httpd-users mailing list archives

From "Jose Correia (J)" <Corr...@telkom.co.za>
Subject RE: mod-ssl and authz modules
Date Fri, 23 Aug 2002 14:15:41 GMT
Hi Dirk

thanks for replying.

Still no success...

In your step 2 below, in order to disable SSL, you only mention to
comment out those two lines:

# SSLEngine On
# SSLCertificateFile	..../intranet.bar.com.pem


Are these the only two SSL lines I need to comment out?? What about
lines like "SSLCertificateKeyFile /opt/apache/conf/ssl.key/server.key"
??

I have then inserted the following inside Directory /servlet (as seen
below) and commented out "# SSLOptions +StdEnvVars +ExportCertData"
-as seen below too:

<Directory "/servlet">

    #Jose 21/08/2002 -  Inserted to get mod_authz_ldap authentication going
    #SSLRequireSSL

     AuthName        AuthzLDAP
     AuthType        Basic
     AuthzLDAPServer "localhost:389"

     AuthzLDAPUserKey     users
     AuthzLDAPUserBase    ou=users,o=telkom
     AuthzLDAPUserScope   base

     require valid-user
     # SSLOptions +StdEnvVars +ExportCertData
</Directory>

When I call a servlet, I get the IE page error "The page cannot be
displayed error".

Any clues, please?

Thanks a lot
Jose Correia



-----Original Message-----
From: Dirk-Willem van Gulik [mailto:dirkx@webweaving.org]
Sent: 23 August 2002 14:57
To: users@httpd.apache.org
Subject: Re: mod-ssl and authz modules




On Fri, 23 Aug 2002, Jose Correia (J) wrote:

> I'm trying to config mod_ssl inside apache's httpd.conf to just do
> basic authentication i.e. I don't want it to request the client for a
> certificate. How does one do that exactly?
>
> My basic authentication module is mod_authz_ldap which connects to an
> openldap database.

The two are totally separate; so you may want to make sure that the above
works perfectly before adding the SSL layer.

> I tried setting the "SSLVerifyClient" to none but the client browser
> still gives a warning and doesn't show the basic authentication login
> dialog.

Correct; that is not the right approach. Assuming you want to use Basic
Auth over SSL, this is what I usually do

1.	Get SSL to work on https://intranet.bar.com/

	<VirtualHost intranet.bar.com:443>
		..
		SSLEngine On
		SSLCertificateFile	..../intranet.bar.com.pem
		...
		DocumentRoot /foo
		<Directory /foo>
			...
		</Directory>
	</VirtualHost>

2.	Disable SSL and then get BasicAuth to work with
	the right backend on http://intranet.bar.com/

	<VirtualHost intranet.bar.com:80>
		...
		# SSLEngine On
		# SSLCertificateFile	..../intranet.bar.com.pem
		...
		<Directory /foo>
			AuthType Basic
			AuthName Intranet
			...
		</Directory>
	</VirtualHost>

3.	Then combine
	<VirtualHost intranet.bar.com:443>
		...
		SSLEngine On
		SSLCertificateFile	..../intranet.bar.com.pem
		...
		<Directory /foo>
			AuthType Basic
			AuthName Intranet
			...
		</Directory>
	</VirtualHost>

At any time; keep a

	tail -f .../logs/error_log

as this is where you will see most of the action.

Dw


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server
Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
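
A check for the end state of the three steps quoted above, as an added example that is not part of the original thread: once Basic Auth and SSL are combined, no Basic-auth `<Directory>` should stay reachable over plain HTTP, where the credentials are only base64-encoded. It is a simplified line-based parser (assumptions: no `Include` handling, no inheritance between main server and virtual hosts, an active `SSLRequireSSL` counts as protection); `cleartext_basic_auth` and `SAMPLE_CONF` are hypothetical names.

```python
import re

# Constructed sample modelled on steps 2 and 3 of the thread plus the /servlet
# block from the reply; hostnames and paths are the thread's placeholders.
SAMPLE_CONF = """
<VirtualHost intranet.bar.com:80>
    # SSLEngine On
    <Directory /foo>
        AuthType Basic
    </Directory>
</VirtualHost>
<VirtualHost intranet.bar.com:443>
    <Directory /foo>
        AuthType Basic
    </Directory>
    SSLEngine On
</VirtualHost>
<Directory "/servlet">
    #SSLRequireSSL
    AuthType Basic
    require valid-user
</Directory>
"""

def cleartext_basic_auth(conf):
    """Return (scope, directory) pairs where Basic auth is reachable without SSL."""
    ssl_scopes, found = set(), []        # scopes with active SSLEngine On; Basic-auth dirs
    scope, cur = "main server", None     # current server scope and open <Directory>
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):   # commented-out directives are inactive
            continue
        low = line.lower()
        if m := re.match(r"<virtualhost\s+(.+?)>", line, re.I):
            scope = m.group(1)
        elif low.startswith("</virtualhost"):
            scope = "main server"
        elif m := re.match(r"<directory\s+\"?(.+?)\"?>", line, re.I):
            cur = {"path": m.group(1), "basic": False, "req": False}
        elif low.startswith("</directory"):
            if cur and cur["basic"]:
                found.append((scope, cur["path"], cur["req"]))
            cur = None
        elif low.split()[:2] == ["sslengine", "on"]:
            ssl_scopes.add(scope)        # may appear after the <Directory> block
        elif cur is not None and low.split()[:2] == ["authtype", "basic"]:
            cur["basic"] = True
        elif cur is not None and low == "sslrequiressl":
            cur["req"] = True
    return [(s, d) for s, d, req in found if s not in ssl_scopes and not req]
```

On the constructed sample, `cleartext_basic_auth(SAMPLE_CONF)` reports the port-80 `/foo` block and the `/servlet` block with its commented-out `SSLRequireSSL`, and leaves the port-443 block alone.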
