Re: Digest authentication with LDAP backend

From: Henrik Nordstrom <hno@dont-contact.us>
Date: Mon, 21 Mar 2005 21:42:24 +0100 (CET)

On Thu, 17 Mar 2005, Guilherme Buonfiglio de Castro Monteiro wrote:

> Hi,
>
> I'm developing a perl digest authentication program that uses LDAP as
> backend.
> It's near completion but I'm needing help with HHA1 return to Squid.
> First I will explain what I'm doing:
> 1) I'm creating a new Ldap ObjectClass that has uid/digestInfo/ha1
> 2) digestInfo is join(":",$username,$realm)
> ha1 is md5_hex( join(":",$username,$realm,$password));
> 3) So for username:realm:password I have
> digestInfo=username:realm
> ha1=66999343281b2624585fd58cc9d36dfc
> 4) My program should receive "a line containing "username":"realm" and
> replies with the appropriate H(A1) value base64 encoded or ERR if the user
> (or his H(A1) hash) does not exists." (this was extracted from squid.conf for
> auth_param digest).
> Actually it's receiving it. :-)
> 5) Then I issue a ldapsearch (digestInfo=".$digestInfo") and read the
> attribute ha1
> 6) Then I return $hha1 = encode_base64($ha1); I know that I'm missing the
> point at this moment!!!

You need to print the result.

> I know ha1 is correct. I've already compared with results from Apache
> htdigest program. But what Squid wants is not the encode_base64($ha1).

Squid wants the exact same format as Apache htdigest creates in the hash
column.

The digest_pwauth helper is a good reference as for how your helper should
operate. By using this as reference you can easily verify that your helper
is working correctly, as both should return the exact same output given
the same user data (login, realm, password, input where appropriate).

Regards
Henrik
Received on Mon Mar 21 2005 - 13:44:32 MST
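
A minimal helper loop for the exchange discussed in this thread, as an added example (not code from either poster or from Squid): it prints the stored hex H(A1) unchanged, as in the htdigest hash column, or ERR. The in-memory `%directory` is a constructed stand-in for the LDAP search, and `ldap_filter` and `lookup_ha1` are hypothetical helper names; the filter escaping is included because the looked-up value comes from the client.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Digest::MD5 qw(md5_hex);

$| = 1;    # unbuffered output: Squid waits for each reply line

# Constructed stand-in for the directory, keyed by digestInfo ("user:realm").
my %directory = (
    'username:realm' => md5_hex(join(':', 'username', 'realm', 'password')),
);

# Parse one request line of the form "username":"realm".
sub parse_request {
    my ($line) = @_;
    $line =~ s/[\r\n]+\z//;
    return $line =~ /\A"([^":]+)":"([^"]+)"\z/ ? ($1, $2) : ();
}

# Hypothetical helper: build the search filter with the RFC 4515 special
# characters escaped, since the value comes from the client.
sub ldap_filter {
    my ($digest_info) = @_;
    $digest_info =~ s/([\\*()\x00])/sprintf('\\%02x', ord $1)/ge;
    return "(digestInfo=$digest_info)";
}

# Stand-in lookup; a real helper would run this filter as an LDAP search
# and read the ha1 attribute from the matching entry.
sub lookup_ha1 {
    my ($user, $realm) = @_;
    my $filter = ldap_filter("$user:$realm");    # what the search would use
    return $directory{"$user:$realm"};
}

# Reply for one request line: the 32-character hex H(A1), or ERR.
sub reply_for {
    my ($line) = @_;
    my ($user, $realm) = parse_request($line) or return 'ERR';
    my $ha1 = lookup_ha1($user, $realm);
    return 'ERR' unless defined $ha1 && $ha1 =~ /\A[0-9a-f]{32}\z/;
    return $ha1;    # hex exactly as stored, no base64 step
}

while (my $line = <STDIN>) {
    print reply_for($line), "\n";    # the reply must actually be printed
}
```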
