Return-Path: 
 <users-return-12774-apmail-httpd-users-archive=httpd.apache.org@httpd.apache.org>
Delivered-To: apmail-httpd-users-archive@httpd.apache.org
Received: (qmail 8154 invoked by uid 500); 23 Aug 2002 12:57:01 -0000
Mailing-List: contact users-help@httpd.apache.org; run by ezmlm
Precedence: bulk
Reply-To: users@httpd.apache.org
list-help: <mailto:users-help@httpd.apache.org>
list-unsubscribe: <mailto:users-unsubscribe@httpd.apache.org>
list-post: <mailto:users@httpd.apache.org>
Delivered-To: mailing list users@httpd.apache.org
Received: (qmail 8078 invoked from network); 23 Aug 2002 12:57:00 -0000
Received: from fia224-72.dsl.hccnet.nl (HELO foem.leiden.webweaving.org)
 (62.251.72.224)
  by daedalus.apache.org with SMTP; 23 Aug 2002 12:57:00 -0000
Received: from foem (foem [10.11.0.2])
	by foem.leiden.webweaving.org (8.12.5/8.12.5) with ESMTP id g7NCv0oQ065966
	(version=TLSv1/SSLv3 cipher=EDH-RSA-DES-CBC3-SHA bits=168 verify=NO)
	for <users@httpd.apache.org>; Fri, 23 Aug 2002 14:57:00 +0200 (CEST)
	(envelope-from dirkx@webweaving.org)
Date: Fri, 23 Aug 2002 14:57:00 +0200 (CEST)
From: Dirk-Willem van Gulik <dirkx@webweaving.org>
X-X-Sender: dirkx@foem.leiden.webweaving.org
To: users@httpd.apache.org
Subject: Re: mod-ssl and authz modules
In-Reply-To: 
 <C4A1C30D4E65F949817239A698DCD50D33DCFB@TYGRRA01-XCS00.telkom.co.za>
Message-ID: <20020823145304.T65785-100000@foem.leiden.webweaving.org>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
X-Spam-Rating: daedalus.apache.org 1.6.2 0/1000/N



On Fri, 23 Aug 2002, Jose Correia (J) wrote:

> I'm trying to config mod_ssl inside apache's httpd.conf to just do
> basic authentication i.e. I don't want it to request the client for a
> certficate. How does one do that exactly?
>
> My basic authentication module is mod_authz_ldap which connects to an
> openldap database.

The two are totally separate; so you may want to make sure that the above
works perfectly before adding the SSL layer.

> I tried setting the "SSLVerifyClient" to none but the client browser
> still gives a warning and doesn't show the basic authentication login
> dialog.

Correct; that is not the right approach. Assuming you want to use Basic
Auth over SSL, this is what I usually do

1.	Get SSL to work on https://intranet.bar.com/

	<VirtualHost intranet.bar.com:443>
		..
		SSLEngine On
		SSLCertificateFile	..../intranet.bar.com.pem
		...
		DocumentRoot /foo
		<Directory /foo>
			...
		</Directory>
	</VirtualHost>

2.	Disable SSL and then get BasicAuth to work with
	the right backend onm http://intranet.bar.com/

	<VirtualHost intranet.bar.com:80>
		...
		# SSLEngine On
		# SSLCertificateFile	..../intranet.bar.com.pem
		...
		<Directory /foo>
			AuthType Basic
			AuthName Intranet
			...
		</Directory>
	</VirtualHost>

3.	Then combine
	<VirtualHost intranet.bar.com:443>
		...
		SSLEngine On
		SSLCertificateFile	..../intranet.bar.com.pem
		...
		<Directory /foo>
			AuthType Basic
			AuthName Intranet
			...
		</Directory>
	</VirtualHost>

At any time; keep a

	tail -f .../logs/error_log

as this is where you will see most of the action.

Dw


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org