httpd-dev mailing list archives
From Müller Johannes <Johannes.Muel...@eon-is.com>
Subject Client authorization against LDAP using client certificates
Date Fri, 04 Jul 2008 06:21:12 GMT
Hello,

we want to use client authorization against LDAP using client certificates on Apache webserver
2.2.
Unfortunately this is not possible with Apache webserver at the current state of development.
There have been third party modules (ModXAuthLDAP, mod_authz_ldap) in the past which did this
task quite well.
But they haven’t been updated for years and therefore do not work with httpd newer than
2.0.
Therefore my company has put some effort in developing a reasonable solution for its needs.

Firstly let me describe why it is not possible for us to do this form of authorization with
a default httpd.

The client connects using SSL and a client certificate. Mod_ssl receives the request and checks
the validity of the certificate using CRLs. After that it sets the user field in the Apache
request object to the cn of the certificate (SSLUserName SSL_CLIENT_S_DN_CN). Afterwards mod_auth_basic
tries to authenticate the user against its configured provider, which is LDAP in our case.
This fails, because there is no password coming from the certificate, which is quite obvious.

As you can see the missing password in the authentication phase is our main problem.
We tried to use SSLOptions +FakeBasicAuth, but then we would have to set “password” as
password for all users in our directory. This is definitely no solution.

Another solution we thought of was to just set the require directives, but the hook seems
to never get called, because of the missing AuthType directive.

We have developed the following possible solutions, which involve changes to the apache source
code.
I’d be interested in comments and my company would appreciate it, if a solution could be
included in apache. I could also provide a patch.

Solution 1
Description
* Add a boolean directive AuthBasicUserFromCert to mod_auth_basic
* This should tell mod_auth_basic not to run the configured authentication provider if a remote
user is set by mod_ssl
* If no user is set (client does not provide certificate), basic authentication is done
Implementation
* Register directive in mod_auth_basic.c
* Add branch in authentication function to return AUTH_GRANTED if directive and user is set
* Remove call to ap_note_auth_basic_failure() in mod_authnz_ldap.c to avoid password dialog
although we have a certificate if authorization fails
Pros and cons
+ Fallback to basic authentication done easily
+ Does not conflict with AAA-model
+ No duplicate code as we don't have to duplicate basic auth functionality (compare solution
3)
- mod_authnz_ldap has to be modified, too. Maybe this is not needed in Apache 2.3/2.4, because
the call has been removed. 


Solution 2
Description
* Create new module mod_auth_cert which has to be hooked previous to mod_auth_basic
* This new module runs if AuthType is set to "Cert" and checks for the remote user to be set
* In case the user is set by mod_ssl, return OK
* Else fall back to basic authentication by calling mod_auth_basic somehow
* This can possibly be achieved by rewriting AuthType on the fly
Implementation
* Copy mod_auth_basic.c
* Rename to mod_auth_cert
* Remove needless code
* Register in hook previous to mod_auth_basic.c
* In case the user is set by mod_ssl, return OK
* Else change r->auth_type to "Basic" ?? Did not work in tests!
Pros and cons
+ Very clean concerning the AAA-model, because mod_auth_basic has nothing to do with certificates
in principle
+ No duplicate code as we don't have to duplicate basic auth functionality (compare solution
3)
- Dirty solution concerning rewriting the AuthType directive on the fly
- More difficult to implement
- Maybe impossible 


Solution 3
Description
* Duplicate mod_auth_basic
* Call it mod_auth_cert
* Add new directives AuthType "Cert" and AuthCertProvider
* If remote user is set by mod_ssl do not run authentication provider and return OK
* Else do basic authentication using the provider
Implementation
* Copy mod_auth_basic.c
* Rename to mod_auth_cert.c
* Rename directives
* Add branch in authentication function to return AUTH_GRANTED if directive and user is set
* Remove call to ap_note_auth_basic_failure() in mod_authnz_ldap.c to avoid password dialog
although we have a certificate if authorization fails
Pros and cons
+ Fallback to basic authentication done easily
+ Very clean concerning the AAA-model, because mod_auth_basic has nothing to do with certificates
in principle
- Otherwise dirty, because mod_auth_cert should have nothing to do with basic authentication,
either
- mod_authnz_ldap has to be modified, too. Maybe this is not needed in Apache 2.3/2.4, because
the call has been removed.
- Duplicate code 


Freundliche Grüße/Kind regards
Johannes Müller

I/TS1A-G - Web Infrastructure
T +49 8 9-12 54 57 92
johannes.mueller@eon-is.com 

E.ON IS GmbH
Blutenburgstraße 18
80636 München
www.eon-is.com

Vorsitzender des Aufsichtsrats/Chairman of the Supervisory Board:
Dr. Marcus Schenck   Geschäftsführung/Managing Directors:
Werner Hecker (Vorsitzender/Chairman)   Jörg Becker   Damian
Bunyan   Dr. Kai Pfitzner   Dr. Jörg Zunft   E.ON IS GmbH
Sitz/Registered Office Hannover   Amtsgericht/District Court
Hannover HRB 57814
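As an added example, not code from the post above or from httpd itself, the decision logic of Solution 1 modelled in self-contained C: the request and config structs and the LDAP provider are constructed stand-ins for httpd's request_rec, the module config and mod_authnz_ldap, and AuthBasicUserFromCert is the directive proposed in the post, not an existing httpd option.

```c
#include <string.h>
#include <strings.h>

/* httpd-style result codes (values match httpd's OK/DECLINED/HTTP_UNAUTHORIZED) */
#define OK 0
#define DECLINED (-1)
#define HTTP_UNAUTHORIZED 401

/* Stand-in for the relevant request_rec fields; constructed for this model. */
typedef struct {
    const char *auth_type;  /* from the AuthType directive */
    const char *user;       /* set by mod_ssl (SSLUserName SSL_CLIENT_S_DN_CN), else NULL */
    const char *basic_user; /* credentials from the Authorization header, else NULL */
    const char *basic_pw;
    int auth_failure_noted; /* set where httpd would call ap_note_auth_basic_failure() */
} model_request;

typedef struct {
    int user_from_cert;     /* proposed AuthBasicUserFromCert on/off */
} model_config;

/* Stand-in for the LDAP authn provider: a constructed one-entry directory. */
static int ldap_check_password(const char *user, const char *pw)
{
    return strcmp(user, "alice") == 0 && strcmp(pw, "s3cret") == 0;
}

/* Model of the mod_auth_basic authenticate hook with the Solution 1 branch added. */
int authenticate_basic_user(model_request *r, const model_config *conf)
{
    if (!r->auth_type || strcasecmp(r->auth_type, "Basic") != 0)
        return DECLINED;                 /* not our AuthType, let another module handle it */

    /* Solution 1: mod_ssl already verified the certificate (including the CRL check)
       and set r->user, so the password-based provider is skipped entirely. */
    if (conf->user_from_cert && r->user)
        return OK;

    /* Fallback: ordinary basic authentication against the provider. Without the
       directive, a certificate-only client lands here with no password and fails,
       which is the behaviour the post describes for unmodified httpd. */
    if (!r->basic_user || !r->basic_pw) {
        r->auth_failure_noted = 1;       /* triggers the browser password dialog */
        return HTTP_UNAUTHORIZED;
    }
    if (!ldap_check_password(r->basic_user, r->basic_pw)) {
        r->auth_failure_noted = 1;
        return HTTP_UNAUTHORIZED;
    }
    r->user = r->basic_user;
    return OK;
}
```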
