httpd-dev mailing list archives

From Eric Covener <cove...@gmail.com>
Subject Re: X.509 client certificates and LDAP authorization
Date Tue, 08 Sep 2009 14:17:09 GMT
On Tue, Sep 8, 2009 at 10:09 AM, Udo Rader<listudo@bestsolution.at> wrote:
> Graham Leggett wrote:
>>
>  SSLOptions +FakeBasicAuth
>  AuthName "Snake Oil Authentication"
>  AuthType Basic
>  AuthBasicProvider ldap
>  AuthLDAPRemoteUserAttribute uid
>
>  AuthLDAPURL ldap://127.0.0.1/dc=example,dc=com?subjectDN?one
>  require valid-user
> </Location>
>
> For obvious reasons, authentication fails, because mod_ssl sends "password"
> as the password for any "faked" basic auth user to the underlying
> authentication mod_authnz_ldap module, see the "FakeBasicAuth" section here
> [1].
>
> And of course, it is impossible to set "password" as password for everyone
> in the LDAP DIT.
>
> What we basically "needed" was for our clients to authenticate using their
> certificates and then have mod_authnz_ldap fetch their user names (uid)
> based on the certificates' subjects (or similar).

I never understood how FakeBasic was usable, but nevertheless you
don't want "AuthBasicProvider LDAP" in this case.  This is the bit
that's asking LDAP to check the user's password -- you just want the
authorization directives.

-- 
Eric Covener
covener@gmail.com
