Posted to users@httpd.apache.org by Knacktus <kn...@googlemail.com> on 2014/10/26 10:37:33 UTC

[users@httpd] Map ClientCertificate to AD User with different DN

Hi all,

I'm stuck with mapping a PKI ClientCertificate from a Smartcard to the
corresponding Active Directory entry using the standard modules and
functionality. The information of how to identify the user in AD is
available in the ClientCertificate, but it seems in a not directly usable
way. Somehow IIS (which is really the last resort) does it with
its certificate mapping functionality. Probably by converting the
Certificates to the same encoding, but that's just a guess. Here's the
scenario.

1. Authentication is done by a ClientCertificate (mod_ssl). The DN of the
subject is

CN=joe meyer PKI 3423RI324

The last token is a unique employeeID. Of course the whole certificate
is available in PEM encoding in the variable SSL_CLIENT_CERT

2. As far as I understand the ldap modules, for authorisation I need to
first get the user object from AD (trying with mod_authz_ldap) and then
check for group membership. However, in AD there are only two entries which
can be found in the ClientCertificate: the certificate itself as
attribute userCertificate
and the employeeID, which is the last unique part of the CN. The CN in AD
is completely different and unrelated, like JWDI2K.

My first attempt was to use the ClientCertificate as SSLUserName

SSLUserName SSL_CLIENT_CERT
...
AuthLDAPURL ldap://ldap.example.com/o=Example?userCertificate

This didn't work. Actually I can only guess due to encoding differences. I
don't know how the certificate in AD is stored. ADSearcher (the Windows
tool) says as octet string.

My second idea is to extract the unique employeeID from the ClientCertificate
and connect to AD via the attribute employeeID. Now, I must confess it's my
first go with Apache and I don't even know if it's conceptually possible
to set a custom global username based on environment variables and
expressions. Or if the username is on purpose hidden and protected against
such "nasty" hacks.

SSLUserName SSL_CLIENT_S_DN_CN (.SplitAndTakeTheLastToken ... How-To?)
How is SSLUserName related to an internally used UserName or REMOTE_USER?

AuthLDAPURL ldap://ldap.example.com/o=Example?employeeID

Anyway, I'm stuck. Is there a way to handle this by directives at all or do
I need to use any kind of programming interface to Apache? Unfortunately
I'm quite new to Apache. Are there ways apart from writing modules for
hooking up little scripts?

Cheers,

Jan
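Added example, not from Jan's post and not part of httpd or any of its modules: a small Python script showing the two normalisations the post is circling around, namely taking the last CN token as the employeeID and turning the PEM text mod_ssl exposes in SSL_CLIENT_CERT into the raw DER octets that an octet-string attribute such as userCertificate holds, and then building LDAP search filters from both. The CN layout ("... PKI <employeeID>"), the sample PEM payload and the employeeID character whitelist are assumptions constructed for the example; the values are not from any real certificate or directory.

```python
"""Added example (not from the original post): normalise the identifiers
found in a mod_ssl client certificate so they can be looked up in AD.

Assumptions not stated in the thread:
  * the CN is "<given name> <surname> PKI <employeeID>", with the employeeID
    as the last whitespace-separated token;
  * AD's userCertificate attribute holds the DER bytes of the certificate
    (an octet string), while mod_ssl's SSL_CLIENT_CERT is PEM text.
"""
import base64
import re

# Constructed sample values standing in for the mod_ssl environment variables.
SAMPLE_CN = "joe meyer PKI 3423RI324"
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    "AQIDBAUGBwgJ\n"  # constructed payload (bytes 01..09), not a real certificate
    "-----END CERTIFICATE-----\n"
)

# Whitelist for the employeeID token, modelled on the example "3423RI324":
# upper-case letters and digits only. A value lifted out of a certificate
# field is still input to an LDAP query, so anything else is rejected.
EMPLOYEE_ID_RE = re.compile(r"^[A-Z0-9]{4,32}$")


def employee_id_from_cn(cn):
    """Return the last token of the CN if it passes the whitelist, else None."""
    tokens = cn.split()
    if len(tokens) < 2:
        return None
    candidate = tokens[-1]
    return candidate if EMPLOYEE_ID_RE.match(candidate) else None


def pem_to_der(pem_text):
    """Strip the PEM armour lines and base64-decode to the DER octets."""
    lines = [line.strip() for line in pem_text.splitlines()]
    body = "".join(line for line in lines if line and not line.startswith("-----"))
    return base64.b64decode(body, validate=True)


def ldap_filter_escape(value):
    """Escape the RFC 4515 special characters of a filter assertion value."""
    out = []
    for ch in value:
        if ch in "\\*()\x00":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def build_employee_filter(cn):
    """Filter matching the AD user by employeeID, or None if the CN is unusable."""
    eid = employee_id_from_cn(cn)
    if eid is None:
        return None
    return "(employeeID=%s)" % ldap_filter_escape(eid)


def build_certificate_filter(pem_text):
    """Filter matching the AD user by the DER bytes of the certificate.

    Binary attribute values are written into a filter as byte-wise \\XX
    hex escapes, which is how an octet-string comparison is expressed.
    """
    der = pem_to_der(pem_text)
    return "(userCertificate=%s)" % "".join("\\%02x" % b for b in der)


if __name__ == "__main__":
    print(build_employee_filter(SAMPLE_CN))
    print(build_certificate_filter(SAMPLE_PEM))
```

The whitelist and the filter escaping are the part worth keeping whatever directive or glue ends up doing the lookup: the CN comes from a certificate the CA issued, but the directory query is still built from it, so it is validated and escaped before use rather than pasted into the filter as-is.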