Posted to dev@httpd.apache.org by "Douglas E. Engert" <de...@anl.gov> on 2004/06/28 22:49:16 UTC

Missing concept in Authentication and Authorization?

I have recently started to look at how Authentication and Authorization
are done in Apache, and have looked over Justin Erenkrantz's slides
for "Authentication in Apache HTTP Server 2.1" and have been in touch
with some of the mod_auth_kerb developers. My apologies if this
is already being addressed, but it does not appear so. 

There appears to be a missing component in the AAA design, i.e. how 
to map the authentication user identity into the identity to be used 
for authorization. Multiple authentication identities may map to
the same authorization identity. 

The case we are trying to address is that we would like to
accept SSL client certificates, SPNEGO with Kerberos or Kerberos 
user/passwords for authentication. We would then like to use 
an LDAP database to determine if the authenticated user is acceptable
based on being in the LDAP and a member of selected groups.

With the client certificate the authentication identity is
derived from the subject name and issuer name. With Kerberos the 
authentication identity is user@realm. The same user might have both
a certificate and Kerberos principal. In fact we are moving towards
the use of KX509/KCA from the University of Michigan and away from
users ever sending passwords. The KCA issues short term certificates
to a user if they can authenticate with Kerberos to the KCA.

We want to use Windows AD as the LDAP authorization database. To do
this we need to use the certificate subject name to map to a DN in 
ldap, and/or use the Kerberos principal name (userPrincipalName in AD) 
to map to a DN in ldap. We can then use mod_auth_ldap to check if the 
DN is a member of a group in AD. 

(Needless to say, the use of a local database on the web server, such as
the one used by SSL FakeBasicAuth, is not acceptable.)

One way to get the mapping is to use the util_ldap_cache_checkuserid
but not have it check a password. This function is really doing
two functions: authentication and mapping. They should be separated.
We currently have a mod in util_ldap.c to do this, with a change to 
util_ldap.h as well.  

As I am new to Apache, but not to authentication, I am hoping to
see if any of these ideas are being addressed in upcoming versions. 

Thanks.

-- 

 Douglas E. Engert  <DE...@anl.gov>
 Argonne National Laboratory
 9700 South Cass Avenue
 Argonne, Illinois  60439 
 (630) 252-5444
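The separation the post argues for, as an added example that is not part of the original message or of Apache's util_ldap code: an already-authenticated identity (Kerberos principal or X.509 issuer/subject pair) is first mapped to a directory DN, and only that DN is used for the group check. The directory entries, names, realm and groups below are constructed stand-ins for AD data; the `altSecurityIdentities` and `userPrincipalName` attributes are real AD attribute names, but their use here is an assumption of this example.

```python
"""Added example: identity mapping kept separate from authentication.
An X.509 issuer/subject pair and a Kerberos principal both resolve to one
directory DN; only that DN is used for the group check. Entries below are
constructed stand-ins for AD data, not taken from the post."""

# Constructed AD-like entries. altSecurityIdentities uses the
# "X509:<I>issuer<S>subject" form; names, realm and groups are made up.
DIRECTORY = [
    {"dn": "CN=Jane Doe,OU=Users,DC=example,DC=org",
     "userPrincipalName": "jdoe@EXAMPLE.ORG",
     "altSecurityIdentities": ["X509:<I>CN=Example CA,DC=example,DC=org"
                               "<S>CN=Jane Doe,OU=Staff,DC=example,DC=org"],
     "memberOf": ["CN=web-admins,OU=Groups,DC=example,DC=org"]},
    {"dn": "CN=Bob Smith,OU=Users,DC=example,DC=org",
     "userPrincipalName": "bsmith@EXAMPLE.ORG",
     "altSecurityIdentities": [],
     "memberOf": ["CN=web-users,OU=Groups,DC=example,DC=org"]},
]

def map_to_dn(auth_type, auth_id, directory=DIRECTORY):
    """Map an already-authenticated identity to its authorization DN.
    "kerberos": auth_id is user@REALM (UPN match is case-insensitive in AD).
    "x509": auth_id is (issuer, subject); both must match, because the
    issuer is what makes the subject name trustworthy.
    Returns None when nothing maps, so callers deny by default."""
    if auth_type == "kerberos":
        wanted = auth_id.lower()
        for entry in directory:
            if entry["userPrincipalName"].lower() == wanted:
                return entry["dn"]
    elif auth_type == "x509":
        issuer, subject = auth_id
        wanted = "X509:<I>%s<S>%s" % (issuer, subject)
        for entry in directory:
            if wanted in entry["altSecurityIdentities"]:
                return entry["dn"]
    return None

def in_group(dn, group_dn, directory=DIRECTORY):
    """Authorization step: group membership of the mapped DN, nothing else."""
    for entry in directory:
        if entry["dn"] == dn:
            return group_dn in entry["memberOf"]
    return False

def check_access(auth_type, auth_id, group_dn):
    """Map first, then authorize on the mapped DN only."""
    dn = map_to_dn(auth_type, auth_id)
    return dn is not None and in_group(dn, group_dn)
```

With this split, a module that verifies a password (or a ticket, or a certificate chain) never needs to know how the directory is searched, and the same group rule applies whichever mechanism the user authenticated with.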