httpd-users mailing list archives

From Sebastian Reitenbach <sebas...@l00-bugdead-prods.de>
Subject combine client certificate authentication with ldap based authentication
Date Mon, 15 Dec 2008 08:55:25 GMT
Hi,

I want to authenticate users on Apache. In case they have a valid x509
client certificate in their browser for authentication, then that should be
sufficient. In case the client does not have such a certificate, the user
should be able to authenticate via username/password against LDAP.

I got both working on their own, but when I try to combine both, and I have an
x509 certificate, then it still asks for a username/password.

<VirtualHost _default_:443>
    ServerName test.intern
    HostnameLookups Off

    SSLEngine on
    SSLCertificateFile /etc/apache2/certs/server.crt
    SSLCertificateKeyFile /etc/apache2/certs/server.key
    SSLCertificateChainFile /etc/apache2/certs/ca.crt
    SSLCACertificateFile /etc/apache2/certs/ca.crt


    CustomLog /var/log/apache2/ssl_test_request_log   ssl_combined

    <Location /ssl>
        Order deny,allow
        Deny from all
        Allow from 127.0.0.1

        Satisfy              any

        SSLRequireSSL

        #SSLVerifyClient optional
        SSLVerifyClient require
        SSLVerifyDepth 9
        SSLOptions +FakeBasicAuth +StrictRequire
        AuthUserFile         /etc/apache2/conf.d/httpd.passwd
        require              valid-user

        AuthType Basic
        AuthBasicProvider "ldap"
        AuthName "TEST Login"
        AuthLDAPUrl "ldap://ldap:389/ou=people,dc=intern"
        AuthzLDAPAuthoritative off
        require ldap-user testuser
    </Location>
</VirtualHost>


I'm not sure, when I read the manual, whether the Satisfy any is relevant 
for my case at all.

Any pointer in the right direction is highly appreciated.

kind regards
Sebastian

