httpd-dev mailing list archives

From Udo Rader <list...@bestsolution.at>
Subject Re: X.509 client certificates and LDAP authorization
Date Tue, 08 Sep 2009 14:09:36 GMT
Graham Leggett wrote:
> Udo Rader wrote:
> 
>> I am just trying to set up an X.509 client certificates + LDAP based
>> authorization system.
>>
>> I've setup all pieces best to my knowledge (mod_ssl, mod_auth_basic,
>> mod_auth_ldap), but I am still having problems to connect to our LDAP
>> server because "SSLOption FakeBasicAuth" still explicitly requires
>> "password" as password for each user in order to successfully
>> authenticate against mod_auth_ldap.
> 
> Authenticate or authorise?
> 
> Are you trying to authenticate the user using SSL certs, and then
> authorise the user using LDAP? Or do you want users to be authenticated
> both by SSL client certs and by LDAP?
> 
> Authenticate: is the user who the user says they are?
> Authorise: is the user allowed to access the resource?

Thanks for the clarification, I am quite aware of that :-)

Maybe a more concrete sample can help clarify what I am talking about, 
here's my approximate setup:

<Location /fooBar>
   SSLVerifyClient require
   SSLRequireSSL

   SSLOptions +FakeBasicAuth
   AuthName "Snake Oil Authentication"
   AuthType Basic
   AuthBasicProvider ldap
   AuthLDAPRemoteUserAttribute uid

   AuthLDAPURL ldap://127.0.0.1/dc=example,dc=com?subjectDN?one
   require valid-user
</Location>

For obvious reasons, authentication fails, because mod_ssl sends 
"password" as the password for any "faked" basic auth user to the 
underlying authentication mod_authnz_ldap module, see the 
"FakeBasicAuth" section here [1].

And of course, it is impossible to set "password" as password for 
everyone in the LDAP DIT.

What we basically "needed" was for our clients to authenticate using their 
certificates and then have mod_authnz_ldap fetch their user names (uid) 
based on the certificates' subjects (or similar).

But both the problem and possible solution scenarios were excellently 
described in the OP about one year ago, see [2].

There are other, third party modules dealing with this problem, e.g. 
mod_authz_ldap [3], but I want to circumvent them if possible.


[1] http://httpd.apache.org/docs/2.2/mod/mod_ssl.html#ssloptions
[2] http://phpot.bestsolution.at/nanourl/bbsy2
[3] http://authzldap.othello.ch/

-- 
Udo Rader, CTO
http://www.bestsolution.at
http://riaschissl.blogspot.com
