Re: [squid-users] empty basic/digest realm

From: Henrik Nordström <henrik_at_henriknordstrom.net>
Date: Thu, 01 Jul 2010 22:27:09 +0200

The normal digest ldap helper in plain text password mode expects just the plain text password in ldap, without realm.

If you store H(A1) value then it's always realm specific. And to my knowledge there is no basic auth helper capable of verifying against an H(A1) value but technically it can be done regardless of what realm was used in the H(A1).

If you use some other helper which expects realm:password or realm:H(A1) then it would most likely expect :H(A1) and not H(A1) if realm is empty.

Keep in mind that Digest A1 value is login:realm:password. And H is HEX MD5 which makes H(A1) == HEX(MD5(login ":" realm ":" password))

So I still do not quite understand what you want to accomplish with an empty realm.

Regards
Henrik

----- Original message -----
> Sorry for my late reply, Henrik. I want to be able to use an empty
> realm because we use Digest Auth in conjunction with an LDAP backend.
> In this LDAP backend the admin can specify combinations of
> <realm>:<password> or <realm>:<H(A1)>. The empty realm would thus lead
> to either <password> or <H(A1)> standing by themselves. We want to
> support this latter case as well and the empty realm would make that a
> lot easier.
>
> Regards,
> Khaled
>
> 2010/6/22 Henrik Nordström <henrik_at_henriknordstrom.net>:
> > Tue 2010-06-22 at 00:22 +0200, Khaled Blah wrote:
> > > That's not completely true. RFC 2617 states that the realm of either
> > > digest/basic auth is a quoted string but it doesn't say that this
> > > string has to be a minimum number of characters.
> >
> > True, but it is clearly not the intention that this should be empty.
> >
> > I asked why you want to use an empty realm.
> >
> > Regards
> > Henrik
> >
> >
Received on Thu Jul 01 2010 - 20:27:17 MDT
