httpd-users mailing list archives

From Martin Sanchez <marsa...@gmail.com>
Subject Re: [users@httpd] LDAP validation using certificates
Date Mon, 08 Aug 2011 09:45:55 GMT
Hi,

Thank you for the reply.

Eric, I know that I can use mod_ssl to store certificates in one Apache,
but I want to have the certificates in LDAP because I have two or three Apaches,
or maybe more in the future, and I don't want to replicate these files in all
Apaches.

Darren, the problem is that I generate the certificates myself and I can
revoke these certificates, therefore I need to take each certificate from the
client to see if it is valid or not. I don't need to trust in CA authorities.

Now I am trying to recompile some modules and configure Apache as this
bug shows:

https://issues.apache.org/bugzilla/show_bug.cgi?id=48780

But there aren't examples of how to configure Apache; I'll tell you how to
make this work if I am successful.

Kind Regards

Martin



2011/8/5 Darren Spruell <phatbuckett@gmail.com>

> On Fri, Aug 5, 2011 at 1:56 AM, Martin Sanchez <marsanvi@gmail.com> wrote:
> > Hello,
> > I've read about this topic in the mailing list but I didn't find the
> > solution.
> > I want to validate LDAP users against Apache using the certificates that
> > the user stores in LDAP.
> > I mean, I create and store the X509 certificates in LDAP. Afterwards I
> > send the certificate to my clients and they install those certificates
> > in their browsers.
> > Now I want to validate the users using the certificate instead of the
> > user-name and the password.
>
> One point on certificate auth - you don't need to have access to
> client certificates to validate identities (meaning, you don't need to
> consult LDAP or another store containing user certificate data) - you
> just need to configure your server to trust the Certificate Authority
> (CA) that issued those certificates. This is the fundamental basis of
> PKI and X.509 certificate authentication. It's the same way that your
> browser trusts an SSL web server (trusted CA store).
>
> The SSL howto has some resources on this ("Client Authentication and
> Access Control"):
>
> http://httpd.apache.org/docs/2.2/ssl/ssl_howto.html
>
> mod_ssl has served me well for this in the past:
>
> http://httpd.apache.org/docs/2.2/mod/mod_ssl.html
>
> --
> Darren Spruell
> phatbuckett@gmail.com
>
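
The CA-trust approach from the quoted reply, combined with the revocation requirement raised in the response to it, as an added example that is not part of the original thread: a mod_ssl configuration that accepts only client certificates signed by a privately run CA and rejects those listed in that CA's CRL. The server name and all file paths are placeholders (assumptions), not values from the thread.

```apache
# Added example: mod_ssl client-certificate authentication with a private CA
# and a CRL. ServerName and every path below are placeholders.
<VirtualHost *:443>
    ServerName www.example.com

    SSLEngine on
    SSLCertificateFile    /etc/httpd/ssl/server.crt
    SSLCertificateKeyFile /etc/httpd/ssl/server.key

    # Trust anchor for client certificates: only the private CA that signs
    # them. No copy of the individual user certificates is needed here.
    SSLCACertificateFile  /etc/httpd/ssl/private-ca.crt

    # CRL issued by that CA. A client presenting a revoked certificate
    # fails the TLS handshake.
    SSLCARevocationFile   /etc/httpd/ssl/private-ca.crl
    # httpd 2.4 only: CRL checking is off unless enabled explicitly.
    # SSLCARevocationCheck chain

    # Require a client certificate issued directly by the private CA.
    SSLVerifyClient require
    SSLVerifyDepth  1

    # Use the certificate's CN as the authenticated user name (REMOTE_USER)
    # and export the SSL_CLIENT_* variables to applications and logs.
    SSLUserName SSL_CLIENT_S_DN_CN
    SSLOptions  +StdEnvVars
</VirtualHost>
```

httpd loads the CRL at startup, so after a revocation each Apache instance needs the updated CRL file and a graceful restart before the revoked certificate is refused.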
