
> Apache server according to my LDAP database.
> 
> Is there a way to get through the authorization by supplying the
> username and password in anticipation of the authorization challenge? I
> want to have a login page which captures username and password which it
> uses to authenticate access, and if successful, serve up a page inside
> the restricted area. I could just use the pop-up window that the browser
> supplies but AFAIK you can't then obtain the password string the user
> supplied. I kinda need both because the page to access is an 'update
> profile' page which I want to bind as the user, thereby restricting
> writeable attributes. Otherwise I would need to have the update page
> always bind as some write capable servant account, in which case there's
> no point having attributes writeable by self ? Or as a kludge, get the
> user to supply password again for a profile update (a bit tedious!).
> 
> sorry if this is barely on topic.
> 
> 
> Tim Fulcher

You are right, it is barely on topic! :-)

The way the authentication works in Apache (and due to how HTTP handles
authentication) makes it difficult to do what you want to do.  Indeed
your easiest answer is to have them enter the password via the pop-up
dialog, then have them enter it again when they want to update.
This may seem tedious, but it is actually wise because you never know
how long that browser has been sitting there, or who might be typing.

It would be possible to do what you want, but it would require hacking
the internals of Apache to make that password available.  There is a
tcl_auth routine which could be reprogrammed (via Tcl) to make the password
available to other Tcl code, which can use a Tcl LDAP extension to modify
the LDAP database.

Randy
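
An added example, not part of the original thread: with the re-prompt approach, the update handler turns form input into the DN it binds as and a modify record for that same entry, so the directory's self-write rules decide what is accepted. The sketch below builds both without letting form input alter the DN or smuggle extra LDIF lines. The base DN, the `uid` naming attribute and all function names are assumptions for illustration.

```python
import base64
import re

# Assumed directory layout for this example (not from the thread).
PEOPLE_BASE = "ou=people,dc=example,dc=com"
ATTR_NAME = re.compile(r"[A-Za-z][A-Za-z0-9-]*")  # attribute short name


def escape_rdn_value(value: str) -> str:
    """Escape form input for use as an RDN value (RFC 4514)."""
    if not value:
        raise ValueError("empty username")
    out = []
    for ch in value:
        if ch in '"+,;<>\\=':
            out.append("\\" + ch)
        elif ch == "\x00":
            out.append("\\00")
        else:
            out.append(ch)
    if out[0] in (" ", "#"):
        out[0] = "\\" + out[0]
    if out[-1] == " ":
        out[-1] = "\\ "
    return "".join(out)


def user_dn(username: str) -> str:
    """DN to bind as and to modify: the user's own entry."""
    return f"uid={escape_rdn_value(username)},{PEOPLE_BASE}"


def ldif_line(attr: str, value: str) -> str:
    """'attr: value', base64-encoded when the value is not LDIF-safe."""
    raw = value.encode("utf-8")
    safe = not raw or (raw[0] not in b" :<" and raw[-1:] != b" "
                       and all(0x20 <= b < 0x7F for b in raw))
    if safe:
        return f"{attr}: {value}"
    return f"{attr}:: {base64.b64encode(raw).decode('ascii')}"


def self_update_ldif(username: str, changes: dict) -> str:
    """LDIF modify record for the user's own entry, one replace per attribute."""
    lines = [ldif_line("dn", user_dn(username)), "changetype: modify"]
    for attr, value in changes.items():
        if not ATTR_NAME.fullmatch(attr):
            raise ValueError(f"bad attribute name: {attr!r}")
        lines += [f"replace: {attr}", ldif_line(attr, value), "-"]
    return "\n".join(lines) + "\n"
```

The record is submitted over a simple bind as `user_dn(username)` with the password re-entered on the update form, for example through OpenLDAP's `ldapmodify -x -D <dn> -W`; the password is used for that bind only and is not stored.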