Posted to users@httpd.apache.org by o haya <oh...@yahoo.com.INVALID> on 2016/05/04 15:39:57 UTC

[users@httpd] Problems with "sequencing" of FakeBasicAuth vs. Require using client certs for Authentication

Hi,

We are trying to use client certs with Apache 2.4.x (2.4.16) and to have Apache check the client cert strings against users in an LDAP (an OpenDS instance), but are encountering what appears to be a timing problem between when Apache authz_core is doing the authentication vs. when the FakeBasicAuth is happening.

We CAN already do username/password (Basic) authentication against the LDAP using something like:

AuthType Basic
AuthName "xyz"
AuthBasicProvider ldap
AuthLDAPURL <ldap-url>
AuthLDAPBindDN <bind-dn>
AuthLDAPBindPassword <bind-password>
Require valid-user

and that works fine.

However, if we use client certs and do the following:

SSLVerifyClient require
SSLOptions +FakeBasicAuth
AuthType Basic
AuthName "xyz"
AuthBasicProvider ldap
AuthLDAPURL <ldap-url>
AuthLDAPBindDN <bind-dn>
AuthLDAPBindPassword <bind-password>
Require valid-user

then it doesn't work.

Looking at the Apache logs, what we see when this fails is:

mod_authz_core: AH01626: authorization result of Require valid-user : denied (no authenticated user yet) then
mod_authz_core: AH01626: authorization result of <RequireAny>: denied (no authenticated user yet) then
ssl: AH02036: Faking HTTP Basic Auth header: "Authorization: Basic xxxxxxxxxxxxx"

From the logging (as above), it seems like mod_authz_core is denying the authentication (because there is no authenticated user yet) BEFORE the Basic Auth "Faking" occurs, and thus, BEFORE the LDAP authentication occurs.

Does anyone know if this interpretation of what is happening is correct?

And, if so, is there some way to configure Apache so that it does the authentication vs. authentication checking in "the correct" order/sequence?

Thanks!

Jim

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
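One way to wire the directives from the post above together, added here as an example (it is not configuration from the thread or from the httpd project); the <angle-bracket> values, the /secure Location and the LogLevel line are assumptions.

```apache
# Added example: client cert -> FakeBasicAuth -> LDAP on httpd 2.4.
# Not taken from the thread or the httpd project; <angle-bracket> values,
# the /secure path and the LogLevel line are placeholders and assumptions.
<VirtualHost *:443>
    SSLEngine on
    SSLCertificateFile    <server-cert.pem>
    SSLCertificateKeyFile <server-key.pem>
    # CA(s) that issued the client certificates we are willing to accept.
    SSLCACertificateFile  <client-issuing-ca.pem>

    <Location "/secure">
        # Reject the request unless the client presents a certificate that
        # chains to SSLCACertificateFile (this is the real certificate check).
        SSLVerifyClient require

        # Turn the cert's Subject DN (one-line form, e.g. "/C=US/O=Ex/CN=Jim")
        # into an "Authorization: Basic" header. The password placed in that
        # header is always the fixed string "password", so the LDAP entry must
        # accept a bind with that password or authn fails regardless of the
        # order in which the modules run.
        SSLOptions +FakeBasicAuth

        AuthType Basic
        AuthName "xyz"
        AuthBasicProvider ldap
        # <dn-attr> must hold the one-line Subject DN string exactly.
        AuthLDAPURL "ldap://<ldap-host>:389/<base-dn>?<dn-attr>?sub?(objectClass=*)"
        AuthLDAPBindDN       "<bind-dn>"
        AuthLDAPBindPassword "<bind-password>"
        Require valid-user
    </Location>

    # Makes the sequence visible in the error log: the early AH01626
    # "no authenticated user yet" lines come from the userless authz pass
    # (the one that handles things like "Require ip"), then AH02036 shows
    # the faked header, and the authn/authz result that actually decides
    # the request is logged after that.
    LogLevel ssl:info authz_core:debug authnz_ldap:debug
</VirtualHost>
```

The cert's one-line Subject DN can be read with `openssl x509 -noout -subject -in <client-cert.pem>` to confirm it matches the value stored in <dn-attr>.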


Re: [users@httpd] Problems with "sequencing" of FakeBasicAuth vs. Require using client certs for Authentication

Posted by Eric Covener <co...@gmail.com>.
On Wed, May 4, 2016 at 11:39 AM, o haya <oh...@yahoo.com.invalid> wrote:
> Looking at the Apache logs, what we see when this fails is:
>
> mod_authz_core: AH01626: authorization result of Require valid-user : denied (no authenticated user yet) then
> mod_authz_core: AH01626: authorization result of <RequireAny>: denied (no authenticated user yet) then
> ssl: AH02036: Faking HTTP Basic Auth header: "Authorization: Basic xxxxxxxxxxxxx"
>
> From the logging (as above), it seems like mod_authz_core is denying the authentication (because there is no authenticated user yet) BEFORE the Basic Auth "Faking" occurs, and thus, BEFORE the LDAP authentication occurs.
>
> Does anyone know if this interpretation of what is happening is correct?


I don't think the interpretation is entirely right.  It clearly didn't
stop processing.  authz_core checks for some kind of userless access
control methods early, like "require ip".

-- 
Eric Covener
covener@gmail.com
