You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@httpd.apache.org by Gayal <ga...@gmail.com> on 2006/12/27 12:19:00 UTC
[users@httpd] SSO on Apache
Hi,
What are the possible Single Sign On ways available in Apache to
authenticate users from a Domain Controller.
--
Gayal Rupasinghe
SU-APIIT
"The willingness to make a commitment even when results are unknown."
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
Re: [users@httpd] SSO on Apache
Posted by Gayal <ga...@gmail.com>.
I added LoadModule ldap_module modules/mod_ldap.so to the httpd.conf file.
And change the .htaccess file as below
SetHandler ldap-status
Order deny,allow
Deny from all
Allow from yourdomain.example.com
#AuthLDAPURL ldap://127.0.0.1/dc=example,dc=com?uid?one
#AuthzLDAPAuthoritative off
require valid-user
changed the, yourdomain.example.com to actual one.
Now i get this error:
[Wed Dec 27 18:08:20 2006] [error] [client 127.0.0.1] client denied by
server configuration: C:/Program Files/Apache Software
Foundation/Apache2.2/htdocs/test
On 12/27/06, Davide Bianchi <da...@onlyforfun.net> wrote:
> Gayal wrote:
> > What are the possible Single Sign On ways available in Apache to
> > authenticate users from a Domain Controller.
>
> Use the ldap_auth module and point it to your Domain Controller.
> Davide
>
> --
> "Microsoft technology" -- isn't that an oxymoron?
> -- Gareth Barnard
>
> ---------------------------------------------------------------------
> The official User-To-User support forum of the Apache HTTP Server Project.
> See <URL:http://httpd.apache.org/userslist.html> for more info.
> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
> " from the digest: users-digest-unsubscribe@httpd.apache.org
> For additional commands, e-mail: users-help@httpd.apache.org
>
>
--
Gayal Rupasinghe
SU-APIIT
"The willingness to make a commitment even when results are unknown."
[users@httpd] Apache and client certs
Posted by Ma...@ssb.it.
Hello everyone!
I've an apache 2.2 WebServer that is working as a reverse proxy for a
WebSphere application server that is on a separate machine.
Now I have a web application that need an information that is included in
a client certificate field (OU).
I would like to know if, with apache, is possible to obtain a
configuration where the webserver requires the client cert but doesn't
verify it and pass it to the application server that can verify it.
I have such a configuration with IBM http Server. Here there is a
directive in the http server configuration file that let you specify
"passthrough" value for client cert.
Please let me know!
Thanks in advance
Manuela Vorazzo
Re: [users@httpd] Apache and client certs
Posted by Serge Dubrouski <se...@gmail.com>.
On 1/2/07, Manuela.Vorazzo@ssb.it <Ma...@ssb.it> wrote:
>
>
> Thanks a lot!
> I've just tested WebSphere PlugIn, but the result is the same as using
> reverse proxy for contact the backend server. It desn't work!!!!
>
> I think that the only solution in a short time for me is to modify my
> webapplication.
> I can made my application asking for client cetificate in the web.xml but
> I don't like it very much!!!!
>
> Is there something else could you suggest me?
>
> If, for example, I could using Tomcat instead of WebSphere, are you sure I
> will be able to pass client certificate information to the application
> server only using mod_ssl and mod_proxy or....... have I to add mod_jk too?
You'll have to use mod_jk.
Please let me know.
>
> Thanks
>
>
> manuciao
>
>
> *"Serge Dubrouski" <se...@gmail.com>*
>
> 30/12/2006 16.32 Please respond to
> users@httpd.apache.org
>
> To
> users@httpd.apache.org cc
> Subject
> Re: [users@httpd] Apache and client certs
>
>
>
>
> On 12/30/06, toadie D <to...@gmail.com> wrote:
> > It is possible to use reverse proxy to pass a PEM Encoded Certificate as
> a
> > HTTP header to a backend server.
> >
> > Make sure you have this directive in your config file
> >
> > SSLOptions +ExportCertData
> >
> > Then use mod_headers to set the header
> >
> > RequestHeader MY_CLIENT_CERT %{SSL_CLIENT_CERT}s
> >
> >
> > You can find more info here
> > http://httpd.apache.org/docs/2.2/mod/mod_ssl.html and
> > here http://httpd.apache.org/docs/2.2/mod/mod_headers.html
> >
> > One caveat, depending on which version of apache you use (2.0.x or 2.2.x
> ),
> > the PEM encoded Certificate may across a bit strange (ie. not
> conforming to
> > multiline HTTP header).
