On Thursday 26 June 2008 12:32:04 Michael Ströder wrote:Bear in mind that in a single password environmemt proxy authentication (like with Squid) is somewhat a security risk anyway since the password is transferred in clear over the wire to the proxy for each HTTP hit going through the proxy.
Unfortunately, however, it does not seem that there is any secure proxy authentication scheme for an entirely Unix environment (Mozilla on Unix as the client, Squid on Unix as the proxy server), even with Kerberos infrastructure in place.
I have also started discussions with some web application frameworks (e.g. Catalyst).I'd rather recommend to use a decent WebSSO system and integrate web servers/applications with that central authentication component because when using centralized passwords you don't want to transmit the password to every integrated system. Rather in a SSO system system see only short-time tickets. I'm successfully using CAS for that in one customer project. It works pretty well and the developers are very responsive.
Indeed, but if you have existing applications on an existing framework that has LDAP support (we use SSL end-to-end), then it should have support for expiring passwords.
Migrating to an SSO system would be an option, but I have many more features which have higher priority ...
Your mileage may vary...
In this specific case, there are also advantages to the application having access to the clear-text password (as it can then be used with the logged-in users credentials to perform operations on other devices which authenticate against the same system, but have no SSO support).
Yes, web2ldap is working like that.
Either people should stop shipping web server authentication modules for LDAP, or they should have password policy support.
Ciao, Michael.