Digest Authentication

Proxy Server can be configured to perform Digest authentication using either an LDAP-based or a file-based directory service.

Digest authentication allows users to authenticate based on user name and password without sending the user name and password as clear text. The browser uses the MD5 algorithm to create a digest value using the users password and some information provided by the Proxy Server.

When the server uses an LDAP-based directory service to perform Digest authentication, this digest value is also computed on the server side using the Digest authentication plug-in, and compared against the digest value provided by the client. If the digest values match, the user is authenticated. For this to work, your directory server must have access to the user’s password in clear text. Oracle Directory Server Enterprise Edition includes a reversible password plug-in using a symmetric encryption algorithm to store data in an encrypted form that can later be decrypted to its original form. Only Directory Server holds the key to the data.

For LDAP-based Digest authentication, you must enable the reversible password plug-in and the Digest authentication-specific plug-in included with Proxy Server. To configure your Proxy Server to process Digest authentication, set the digestauth property of the database definition in the dbswitch.conf file, found in server-root/userdb/.

Here is a sample dbswitch.conf file.

directory default ldap://<host_name>:<port>
default:binddn cn=Directory Manager
default:encoded bindpw ***********
default:digestauth on

or

directory default ldap://<host_name>:<port>/
default:binddn cn=Directory Manager
default:encoded bindpw ***********
default:digestauthstate on

The server tries to authenticate against the LDAP database based upon the ACL method specified, as shown in Digest Authentication. If you do not specify an ACL method, the server uses either Digest or Basic when authentication is required, or Basic if authentication is not required.

The following table lists Digest authentication that is and is not supported by the authentication database.

When processing an ACL with method=digest, the server attempts to authenticate by performing the following actions:

• Checking for the Authorization request header. If the header is not found, a 401 response is generated with a Digest challenge, and the process stops.

• Checking for the Authorization type. If the Authentication type is Digest, the server then performs the following actions:

  • Checks nonce. If the nonce is not a valid, fresh nonce generated by this server, a 401 response is generated, and the process stops. If the nonce is stale, a 401 response is generated with stale=true, and the process stops.

    The time the nonce remains fresh can be configured by changing the value of the parameter DigestStaleTimeout in the magnus.conf file, located in server-root/proxy-server_name/config/. To set the value, add the following line to magnus.conf:

    DigestStaleTimeout seconds

    where seconds represents the number of seconds the nonce remains fresh. After the specified seconds elapse, the nonce expires and new authentication is required from the user.

  • Checks the realm. If the realm does not match, a 401 response is generated, and the process stops.

  • Checks the existence of the user in the LDAP directory if the authentication directory is LDAP-based, or checks existence of the user in the file database if the authentication directory is file-based. If the user is not found, a 401 response is generated, and the process stops.

  • Gets the request-digest value from the directory server or file database and checks for a match to the client’s request-digest. If no match is found, a 401 response is generated, and the process stops.

  • Constructs the Authorization-Info header and inserts this header into server headers.