Delivered-To: apmail-httpd-dev-archive@www.apache.org
Mailing-List: contact dev-help@httpd.apache.org; run by ezmlm
Precedence: bulk
Reply-To: dev@httpd.apache.org
Delivered-To: mailing list dev@httpd.apache.org
Received-SPF: pass (nike.apache.org: domain of listudo@bestsolution.at designates 81.16.98.99 as permitted sender)
Message-ID: <4AA4E39E.2090604@bestsolution.at>
Date: Mon, 07 Sep 2009 12:42:38 +0200
From: Udo Rader
Organization: BestSolution.at EDV Systemhaus GmbH
User-Agent: Thunderbird 2.0.0.23 (X11/20090830)
MIME-Version: 1.0
To: dev@httpd.apache.org
Subject: X.509 client certificates and LDAP authorization
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 8bit

Hi,

I am just trying to set up an X.509 client certificate + LDAP based authorization system.

I've set up all pieces to the best of my knowledge (mod_ssl, mod_auth_basic, mod_auth_ldap), but I am still having problems connecting to our LDAP server because "SSLOption FakeBasicAuth" still explicitly requires "password" as the password for each user in order to successfully authenticate against mod_auth_ldap.

Almost one year ago, someone already asked the same question [1], but I am not sure if any progress has been made. The problem is described quite well in the OP:

--------CUT--------
The client connects using SSL and a client certificate. mod_ssl receives the request and checks the validity of the certificate using CRLs. After that it sets the user field in the Apache request object to the cn of the certificate (SSLUserName SSL_CLIENT_S_DN_CN). Afterwards mod_auth_basic tries to authenticate the user against its configured provider, which is LDAP in our case. This fails, because there is no password coming from the certificate, which is quite obvious.

As you can see the missing password in the authentication phase is our main problem. We tried to use SSLOptions +FakeBasicAuth, but then we would have to set "password" as password for all users in our directory. This is definitely no solution.
--------CUT--------

So has anything changed/improved in the meantime?

Thanks in advance :-)

[1] http://phpot.bestsolution.at/nanourl/bbsy2

-- 
Udo Rader, CTO
http://www.bestsolution.at
http://riaschissl.blogspot.com
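The setup the message describes, written out as an httpd configuration. This is an added example, not configuration from the original post or from the httpd project; every hostname, path, base DN, group DN and the attribute name x-certSubjectDN are assumed placeholders. It shows the variant the post describes and why the ldap provider ends up insisting on "password", beside the file-backed variant that the mod_ssl FakeBasicAuth documentation assumes, with LDAP kept for authorization only.

```apache
# Added example configuration (not from the original message or the httpd project).
# Assumed: hostnames, file paths, base/group DNs and the x-certSubjectDN attribute
# are placeholders, not real infrastructure or directory schema.

<VirtualHost *:443>
    SSLEngine on
    SSLCertificateFile    /etc/ssl/example/server.crt
    SSLCertificateKeyFile /etc/ssl/example/server.key

    # Client certificate verification against the issuing CA and its CRL
    # (httpd 2.4 additionally needs "SSLCARevocationCheck chain" to act on the CRL).
    SSLCACertificateFile  /etc/ssl/example/client-ca.pem
    SSLCARevocationFile   /etc/ssl/example/client-ca.crl
    SSLVerifyClient       require
    SSLVerifyDepth        2

    # Variant A: the configuration from the post, and why it fails.
    <Location /secure>
        # +FakeBasicAuth makes mod_ssl synthesise an "Authorization: Basic ..."
        # header whose user name is the certificate's one-line Subject DN and
        # whose password is the literal string "password". mod_auth_basic parses
        # that header, so the pair handed to the ldap provider is
        # <Subject DN>:password (not the CN from SSLUserName), and the LDAP
        # bind succeeds only for entries whose directory password is "password".
        SSLOptions  +FakeBasicAuth
        SSLUserName SSL_CLIENT_S_DN_CN

        AuthType          Basic
        AuthName          "Client certificate"
        AuthBasicProvider ldap
        AuthLDAPURL       "ldap://ldap.example.internal/ou=people,dc=example,dc=internal?cn?sub"
        Require           ldap-group cn=webusers,ou=groups,dc=example,dc=internal
    </Location>

    # Variant B: FakeBasicAuth the way mod_ssl documents it. Authenticate against
    # a file whose entries are "<Subject DN>:<crypt of 'password'>", so no
    # directory password is involved at all, and use LDAP for authorization only.
    <Location /secure-ldap-authz>
        SSLOptions +FakeBasicAuth

        AuthType          Basic
        AuthName          "Client certificate"
        AuthBasicProvider file
        # /etc/httpd/client-cert.htpasswd (assumed path), one line per certificate;
        # xxj31ZMTZzkVA is crypt("password") as given in the mod_ssl documentation:
        #   /C=AT/O=Example GmbH/CN=alice:xxj31ZMTZzkVA
        # httpd 2.4 emits the DN in RFC 2253 form (CN=alice,O=Example GmbH,C=AT)
        # unless "SSLOptions +LegacyDNStringFormat" is set; the file must use
        # whichever form the running version produces.
        AuthUserFile      /etc/httpd/client-cert.htpasswd

        # Authorization by directory group. Because the user name is now the
        # Subject DN string, the lookup attribute in AuthLDAPURL must be one that
        # stores that DN (x-certSubjectDN is assumed); a plain "cn" lookup would
        # never match. That mod_authnz_ldap resolves the user itself when another
        # provider did the authentication is something to verify on the httpd
        # version in use before relying on it.
        AuthLDAPURL "ldap://ldap.example.internal/ou=people,dc=example,dc=internal?x-certSubjectDN?sub"
        Require     ldap-group cn=webusers,ou=groups,dc=example,dc=internal
    </Location>
</VirtualHost>
```

The point of variant B is that the fake password never reaches the directory: the only secret involved is the client's private key, verified by mod_ssl, and the htpasswd file merely maps accepted Subject DNs to the fixed crypt value. Anything that can inject an Authorization header ahead of mod_ssl must therefore be ruled out (SSLVerifyClient require on the whole vhost, no unauthenticated locations sharing the AuthUserFile), since the "password" is public by design.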