httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Müller Johannes <Johannes.Muel...@eon-is.com>
Subject Re: Client authorization against LDAP using client certificates
Date Fri, 04 Jul 2008 09:43:23 GMT
Well, this would require quite big changes to all authentication modules, i guess.
I think, the better way would be to skip authentication completely in mod_auth_basic in case
the user is set in the request object, because the user is already authenticated somehow through
mod_ssl.


-----Ursprüngliche Nachricht-----
Von: Graham Leggett [mailto:minfrin@sharp.fm] 
Gesendet: Freitag, 4. Juli 2008 11:14
An: dev@httpd.apache.org
Betreff: Re: Client authorization against LDAP using client certificates

Müller Johannes wrote:

> we want to use client authorization against LDAP using client certificates on Apache
webserver 2.2.
> Unfortunately this is not possible with Apache webserver at the current state of development.
> There have been third party modules (ModXAuthLDAP, mod_authz_ldap) in the past which
did this task quite well.
> But they haven't been updated for years and therefore do not work with httpd newer than
2.0.
> Therefore my company has put some effort in developing a reasonable solution for its
needs.

I think the thing that is missing is that the FakeBasicAuth option 
within mod_ssl should flag the request to say that a password isn't 
necessary.

mod_authnz_ldap (and others) should then be taught to recognise this 
flag within the request, and not test the password if this is the case.

Regards,
Graham
--


Mime
View raw message