httpd-users mailing list archives

From Martin Sanchez <>
Subject Re: [users@httpd] LDAP validation using certificates
Date Mon, 08 Aug 2011 09:45:55 GMT

Thank you for the reply.

Eric, I know that I can use mod_ssl to store certificates in one Apache,
but I want to have the certificates in LDAP because I have two or three Apaches
or maybe more in the future and I don't want to replicate these files in all

Darren, the problem is that I generate the certificates myself and I can
revoke these certificates, therefore I need to take each certificate from the
client to see if it is valid or not. I don't need trust in CA authorities

Now I am trying to recompile some modules and configure Apache as shown in this

But there aren't examples of how to configure Apache; I'll tell you how to
make this work if I am successful.

Kind Regards


2011/8/5 Darren Spruell <>

> On Fri, Aug 5, 2011 at 1:56 AM, Martin Sanchez <> wrote:
> > Hello,
> > I've read about this topic in the mailing list but I didn't find the
> > solution.
> > I want to validate LDAP users against Apache using the certificates that
> > the user stores in LDAP.
> > I mean, I create and store the X509 certificates in LDAP. Afterwards I
> > send the certificates to my clients and they install those certificates
> > in their browsers.
> > Now I want to validate the users using the certificate instead of the
> > user-name and the password.
> One point on certificate auth - you don't need to have access to
> client certificates to validate identities (meaning, you don't need to
> consult LDAP or another store containing user certificate data) - you
> just need to configure your server to trust the Certificate Authority
> (CA) that issued those certificates. This is the fundamental basis of
> PKI and X.509 certificate authentication. It's the same way that your
> browser trusts an SSL web server (trusted CA store).
> The SSL howto has some resources on this ("Client Authentication and
> Access Control"):
> mod_ssl has served me well for this in the past:
> --
> Darren Spruell

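An added example, not part of the original thread: a mod_ssl virtual host that trusts a self-operated CA, as the quoted reply describes, and enforces revocation with that CA's CRL, so each front-end needs only the CA certificate and the CRL rather than a copy of every client certificate. The host name and file paths are placeholders, and `SSLCARevocationCheck` assumes Apache httpd 2.4.

```apache
# Added example. Host name and all file paths are placeholders (assumptions).
<VirtualHost *:443>
    ServerName www.example.org

    SSLEngine on
    SSLCertificateFile    /etc/httpd/ssl/server.crt
    SSLCertificateKeyFile /etc/httpd/ssl/server.key

    # Trust only the in-house CA that signs the client certificates.
    # Pointing this at a public CA bundle would accept any certificate
    # issued by those CAs as well.
    SSLCACertificateFile  /etc/httpd/ssl/own-ca.crt

    # Refuse the TLS handshake unless the client presents a certificate
    # that chains to the CA above. Depth 1: signed directly by that CA.
    SSLVerifyClient require
    SSLVerifyDepth  1

    # Revocation: the CRL issued by the same CA. A certificate whose
    # serial number is listed here is rejected during the handshake.
    SSLCARevocationFile   /etc/httpd/ssl/own-ca.crl

    # httpd 2.4 only checks CRLs when this is set (the default is "none").
    # httpd 2.2 has no such directive and checks whenever a CRL is configured.
    SSLCARevocationCheck  chain

    # Operational caveats:
    #  - The CRL is read at startup, so a graceful restart is needed after
    #    each new CRL is copied to the server.
    #  - Once the CRL's nextUpdate time has passed, verification fails for
    #    all clients, so reissue and redistribute it before then.

    # Expose the verified subject CN as the authenticated user name and
    # pass the certificate details to applications.
    SSLUserName SSL_CLIENT_S_DN_CN
    SSLOptions  +StdEnvVars

    <Location />
        SSLRequireSSL
    </Location>
</VirtualHost>
```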