>
> And not recognizable by backend application.
>
> > So you may see your header looking like this
> >
> > MY_CLIENT_CERT: ----- BEGIN CERTIFICATE -----[blanks no CRLF] [First
> line of
> > base64 encoded data] [ blanks no CRLF ] [Second line of base64 encoded
> data]
> > ..... ---- END CERTIFICATE -----
> >
> >
> >
> >
> >
> >
>
> ---------------------------------------------------------------------
> The official User-To-User support forum of the Apache HTTP Server Project.
> See <URL:http://httpd.apache.org/userslist.html> for more info.
> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
> " from the digest: users-digest-unsubscribe@httpd.apache.org
> For additional commands, e-mail: users-help@httpd.apache.org
>
>
>
Re: [users@httpd] Apache and client certs
Posted by Ma...@ssb.it.
Thanks a lot!
I've just tested WebSphere PlugIn, but the result is the same as using
reverse proxy for contact the backend server. It desn't work!!!!
I think that the only solution in a short time for me is to modify my
webapplication.
I can made my application asking for client cetificate in the web.xml but
I don't like it very much!!!!
Is there something else could you suggest me?
If, for example, I could using Tomcat instead of WebSphere, are you sure I
will be able to pass client certificate information to the application
server only using mod_ssl and mod_proxy or....... have I to add mod_jk
too?
Please let me know.
Thanks
manuciao
"Serge Dubrouski" <se...@gmail.com>
30/12/2006 16.32
Please respond to
users@httpd.apache.org
To
users@httpd.apache.org
cc
Subject
Re: [users@httpd] Apache and client certs
On 12/30/06, toadie D <to...@gmail.com> wrote:
> It is possible to use reverse proxy to pass a PEM Encoded Certificate as
a
> HTTP header to a backend server.
>
> Make sure you have this directive in your config file
>
> SSLOptions +ExportCertData
>
> Then use mod_headers to set the header
>
> RequestHeader MY_CLIENT_CERT %{SSL_CLIENT_CERT}s
>
>
> You can find more info here
> http://httpd.apache.org/docs/2.2/mod/mod_ssl.html and
> here http://httpd.apache.org/docs/2.2/mod/mod_headers.html
>
> One caveat, depending on which version of apache you use (2.0.x or
2.2.x),
> the PEM encoded Certificate may across a bit strange (ie. not
conforming to
> multiline HTTP header).
And not recognizable by backend application.
> So you may see your header looking like this
>
> MY_CLIENT_CERT: ----- BEGIN CERTIFICATE -----[blanks no CRLF] [First
line of
> base64 encoded data] [ blanks no CRLF ] [Second line of base64 encoded
data]
> ..... ---- END CERTIFICATE -----
>
>
>
>
>
>
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
Re: [users@httpd] Apache and client certs
Posted by Serge Dubrouski <se...@gmail.com>.
On 12/30/06, toadie D <to...@gmail.com> wrote:
> It is possible to use reverse proxy to pass a PEM Encoded Certificate as a
> HTTP header to a backend server.
>
> Make sure you have this directive in your config file
>
> SSLOptions +ExportCertData
>
> Then use mod_headers to set the header
>
> RequestHeader MY_CLIENT_CERT %{SSL_CLIENT_CERT}s
>
>
> You can find more info here
> http://httpd.apache.org/docs/2.2/mod/mod_ssl.html and
> here http://httpd.apache.org/docs/2.2/mod/mod_headers.html
>
> One caveat, depending on which version of apache you use (2.0.x or 2.2.x),
> the PEM encoded Certificate may across a bit strange (ie. not conforming to
> multiline HTTP header).
And not recognizable by backend application.
> So you may see your header looking like this
>
> MY_CLIENT_CERT: ----- BEGIN CERTIFICATE -----[blanks no CRLF] [First line of
> base64 encoded data] [ blanks no CRLF ] [Second line of base64 encoded data]
> ..... ---- END CERTIFICATE -----
>
>
>
>
>
>
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
Re: [users@httpd] Apache and client certs
Posted by toadie D <to...@gmail.com>.
