httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Graham Leggett <minf...@sharp.fm>
Subject Re: X.509 client certificates and LDAP authorization
Date Tue, 08 Sep 2009 15:09:03 GMT
Udo Rader wrote:

> Maybe a more concrete sample can help clarify what I am talking about,
> here's my approximate setup:
> 
> <Location /fooBar>
>   SSLVerifyClient require
>   SSLRequireSSL
> 
>   SSLOptions +FakeBasicAuth
>   AuthName "Snake Oil Authentication"
>   AuthType Basic
>   AuthBasicProvider ldap
>   AuthLDAPRemoteUserAttribute uid
> 
>   AuthLDAPURL ldap://127.0.0.1/dc=example,dc=com?subjectDN?one
>   require valid-user
> </Location>

Right, so you're trying to authenticate twice, first using certs, then
using LDAP, and you're not trying to authorise at all ("require
valid-user").

That it doesn't do (yet), but shouldn't be hard to implement. mod_ssl
needs to signal that the user has been successfully authenticated using
a cert, and mod_authnz_ldap needs to respond to the signal that the user
has been successfully authenticated using a cert, and skip the password
check if so.

Regards,
Graham
--

Mime
View raw message