I once spent some time thinking about this.
I think you'd have to implement some sort of magic extended operation on the LDAP server so that it would, given a user, realm, snonce, and cnonce, return to you the hash of all the above with the user's password. That hash could then be strcmp'd with the hash that the client sends at the Apache authentication plugin. It wouldn't be impossible, but it isn't in there right now, and might have security implications.
I've also thought about implementing a middle-man Apache plugin that would go back to the LDAP server with a bind request for the web user coming in. The LDAP server will give you an snonce and a realm, which you would forward on to the browser; the browser would select a cnonce and perform the hashing, sending in a big ole' hash. The Apache plugin would then have to forward that hash (along with the cnonce, the snonce, and the realm) in the bind request to the LDAP server. The LDAP server would then do the bind and respond appropriately. (Slow.....)
It's been a while since I've played with implementation details of Digest Auth, but the SASL and HTTP digest schemes are almost identical. Of course, Digest Auth is _rarely_ used; IE is the only client that I know of, and I think it implements the older Digest RFC rather than RFC2069 (but I might be wrong).
Either way you slice it, it isn't very easy, and client support for DigestAuth is terrible. Good Luck.
From: Laxmi Thota [mailto:firstname.lastname@example.org]
Sent: Friday, November 30, 2001 8:57 AM
Subject: Can HTTP DIGEST authentication be implemented via using
I need to implement HTTP DIGEST authentication. I would like to know if it is possible to use LDAP-SASL-DIGEST-MD5 to implement it. Has anyone tried this before?
Is there a way to pass "digest-uri" through ldap_sasl_bind_s (variations of
If this is not possible, can anyone suggest alternatives?
Thanks in advance,
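The hashing the reply above describes, as an added example (not code from either message in the thread): how the HTTP Digest (RFC 2617) and SASL DIGEST-MD5 (RFC 2831) client responses are both derived from the same H(user:realm:password) secret, which is exactly what a verifier (the "extended operation" on the LDAP server) would have to hold to check either one. User, realm, nonces, URIs and passwords are constructed sample values.

```python
from hashlib import md5
import hmac

def hexmd5(data: bytes) -> str:
    return md5(data).hexdigest()

def urp_hash(user: str, realm: str, password: str) -> bytes:
    """H(username:realm:password) as raw bytes: the only secret a verifier needs.
    It is password-equivalent for both schemes, so it must be protected like the
    password itself (the 'security implications' the reply mentions)."""
    return md5(f"{user}:{realm}:{password}".encode()).digest()

def http_digest_response(urp: bytes, nonce: str, nc: str, cnonce: str,
                         method: str, uri: str, qop: str = "auth") -> str:
    """RFC 2617 response, algorithm=MD5, qop=auth. HA1 is the hex form of the urp hash."""
    ha1 = urp.hex()
    ha2 = hexmd5(f"{method}:{uri}".encode())
    return hexmd5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}".encode())

def sasl_digest_md5_response(urp: bytes, nonce: str, nc: str, cnonce: str,
                             digest_uri: str, qop: str = "auth") -> str:
    """RFC 2831 response. A1 is the *raw* 16-byte urp hash followed by ':nonce:cnonce',
    and A2 is 'AUTHENTICATE:digest-uri' instead of 'METHOD:uri'; the rest matches HTTP."""
    ha1 = hexmd5(urp + f":{nonce}:{cnonce}".encode())
    ha2 = hexmd5(f"AUTHENTICATE:{digest_uri}".encode())
    return hexmd5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}".encode())

def check(client_password: str, stored_urp: bytes) -> dict:
    """The client derives both responses from its password; the verifier recomputes
    them from the stored urp hash only (never the cleartext password) and compares
    in constant time. All protocol values here are constructed samples."""
    user, realm = "webuser", "example.org"
    nonce, cnonce, nc = "dcd98b7102dd2f0e8b11d0f600bfb0c093", "0a4f113b", "00000001"
    client_urp = urp_hash(user, realm, client_password)
    http_resp = http_digest_response(client_urp, nonce, nc, cnonce, "GET", "/private/")
    sasl_resp = sasl_digest_md5_response(client_urp, nonce, nc, cnonce, "ldap/ldap.example.org")
    http_ok = hmac.compare_digest(
        http_digest_response(stored_urp, nonce, nc, cnonce, "GET", "/private/"), http_resp)
    sasl_ok = hmac.compare_digest(
        sasl_digest_md5_response(stored_urp, nonce, nc, cnonce, "ldap/ldap.example.org"), sasl_resp)
    return {"http_ok": http_ok, "sasl_ok": sasl_ok, "same_response": http_resp == sasl_resp}

if __name__ == "__main__":
    stored = urp_hash("webuser", "example.org", "correct horse")
    print(check("correct horse", stored))   # {'http_ok': True, 'sasl_ok': True, 'same_response': False}
    print(check("wrong password", stored))  # {'http_ok': False, 'sasl_ok': False, 'same_response': False}
```

The same stored hash verifies both schemes, but the two responses differ because the SASL form feeds the raw A1 bytes and an "AUTHENTICATE" A2 into MD5, so an HTTP Digest response cannot simply be relayed into an LDAP bind as the reply's middle-man design would require.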