httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Darren Spruell <phatbuck...@gmail.com>
Subject Re: [users@httpd] LDAP validation using certificates
Date Fri, 05 Aug 2011 11:31:45 GMT
On Fri, Aug 5, 2011 at 1:56 AM, Martin Sanchez <marsanvi@gmail.com> wrote:
> Hello,
> I've read about this topic in mailing list but I didn't found the solution.
> I want validate LDAP users against Apache using the certificates than the
> user store in LDAP.
> I mean, I create and store the X509 certificates in LDAP. Afterwards I send
> to my clients the certificate and they install those certificates in their
> browsers.
> Now I want validate the users using the certificate instead of the user-name
> and the password.

One point on certificate auth - you don't need to have access to
client certificates to validate identities (meaning, you don't need to
consult LDAP or another store containing user certificate data) - you
just need to configure your server to trust the Certificate Authority
(CA) that issued those certificates. This is the fundamental basis of
PKI and X.509 certificate authentication. It's the same way that your
browser trusts an SSL web server (trusted CA store).

The SSL howto has some resources on this ("Client Authentication and
Access Control"):

http://httpd.apache.org/docs/2.2/ssl/ssl_howto.html

mod_ssl has served me well for this in the past:

http://httpd.apache.org/docs/2.2/mod/mod_ssl.html

-- 
Darren Spruell
phatbuckett@gmail.com

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Mime
View raw message