It is possible to use reverse proxy to pass a PEM Encoded Certificate as a
HTTP header to a backend server.
Make sure you have this directive in your config file
SSLOptions +ExportCertData
Then use mod_headers to set the header
RequestHeader MY_CLIENT_CERT %{SSL_CLIENT_CERT}s
You can find more info here
http://httpd.apache.org/docs/2.2/mod/mod_ssl.html and
here http://httpd.apache.org/docs/2.2/mod/mod_headers.html
One caveat, depending on which version of apache you use (2.0.x or 2.2.x),
the PEM encoded Certificate may across a bit strange (ie. not conforming to
multiline HTTP header). So you may see your header looking like this
MY_CLIENT_CERT: ----- BEGIN CERTIFICATE -----[blanks no CRLF] [First line of
base64 encoded data] [ blanks no CRLF ] [Second line of base64 encoded data]
..... ---- END CERTIFICATE -----
Re: [users@httpd] Apache and client certs
Posted by Serge Dubrouski <se...@gmail.com>.
I've been watching this forum for sometime and this question appeared here
several times. So far nobody posted a solution that would allow Apache
working as proxy to pass client certificate to a backend server. The only
worked way was Apache (2.2.3) + mod_jk + Tomcat which isn't applicable to
your case because you use WebSphere. I don't know if WebSphere supports AJP
connectors, if it does you can try mod_jk. Otherway you can extract
necessary fields from client cert and put them into environment (I suppose
you use *NIX platform) then you can read them from your Java application.
On 12/29/06, Manuela.Vorazzo@ssb.it <Ma...@ssb.it> wrote:
>
>
> Probably I've to modify my application if there is no other way to send
> all client certificate info to my application server via proxy reverse.
>
> Actually the web application on WebSphere is using
> javax.net.ssl.peer_certificates and then it extracts the first OU field.
>
> How can I display the entire content of my request (all the data I send to
> the application server with the header too)?
> I've tried setting Loglevel debug in my webserver configuration file but
> in my log I cannot recognise such information.
>
> Please let me know
>
> ManuciaoThanks!
>
>
>
>
>
> *Christian Gottschalch <ma...@llbc.de>*
>
> 28/12/2006 10.53 Please respond to
> users@httpd.apache.org
>
> To
> users@httpd.apache.org cc
>
> Subject
> Re: [users@httpd] Apache and client certs
>
>
>
>
>
>
> if you use Apache Reverse Proxy, then SSL Session will be terminated at
> the Reverse Proxy and the SSL Authentication / verification is done by
> reverse proxy
>
> to transport some certificate information to your WebSphere can use:
>
> RequestHeader set "HTTP_USER_ID" %{SSL_CLIENT_S_DN_CN}e
>
> The WebSphere Application now can authorize the user based on http
> header "HTTP_USER_ID", but your application must be able to.
>
> You also may have a look at
> http://httpd.apache.org/docs/2.2/mod/mod_proxy.html#forwardreverse
>
> regards
>
> Manuela.Vorazzo@ssb.it schrieb:
> >
> > Hello everyone!
> > I've an apache 2.2 WebServer that is working as a reverse proxy for a
> > WebSphere application server that is on a separate machine.
> >
> > Now I have a web application that need an information that is included
> > in a client certificate field (OU).
> >
> > I would like to know if, with apache, is possible to obtain a
> > configuration where the webserver requires the client cert but doesn't
> > verify it and pass it to the application server that can verify it.
> >
> > I have such a configuration with IBM http Server. Here there is a
> > directive in the http server configuration file that let you specify
> > "passthrough" value for client cert.
> >
> >
> > Please let me know!
> >
> > Thanks in advance
> >
> > Manuela Vorazzo
> >
> > \
>
>
> ---------------------------------------------------------------------
> The official User-To-User support forum of the Apache HTTP Server Project.
> See <URL:http://httpd.apache.org/userslist.html> for more info.
> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
> " from the digest: users-digest-unsubscribe@httpd.apache.org
> For additional commands, e-mail: users-help@httpd.apache.org
>
>
>
Re: [users@httpd] Apache and client certs
Posted by Ma...@ssb.it.
