httpd-users mailing list archives

From "Eric Covener" <cove...@gmail.com>
Subject Re: combine client certificate authentication with ldap based authentication
Date Mon, 15 Dec 2008 12:53:08 GMT
On Mon, Dec 15, 2008 at 3:55 AM, Sebastian Reitenbach
<sebastia@l00-bugdead-prods.de> wrote:
> Hi,
>
> I want to authenticate users on apache. In case they have a valid x509
> client certificate in their browser for authentication, then that should be
> sufficient. In case the client does not have such a certificate, the user
> should be able to authenticate via username/password against ldap.
>
> I got both working on their own, but when I try to combine both, and I have an
> x509 certificate, then it still asks for a username/password.
>
> <VirtualHost _default_:443>
>    ServerName test.intern
>    HostnameLookups Off
>
>    SSLEngine on
>    SSLCertificateFile /etc/apache2/certs/server.crt
>    SSLCertificateKeyFile /etc/apache2/certs/server.key
>    SSLCertificateChainFile /etc/apache2/certs/ca.crt
>    SSLCACertificateFile /etc/apache2/certs/ca.crt
>
>
>    CustomLog /var/log/apache2/ssl_test_request_log   ssl_combined
>
>    <Location /ssl>
>        Order deny,allow
>        Deny from all
>        Allow from 127.0.0.1
>
>        Satisfy              any
>
>        SSLRequireSSL
>
>        #SSLVerifyClient optional
>        SSLVerifyClient require
>        SSLVerifyDepth 9
>        SSLOptions +FakeBasicAuth +StrictRequire
>        AuthUserFile         /etc/apache2/conf.d/httpd.passwd
>        require              valid-user
>
>        AuthType Basic
>        AuthBasicProvider "ldap"
>        AuthName "TEST Login"
>        AuthLDAPUrl "ldap://ldap:389/ou=people,dc=intern"
>        AuthzLDAPAuthoritative off
>        require ldap-user testuser
>    </Location>
> </VirtualHost>
>
>
> I'm not sure, when I read the manual, whether the Satisfy any is relevant
> for my case at all.
>
> Any pointer into the right direction is highly appreciated.

I think to test the FakeBasic stuff first you'd need:

AuthBasicProvider file ldap

But I also think users would be able to type in cert details + the
magic FakeBasic password.  Additionally, for every user in the file, if
they didn't use a cert it would never be let in because the "file"
provider would see that they were actually in the file and not
DECLINE.

Maybe SSLUsername instead of FakeBasic would be another avenue?

http://httpd.apache.org/docs/2.2/mod/mod_ssl.html#sslusername

I do think there is just a little bit missing in Apache to let this
work -- mod_ssl might need to participate a little in the basic auth
stuff to let some of the fancy configs work.

Please let us know how it works out!

-- 
Eric Covener
covener@gmail.com
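As an added illustration of the two problems Eric raises (this is not code from Apache or from either poster), the following Python models how mod_auth_basic walks an `AuthBasicProvider file ldap` chain: a provider that finds the user and rejects the password ends the chain with a denial, and only a provider that does not know the user lets the next one be consulted. The FakeBasicAuth user name (the certificate subject DN) and the fixed password `password` with its DES form `xxj31ZMTZzkVA` are as documented for mod_ssl; the user names, passwords and the LDAP "directory" are constructed sample data, `{SHA}` entries are verified with hashlib, and the DES entry is special-cased to the single password it accepts rather than re-implementing crypt().

```python
import base64
import hashlib

# Per the mod_ssl documentation, +FakeBasicAuth presents the client
# certificate's subject DN as the user name together with the fixed
# password "password", whose DES crypt() form in the htpasswd file is:
FAKE_BASIC_HASH = "xxj31ZMTZzkVA"
FAKE_BASIC_PASSWORD = "password"

# Provider outcomes, mirroring mod_auth_basic's three-way result.
USER_NOT_FOUND, GRANTED, DENIED = "USER_NOT_FOUND", "GRANTED", "DENIED"


def sha_entry(password):
    """Stored form written by 'htpasswd -s': {SHA} + base64(sha1(password))."""
    digest = hashlib.sha1(password.encode()).digest()
    return "{SHA}" + base64.b64encode(digest).decode()


def parse_htpasswd(text):
    """Return {user: stored_hash} from htpasswd-style 'user:hash' lines."""
    users = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        user, _, stored = line.partition(":")
        users[user] = stored
    return users


def file_provider(users, user, password):
    """Model of the 'file' provider: DENIED when the user exists but the
    password mismatches; USER_NOT_FOUND only when the user is absent."""
    stored = users.get(user)
    if stored is None:
        return USER_NOT_FOUND
    if stored == FAKE_BASIC_HASH:
        # Simplification: the only input this DES hash matches is "password".
        ok = password == FAKE_BASIC_PASSWORD
    elif stored.startswith("{SHA}"):
        ok = stored == sha_entry(password)
    else:
        ok = False  # other hash formats are out of scope for this model
    return GRANTED if ok else DENIED


def ldap_provider(directory, user, password):
    """Model of the 'ldap' provider against a constructed in-memory directory."""
    if user not in directory:
        return USER_NOT_FOUND
    return GRANTED if directory[user] == password else DENIED


def basic_auth(providers, user, password):
    """mod_auth_basic chain: the first GRANTED or DENIED decides;
    USER_NOT_FOUND hands the request to the next provider."""
    for provider in providers:
        result = provider(user, password)
        if result != USER_NOT_FOUND:
            return result == GRANTED
    return False


def fake_basic_entries(users):
    """Audit helper: htpasswd entries that accept the fixed FakeBasicAuth password."""
    return sorted(u for u, h in users.items() if h == FAKE_BASIC_HASH)


# Constructed sample data: a DN entry created for a certificate holder, and a
# stale file entry for 'bob', who also has a current password in LDAP.
HTPASSWD = "\n".join([
    "/C=DE/O=Example/CN=alice:" + FAKE_BASIC_HASH,
    "bob:" + sha_entry("bob-old-file-password"),
])
LDAP_DIRECTORY = {"bob": "bob-ldap-secret", "carol": "carol-ldap-secret"}

USERS = parse_htpasswd(HTPASSWD)
PROVIDERS = [  # AuthBasicProvider file ldap
    lambda u, p: file_provider(USERS, u, p),
    lambda u, p: ldap_provider(LDAP_DIRECTORY, u, p),
]

if __name__ == "__main__":
    print("FakeBasicAuth entries:", fake_basic_entries(USERS))
    # Eric's first point: the DN plus the fixed password is accepted by the
    # file provider, with no certificate involved in that decision.
    print("alice DN + 'password':", basic_auth(PROVIDERS, "/C=DE/O=Example/CN=alice", "password"))
    # Eric's second point: bob is in the file, so the file provider DENIES his
    # LDAP password and the ldap provider is never asked.
    print("bob + LDAP password:", basic_auth(PROVIDERS, "bob", "bob-ldap-secret"))
    # carol is not in the file, so the chain falls through to LDAP.
    print("carol + LDAP password:", basic_auth(PROVIDERS, "carol", "carol-ldap-secret"))
```

Running the block shows the chain accepting alice's DN with the fixed password, rejecting bob's valid LDAP password because the file entry for him is authoritative, and accepting carol only because she has no file entry at all. The `fake_basic_entries()` audit lists the accounts in the password file whose only secret is the documented constant, which is the set a defender would want to keep out of any `file ldap` chain or protect with the certificate requirement that FakeBasicAuth itself does not enforce.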

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org

