From: Martin Sanchez
Date: Mon, 8 Aug 2011 11:45:55 +0200
To: users@httpd.apache.org
Subject: Re: [users@httpd] LDAP validation using certificates

Hi,

Thank you for the reply.

Eric, I know that I can use mod_ssl to store certificates in one Apache, but I want to have the certificates in LDAP because I have two or three Apaches, or maybe more in the future, and I don't want to replicate these files in all Apaches.

Darren, the problem is that I generate the certificates myself and I can revoke these certificates, therefore I need to take each certificate from the client to see if it is valid or not. I don't need to trust CA authorities.

Now I am trying to recompile some modules and configure Apache as shown in this bug: https://issues.apache.org/bugzilla/show_bug.cgi?id=48780

But there are no examples of how to configure Apache; I'll tell you how to do this work if I am successful.

Kind Regards

Martin

2011/8/5 Darren Spruell <phatbuckett@gmail.com>
> On Fri, Aug 5, 2011 at 1:56 AM, Martin Sanchez <marsanvi@gmail.com> wrote:
> > Hello,
> > I've read about this topic in the mailing list but I didn't find the solution.
> > I want to validate LDAP users against Apache using the certificates that the user stores in LDAP.
> > I mean, I create and store the X509 certificates in LDAP. Afterwards I send to my clients the certificate and they install those certificates in their browsers.
> > Now I want to validate the users using the certificate instead of the user-name and the password.
>
> One point on certificate auth - you don't need to have access to client certificates to validate identities (meaning, you don't need to consult LDAP or another store containing user certificate data) - you just need to configure your server to trust the Certificate Authority (CA) that issued those certificates. This is the fundamental basis of PKI and X.509 certificate authentication. It's the same way that your browser trusts an SSL web server (trusted CA store).
>
> The SSL howto has some resources on this ("Client Authentication and Access Control"):
>
> http://httpd.apache.org/docs/2.2/ssl/ssl_howto.html
>
> mod_ssl has served me well for this in the past:
>
> http://httpd.apache.org/docs/2.2/mod/mod_ssl.html
>
> --
> Darren Spruell
> phatbuckett@gmail.com
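As an added example (not from this thread or the Apache project), the CA-trust setup Darren describes for Apache 2.2 mod_ssl, with a CRL so that certificates Martin revokes himself are rejected without any web server holding a copy of each user's certificate; the file paths, hostname and organisation name are assumptions.

```apache
# Added example: client-certificate authentication that trusts only the
# private CA issuing the user certificates, and enforces revocation via a
# CRL published by that CA. All paths and names below are placeholders.
<VirtualHost *:443>
    ServerName www.example.com
    SSLEngine on
    SSLCertificateFile    /etc/apache2/ssl/server.crt
    SSLCertificateKeyFile /etc/apache2/ssl/server.key

    # Trust anchor: the CA certificate only, not the individual user certs.
    # Every Apache in the farm needs just this one file plus the CRL.
    SSLCACertificateFile  /etc/apache2/ssl/user-ca.crt

    # Revocation list produced by the same CA (e.g. openssl ca -gencrl).
    # Regenerate it after each revocation and reload Apache; an expired
    # CRL makes every client handshake fail, so keep the nextUpdate fresh.
    SSLCARevocationFile   /etc/apache2/ssl/user-ca.crl
    # Apache 2.4 additionally needs "SSLCARevocationCheck leaf" (or chain);
    # its default is "none", which silently skips the CRL.

    <Location /secure>
        # A certificate is mandatory and must chain directly to the CA
        # above (depth 0 = self-signed, 1 = issued by a trusted CA).
        SSLVerifyClient require
        SSLVerifyDepth  1

        # Defence in depth: accept only certificates whose issuer is the
        # private CA, in case SSLCACertificateFile ever grows more CAs.
        SSLRequire %{SSL_CLIENT_I_DN_O} eq "Example Org"

        # Export SSL_CLIENT_S_DN and friends so the application can map
        # the certificate subject to its own user record (or an LDAP entry).
        SSLOptions +StdEnvVars
    </Location>
</VirtualHost>
```

The revoked-certificate check happens in the TLS handshake, so a revoked user is refused before any application code or LDAP query runs.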