httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Douglas E. Engert" <>
Subject Missing concept in Authentication and Authorization?
Date Mon, 28 Jun 2004 20:49:16 GMT

I have recently started to look how Authentication and Authorization
in done in Apache, and have looked over Justin Erenkrantz's slides 
for "Authentication in Apache HTTP Server 2.1" and have been in touch
with some of the mod_auth_kerb developers. My apologies if this
is already being addressed, but it does not appear so. 

There appears to be a missing component in the AAA design, i.e. how 
to map the authentication user identity into the identity to be used 
for authorization. Multiple authentication identities may map to
the same authorization identity. 

The case we are trying to address is that we would like to
accept SSL client certificates, SPNEGO with Kerberos or Kerberos 
user/passwords for authentication. We would then like to use 
an LDAP database to determine if the authenticated user is acceptable
based on being in the LDAP and a member of selected groups.

With the client certificate the authentication identity is
derived from the subject name and issuer name. With Kerberos the 
authentication identity is user@realm. The same user might have both
a certificate and Kerberos principal. In fact we are moving towards
the use of KX509/KCA from the University of Michigan and away from
users ever sending passwords. The KCA issues short term certificates 
to a user if the can authenticate with Kerberos to the KCA.    

We want to use Windows AD as the LDAP authorization data base. To do 
this we need to use the certificate subject name to map to a DN in 
ldap, and/or use the Kerberos principal name (userPrincipalName in AD) 
to map to a DN in ldap. We can then use mod_auth_ldap to check if the 
DN is a member of a group in AD. 

(Needless to say the use of local database on the web server such as 
used by SSL FakeBasicAuth are not acceptable.)  

One way to get the mapping is to use the util_ldap_cache_checkuserid
but don't have it check a password. This function is really doing
two functions: authentication and mapping. They should be separated.
We currently have a mod in util_ldap.c to do this, with a change to 
util_ldap.h as well.  

As I am new to Apache, but not to authentication, I am hoping to
see if any of these ideas are being addressed in upcoming versions. 



 Douglas E. Engert  <>
 Argonne National Laboratory
 9700 South Cass Avenue
 Argonne, Illinois  60439 
 (630) 252-5444

View raw message