Probably I've to modify my application if there is no other way to send
all client certificate info to my application server via proxy reverse.
Actually the web application on WebSphere is using
javax.net.ssl.peer_certificates and then it extracts the first OU field.
How can I display the entire content of my request (all the data I send to
the application server with the header too)?
I've tried setting Loglevel debug in my webserver configuration file but
in my log I cannot recognise such information.
Please let me know
ManuciaoThanks!
Christian Gottschalch <ma...@llbc.de>
28/12/2006 10.53
Please respond to
users@httpd.apache.org
To
users@httpd.apache.org
cc
Subject
Re: [users@httpd] Apache and client certs
if you use Apache Reverse Proxy, then SSL Session will be terminated at
the Reverse Proxy and the SSL Authentication / verification is done by
reverse proxy
to transport some certificate information to your WebSphere can use:
RequestHeader set "HTTP_USER_ID" %{SSL_CLIENT_S_DN_CN}e
The WebSphere Application now can authorize the user based on http
header "HTTP_USER_ID", but your application must be able to.
You also may have a look at
http://httpd.apache.org/docs/2.2/mod/mod_proxy.html#forwardreverse
regards
Manuela.Vorazzo@ssb.it schrieb:
>
> Hello everyone!
> I've an apache 2.2 WebServer that is working as a reverse proxy for a
> WebSphere application server that is on a separate machine.
>
> Now I have a web application that need an information that is included
> in a client certificate field (OU).
>
> I would like to know if, with apache, is possible to obtain a
> configuration where the webserver requires the client cert but doesn't
> verify it and pass it to the application server that can verify it.
>
> I have such a configuration with IBM http Server. Here there is a
> directive in the http server configuration file that let you specify
> "passthrough" value for client cert.
>
>
> Please let me know!
>
> Thanks in advance
>
> Manuela Vorazzo
>
> \
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
Re: [users@httpd] Apache and client certs
Posted by Christian Gottschalch <ma...@llbc.de>.
if you use Apache Reverse Proxy, then SSL Session will be terminated at
the Reverse Proxy and the SSL Authentication / verification is done by
reverse proxy
to transport some certificate information to your WebSphere can use:
RequestHeader set "HTTP_USER_ID" %{SSL_CLIENT_S_DN_CN}e
The WebSphere Application now can authorize the user based on http
header "HTTP_USER_ID", but your application must be able to.
You also may have a look at
http://httpd.apache.org/docs/2.2/mod/mod_proxy.html#forwardreverse
regards
Manuela.Vorazzo@ssb.it schrieb:
>
> Hello everyone!
> I've an apache 2.2 WebServer that is working as a reverse proxy for a
> WebSphere application server that is on a separate machine.
>
> Now I have a web application that need an information that is included
> in a client certificate field (OU).
>
> I would like to know if, with apache, is possible to obtain a
> configuration where the webserver requires the client cert but doesn't
> verify it and pass it to the application server that can verify it.
>
> I have such a configuration with IBM http Server. Here there is a
> directive in the http server configuration file that let you specify
> "passthrough" value for client cert.
>
>
> Please let me know!
>
> Thanks in advance
>
> Manuela Vorazzo
>
> \
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
[users@httpd] Apache and client certs
Posted by Ma...@ssb.it.
Hello everyone!
I've an apache 2.2 WebServer that is working as a reverse proxy for a
WebSphere application server that is on a separate machine.
Now I have a web application that need an information that is included in
a client certificate field (OU).
I would like to know if, with apache, is possible to obtain a
configuration where the webserver requires the client cert but doesn't
verify it and pass it to the application server that can verify it.
I have such a configuration with IBM http Server. Here there is a
directive in the http server configuration file that let you specify
"passthrough" value for client cert.
Please let me know!
Thanks in advance
Manuela Vorazzo
\
Re: [users@httpd] SSO on Apache
Posted by Davide Bianchi <da...@onlyforfun.net>.
Gayal wrote:
> What are the possible Single Sign On ways available in Apache to
> authenticate users from a Domain Controller.
Use the ldap_auth module and point it to your Domain Controller.
Davide
--
"Microsoft technology" -- isn't that an oxymoron?
-- Gareth Barnard
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org