httpd-dev mailing list archives

From Udo Rader <>
Subject X.509 client certificates and LDAP authorization
Date Mon, 07 Sep 2009 10:42:38 GMT

I am just trying to set up an X.509 client certificates + LDAP based 
authorization system.

I've set up all pieces to the best of my knowledge (mod_ssl, mod_auth_basic, 
mod_auth_ldap), but I am still having problems connecting to our LDAP 
server because "SSLOption FakeBasicAuth" still explicitly requires 
"password" as password for each user in order to successfully 
authenticate against mod_auth_ldap.

Almost one year ago, someone already asked the same question [1] but 
I am not sure if any progress has been made.

The problem is described quite well in the OP:

The client connects using SSL and a client certificate. Mod_ssl receives 
the request and checks the validity of the certificate using CRLs. After 
that it sets the user field in the Apache request object to the cn of 
the certificate (SSLUserName SSL_CLIENT_S_DN_CN). Afterwards 
mod_auth_basic tries to authenticate the user against its configured 
provider, which is LDAP in our case. This fails, because there is no 
password coming from the certificate, which is quite obvious.

As you can see the missing password in the authentication phase is our 
main problem. We tried to use SSLOptions +FakeBasicAuth, but then we 
would have to set “password” as password for all users in our directory. 
This is definitely no solution.

So has anything changed/improved in the meantime?

Thanks in advance :-)


Udo Rader, CTO
