httpd-modules-dev mailing list archives

From "Thomas, Peter" <>
Subject Improved AuthType Certificate provider [enhancement #48780]
Date Tue, 06 Apr 2010 23:51:56 GMT
As promised in my note last week, I've created an updated patch attached
to my suggested feature in .

This patch works in my integration environment, tested with all Require
ldap-* directives.  


1) When using certificates we can often expect that the DN of the user
matches the subject DN of the certificate.  For that reason I made a
slight overloading of AuthLDAPRemoteUserIsDN.  This new behavior is only
active in the proposed patch if AuthType is Certificate and
AuthLDAPRemoteUserIsDN is on. In those circumstances, LDAP authn will do
an LDAP_SCOPE_BASE search for the user at the DN specified in the
certificate.  I updated the corresponding authz methods to make sure
that we are always searching for the user's DN in a consistent way.
When the special circumstances do not apply, you continue using the
first attribute in the LDAP URL's attribute list compared with the
username to find the user [the legacy behavior].

2) I updated ssl_engine_vars.c in mod_ssl.  The current SSL_CLIENT_S_DN
uses X509_NAME_oneline(xsname, NULL, 0) which is a) deprecated and b)
not in an LDAP-friendly (RFC2253-compliant) form.  I updated the code to
use X509_NAME_print_ex(bio, xsname, 0, XN_FLAG_RFC2253).

Since the vast majority of the use of SSL_CLIENT_S_DN is cosmetic
[logging, etc.] I don't foresee this causing a substantial problem.
That said, if someone wants to take a stab at making this configurable
before we move forward, I'm amenable.

3) The only added directives in all this are:

AuthCertificateProvider and

They behave exactly as their counterparts from mod_auth_basic. So far
only mod_authnz_ldap is supported [by this patch], as in:

AuthType Certificate
AuthName "SSL Certificate-Based Authentication"
AuthCertificateProvider ldap
[...followed by AuthLDAP settings, &c.]

I have not sought out commit privileges on the project.  I'm not sure
this is the sort of feature we should be adding directly to 2.2.x, even
if I was able to.  What I would like is for other people with interest
in the problem space to try this patch out in their own environments and
get back to me and the community with suggestions and observations.

