httpd-bugs mailing list archives

From bugzi...@apache.org
Subject DO NOT REPLY [Bug 45325] New: sslusername not usable by other modules
Date Wed, 02 Jul 2008 09:27:37 GMT
https://issues.apache.org/bugzilla/show_bug.cgi?id=45325

           Summary: sslusername not usable by other modules
           Product: Apache httpd-2
           Version: 2.2.9
          Platform: Other
        OS/Version: Linux
            Status: NEW
          Severity: normal
          Priority: P2
         Component: mod_auth
        AssignedTo: bugs@httpd.apache.org
        ReportedBy: mdnteo@gmail.com


I'm working with mod_authnz_ldap, mod_ssl authenticating with certificates and
I've got some questions. This is my situation (some directives are omitted):

------------------------------------------------------------------------------------------------
SSLVerifyClient require
SSLOptions +ExportCertData +StdEnvVars +StrictRequire +FakeBasicAuth

<Location /private>
        SSLRequireSSL
        AuthType basic
        AuthName "private area"
        AuthzLDAPAuthoritative off
        AuthBasicProvider       ldap
        AuthLDAPBindDN          uid=myuser,dc=example,dc=com
        AuthLDAPBindPassword    mypassword
        AuthLDAPUrl             "ldap://myldaphost:389/ou=users,dc=example,dc=com?subjectDN?sub?(objectclass=*)"
        Require ldap-attribute employeeType=active
</Location>
------------------------------------------------------------------------------------------------

This configuration is working: the user is found in LDAP by searching for his
"subjectDN", as set by the option "+FakeBasicAuth", but I want to make the LDAP
SEARCH not with the subjectDN, but with other fields of the certificate. As
described in the documentation, I can do it with "SSLUSERNAME".

If I use these options:
------------------------------------------------------------------------------------------------
SSLVerifyClient require
SSLUserName SSL_CLIENT_S_DN_CN 
SSLOptions +ExportCertData +StdEnvVars +StrictRequire -FakeBasicAuth

<Location /private>
        SSLRequireSSL
        AuthType basic
        AuthName "private area"
        AuthzLDAPAuthoritative off
        AuthBasicProvider       ldap
        AuthLDAPBindDN          uid=myuser,dc=example,dc=com
        AuthLDAPBindPassword    mypassword
        AuthLDAPUrl             "ldap://myldaphost:389/ou=users,dc=example,dc=com?cn?sub?(objectclass=*)"
        Require ldap-attribute employeeType=active
</Location>
------------------------------------------------------------------------------------------------

The mod_ssl does its work, as in my log files I see the "CN" as "%u", but as
soon as I call "/private", the "%u" becomes an empty variable and I can't use
it in the next authentication module. The mod_authnz_ldap does an LDAP query (I
check it in my LDAP logs) with an empty CN, or any other parameter I try to set
(usercertificate, email...).

