Posted to users@httpd.apache.org by mdn teo <md...@gmail.com> on 2008/06/30 18:25:09 UTC

[users@httpd] SSLusername and Authentication

Hi,

I'm working with mod_authnz_ldap, mod_ssl authenticating with certificates
and I've got some questions.
This is my situation (some directives are omitted)

------------------------------------------------------------------------------------------------
SSLVerifyClient require
SSLOptions +ExportCertData +StdEnvVars +StrictRequire +FakeBasicAuth

<Location /private>
        SSLRequireSSL
        AuthType basic
        AuthName "private area"
        AuthzLDAPAuthoritative off
        AuthBasicProvider       ldap
        AuthLDAPBindDN          uid=myuser,dc=example,dc=com
        AuthLDAPBindPassword    mypassword
        AuthLDAPUrl             "ldap://myldaphost:389/ou=users,dc=example,dc=com?subjectDN?sub?(objectclass=*)"
        Require ldap-attribute employeeType=active
</Location>
------------------------------------------------------------------------------------------------

This configuration is working: the user is found in LDAP by searching for his
"subjectDN", as set by the option "+FakeBasicAuth", but I want to make the
LDAP SEARCH not with the subjectDN but with other fields of the certificate.

If I use these options:
------------------------------------------------------------------------------------------------
SSLVerifyClient require
SSLUserName SSL_CLIENT_S_DN_CN
SSLOptions +ExportCertData +StdEnvVars +StrictRequire -FakeBasicAuth

<Location /private>
        SSLRequireSSL
        AuthType basic
        AuthName "private area"
        AuthzLDAPAuthoritative off
        AuthBasicProvider       ldap
        AuthLDAPBindDN          uid=myuser,dc=example,dc=com
        AuthLDAPBindPassword    mypassword
        AuthLDAPUrl             "ldap://myldaphost:389/ou=users,dc=example,dc=com?cn?sub?(objectclass=*)"
        Require ldap-attribute employeeType=active
</Location>
------------------------------------------------------------------------------------------------

mod_ssl does its work, as in my log files I see the "CN" logged as "%u",
but as soon as I call "/private", the "%u" becomes an empty variable and I
can't use it in the next authentication module.
Is there something I'm missing?

Second question is: is it possible to use Environment variables in the
directives AuthLDAPUrl, "require ldap-filter" or "require ldap-attribute"?
Something like this:
------------------------------------------------------------------------------------------------
AuthLDAPUrl             "ldap://myldaphost:389/ou=users,dc=example,dc=com?subjectDN?sub?(mail=%{SSL_CLIENT_S_DN_Email})"
or
Require ldap-filter "(&(mail=%{SSL_CLIENT_S_DN_Email})(CN=%{SSL_CLIENT_S_DN_CN}))"
or
Require ldap-attribute mail=%{SSL_CLIENT_S_DN_Email}
------------------------------------------------------------------------------------------------

Last question is: As described in
http://httpd.apache.org/docs/2.2/mod/mod_ssl.html#ssloptions, regarding
"fakebasicauth", the password for the user must be set to "password". Is it
strictly necessary, or is there a way to set a different password, or to
verify issuerDN and subjectDN against a fake password?
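The second question above proposes splicing certificate subject fields (SSL_CLIENT_S_DN_Email, SSL_CLIENT_S_DN_CN) directly into an LDAP filter. Whatever component ends up building such a filter, the values come out of a client certificate and are not under the LDAP server's control, so they need RFC 4515 escaping first. The following is an added example, not code from this thread or from the Apache project: it parses a constructed subject DN in mod_ssl's one-line "/C=../O=../CN=.." form, shows the (&(mail=..)(cn=..)) filter built with and without escaping, and assumes '/' is only ever an RDN separator in the sample.

```python
"""Added example (not from the thread): escaping certificate fields before
they are substituted into an LDAP search filter.

The post proposes filters such as
    (&(mail=%{SSL_CLIENT_S_DN_Email})(CN=%{SSL_CLIENT_S_DN_CN}))
built from mod_ssl's per-attribute subject DN variables.  Any value taken
from a client certificate's subject is untrusted text from the LDAP
server's point of view, so it must be escaped per RFC 4515 before it is
spliced into a filter.  The sample subject DN below is constructed.
"""

# RFC 4515 section 3: characters that must be escaped inside an assertion
# value, written as a backslash followed by two hex digits.
_LDAP_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def ldap_filter_escape(value: str) -> str:
    """Return `value` escaped for use as an LDAP filter assertion value."""
    return "".join(_LDAP_FILTER_ESCAPES.get(ch, ch) for ch in value)


def parse_oneline_dn(dn: str) -> dict:
    """Split a subject DN in mod_ssl's one-line "/C=..//O=../CN=.." form
    into an {attribute: value} dict.

    Assumption (not from the thread): '/' is treated purely as the RDN
    separator, which holds for the constructed sample below.  mod_ssl's
    per-attribute variables map onto these keys, e.g.
    SSL_CLIENT_S_DN_CN -> CN and SSL_CLIENT_S_DN_Email -> emailAddress.
    """
    components = {}
    for part in dn.split("/"):
        if not part:
            continue
        key, _, value = part.partition("=")
        components[key] = value
    return components


def build_mail_cn_filter(subject: dict) -> str:
    """Build the (&(mail=..)(cn=..)) filter from a parsed subject DN,
    escaping each certificate-derived value first."""
    mail = ldap_filter_escape(subject["emailAddress"])
    cn = ldap_filter_escape(subject["CN"])
    return f"(&(mail={mail})(cn={cn}))"


def build_mail_cn_filter_unsafe(subject: dict) -> str:
    """Same filter without escaping; kept only to show how a CN containing
    filter metacharacters changes the filter's meaning."""
    return f"(&(mail={subject['emailAddress']})(cn={subject['CN']}))"


# Constructed sample DN; the parentheses in the CN are deliberate so that
# the escaping is visible in the output.
SAMPLE_DN = "/C=IT/O=Example Corp/OU=Staff/CN=John Doe (IT)/emailAddress=john.doe@example.com"


if __name__ == "__main__":
    subject = parse_oneline_dn(SAMPLE_DN)
    print(build_mail_cn_filter(subject))
    # With a CN of "*" the unescaped filter degrades to a wildcard match
    # on cn, while the escaped one still matches a literal asterisk only.
    crafted = dict(subject, CN="*")
    print(build_mail_cn_filter_unsafe(crafted))
    print(build_mail_cn_filter(crafted))
```

The same escaping applies to any other field pulled from the certificate (issuer DN, serial, SAN entries) before it reaches an LDAP filter, an htpasswd lookup or a log line.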

Re: [users@httpd] SSLusername and Authentication

Posted by Eric Covener <co...@gmail.com>.
On Mon, Jun 30, 2008 at 4:50 PM, mdn teo <md...@gmail.com> wrote:
> It works, I see the Username in my log files set as the field I choose with
> "SSLusername". But the field gets empty as I use another module like
> mod_authn_ldap
>  http://httpd.apache.org/docs/2.2/mod/mod_ssl.html#sslusername "Note that
> this directive has no effect if the FakeBasic option is used "
>

Sorry, never saw that alternative to fakebasicauth before.  I don't
know how it's supposed to interop with basic auth.

-- 
Eric Covener
covener@gmail.com

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Re: [users@httpd] SSLusername and Authentication

Posted by mdn teo <md...@gmail.com>.
It works, I see the Username in my log files set as the field I choose with
"SSLusername". But the field gets empty as I use another module like
mod_authn_ldap
http://httpd.apache.org/docs/2.2/mod/mod_ssl.html#sslusername "Note that
this directive has no effect if the FakeBasic option is used "



>
>
> ---------- Forwarded message ----------
> From: Eric Covener <co...@gmail.com>
> Date: Mon, Jun 30, 2008 at 6:37 PM
> Subject: Re: [users@httpd] SSLusername and Authentication
> To: users@httpd.apache.org
>
>
> On Mon, Jun 30, 2008 at 12:25 PM, mdn teo <md...@gmail.com> wrote:
> > SSLOptions +ExportCertData +StdEnvVars +StrictRequire -FakeBasicAuth
> >
>
> If you turn off SSLFakeBasicAuth, how do you expect any field from the
> cert to be used for the username?
>
> --
> Eric Covener
> covener@gmail.com
>

Re: [users@httpd] SSLusername and Authentication

Posted by Eric Covener <co...@gmail.com>.
On Mon, Jun 30, 2008 at 12:25 PM, mdn teo <md...@gmail.com> wrote:
> SSLOptions +ExportCertData +StdEnvVars +StrictRequire -FakeBasicAuth
>

If you turn off SSLFakeBasicAuth, how do you expect any field from the
cert to be used for the username?

-- 
Eric Covener
covener@gmail.com
