Hello,
The following patch against trunk adds a directive "AuthBasicUserFromSSL" (On/Off) to mod_auth_basic.
Setting this to "On" would skip authentication if r->user is set by mod_ssl.
This is needed when using client certificates for authentication, because in this case you
don't get any password from the user, which you can use to authenticate.
Well, there is FakeBasicAuth, but setting the password to "password" for every user in a directory
is definitely no solution.
Would be nice if we could include this in 2.2.x too. The affected code is basically similar.
See also discussion at http://mail-archives.apache.org/mod_mbox/httpd-dev/200807.mbox/%3C2DA2D25922A8EF48B9357D19AE7E0CE4075E394D@SME0011.o.eon-energie.net%3E
Configuration may look like this:
<Location /secret_area>
    SSLUserName SSL_CLIENT_S_DN_CN
    SSLVerifyClient require
    AuthType Basic
    AuthName "Test"
    AuthBasicUserFromSSL On
    AuthBasicProvider ldap
    AuthLDAPUrl ldap://myldapserver.company.com:389/ou=Users,o=COMPANY,c=COM?uid?sub
    AuthLDAPBindDN cn=myUser,ou=users,o=COMPANY,c=COM
    AuthLDAPBindPassword myPassword
    require ldap-group cn=mygroup,ou=Groups,o=COMPANY,c=COM
</Location>
Greetings,
Johannes Müller