From: Knacktus
To: users@httpd.apache.org
Date: Sun, 26 Oct 2014 10:37:33 +0100
Subject: [users@httpd] Map ClientCertificate to AD User with different DN

Hi all,

I'm stuck with mapping a PKI ClientCertificate from a smartcard to the corresponding Active Directory entry using the standard modules and functionality. The information on how to identify the user in AD is available in the ClientCertificate, but it seems not in a directly usable way. Somehow IIS (which is really the last resort) does it with its certificate mapping functionality. Probably by converting the certificates to the same encoding, but that's just a guess. Here's the scenario.

1. Authentication is done by a ClientCertificate (mod_ssl). The DN of the subject is

    CN=joe meyer PKI 3423RI324

The last token is a unique employeeID. Of course the whole certificate is available in PEM encoding in the variable SSL_CLIENT_CERT.

2. As far as I understand the ldap modules, for authorisation I need to first get the user object from AD (trying with mod_authz_ldap) and then check for group membership. However, in AD there are only two entries which can be found in the ClientCertificate: the certificate itself as attribute userCertificate and the employeeID, which is the last unique part of the CN. The CN in AD is completely different and unrelated, like JWDI2K.

My first attempt was to use the ClientCertificate as SSLUserName:

    SSLUserName SSL_CLIENT_CERT
    ...
    AuthLDAPURL ldap://ldap.example.com/o=Example?userCertificate

This didn't work. Actually I can only guess due to encoding differences. I don't know how the certificate in AD is stored. ADSearcher (the Windows tool) says as octet string.

My second idea is to extract the unique employeeID from the ClientCertificate and connect to AD via the attribute employeeID. Now, I must confess it's my first go with Apache and I don't even know if it's conceptually possible to set a custom global username based on environment variables and expressions. Or if the username is hidden on purpose and protected against such "nasty" hacks.

    SSLUserName SSL_CLIENT_S_DN_CN (.SplitAndTakeTheLastToken ... How-To?)

How is SSLUserName related to an internally used UserName or REMOTE_USER?

    AuthLDAPURL ldap://ldap.example.com/o=Example?employeeID

Anyway, I'm stuck. Is there a way to handle this by directives at all, or do I need to use some kind of programming interface to Apache? Unfortunately I'm quite new to Apache. Are there ways apart from writing modules for hooking up little scripts?

Cheers,

Jan
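Added example, not part of Jan's post and not httpd or mod_authnz_ldap code: it walks through the two data-handling steps behind both of his ideas, so the encoding guess in the first attempt and the "take the last token" step of the second can be checked offline. mod_authnz_ldap builds the search filter from AuthLDAPURL itself; the code below shows what that filter has to contain to match. Assumptions not stated in the thread: the CN arrives as the string mod_ssl puts in SSL_CLIENT_S_DN_CN, the certificate as the PEM in SSL_CLIENT_CERT, AD holds userCertificate as the raw DER octets, and an employeeID is 6 to 16 alphanumeric characters (an assumed format; the real PKI's rule should replace it). The sample CN and PEM are constructed; the PEM is not a real certificate.

```python
"""Added example (not from the original post or from httpd).

Shows (1) PEM -> DER, because AD's userCertificate is an octet string holding
DER, so comparing the PEM text against it never matches; (2) pulling the
employeeID out of the subject CN; (3) RFC 4515 filter escaping, so a value
taken from a client-supplied certificate cannot inject LDAP filter syntax.
"""
import base64
import re
from typing import Union

# Constructed sample, DN layout from the post: employeeID is the last CN token.
SAMPLE_CN = "joe meyer PKI 3423RI324"

# Constructed sample: NOT a real certificate, just 48 bytes in PEM armor,
# enough to demonstrate the PEM -> DER step.
SAMPLE_DER = bytes(range(48))
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + "\n".join(re.findall(".{1,64}", base64.b64encode(SAMPLE_DER).decode()))
    + "\n-----END CERTIFICATE-----\n"
)

# Assumed employeeID format (hypothetical); tighten to the real PKI's rule.
EMPLOYEE_ID_RE = re.compile(r"^[A-Za-z0-9]{6,16}$")


def pem_to_der(pem: str) -> bytes:
    """Strip the PEM armor and base64-decode to the DER octets that AD stores
    in userCertificate. A filter on userCertificate must carry these bytes
    (escaped), not the PEM text from SSL_CLIENT_CERT."""
    body = re.sub(r"-----(BEGIN|END) CERTIFICATE-----", "", pem)
    return base64.b64decode("".join(body.split()), validate=True)


def employee_id_from_cn(cn: str) -> str:
    """Take the last whitespace-separated token of the subject CN and refuse
    anything that does not look like an employeeID, so a crafted CN cannot
    smuggle filter characters into the lookup."""
    stripped = cn.strip()
    token = stripped.split()[-1] if stripped else ""
    if not EMPLOYEE_ID_RE.fullmatch(token):
        raise ValueError(f"CN does not end in a well-formed employeeID: {cn!r}")
    return token


def ldap_escape(value: Union[bytes, str]) -> str:
    """RFC 4515 assertion-value escaping: '*', '(', ')', '\\', NUL and every
    byte outside printable ASCII become \\XX. Works for text (employeeID)
    and for binary (DER) values alike."""
    raw = value.encode("utf-8") if isinstance(value, str) else value
    out = []
    for b in raw:
        if b in b"*()\\\x00" or b < 0x20 or b >= 0x7F:
            out.append(f"\\{b:02x}")
        else:
            out.append(chr(b))
    return "".join(out)


def filter_by_employee_id(cn: str) -> str:
    """Filter for the second idea: look the user up by employeeID."""
    return f"(employeeID={ldap_escape(employee_id_from_cn(cn))})"


def filter_by_certificate(pem: str) -> str:
    """Filter for the first idea, done on the bytes AD actually stores."""
    return f"(userCertificate={ldap_escape(pem_to_der(pem))})"


if __name__ == "__main__":
    print(filter_by_employee_id(SAMPLE_CN))
    print(filter_by_certificate(SAMPLE_PEM))
```

The validation in employee_id_from_cn is the part worth keeping even if the token extraction is moved into httpd configuration: the CN is attacker-influenced only to the extent the issuing CA allows, but a lookup key derived from it still ends up inside an LDAP filter, and escaping plus a strict format check is what keeps that filter doing only what was intended.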