Posted to users@httpd.apache.org by Sebastian Reitenbach <se...@l00-bugdead-prods.de> on 2008/12/15 09:55:25 UTC
combine client certificate authentication with ldap based authentication
Hi,
I want to authenticate users on apache. In case they have a valid x509
client certificate in their browser for authentication, then that should be
sufficient. In case the client does not have such a certificate, the user
should be able to authenticate via username/password against ldap.
I got both working on their own, but when I try to combine both, and I have an
x509 certificate, then it still asks for a username/password.
<VirtualHost _default_:443>
    ServerName test.intern
    HostnameLookups Off

    SSLEngine on
    SSLCertificateFile /etc/apache2/certs/server.crt
    SSLCertificateKeyFile /etc/apache2/certs/server.key
    SSLCertificateChainFile /etc/apache2/certs/ca.crt
    SSLCACertificateFile /etc/apache2/certs/ca.crt

    CustomLog /var/log/apache2/ssl_test_request_log ssl_combined

    <Location /ssl>
        Order deny,allow
        Deny from all
        Allow from 127.0.0.1

        Satisfy any

        SSLRequireSSL

        #SSLVerifyClient optional
        SSLVerifyClient require
        SSLVerifyDepth 9
        # FakeBasicAuth: mod_ssl presents the client cert subject DN as a
        # Basic-auth username with the fixed password "password"
        SSLOptions +FakeBasicAuth +StrictRequire
        AuthUserFile /etc/apache2/conf.d/httpd.passwd
        require valid-user

        AuthType Basic
        AuthBasicProvider "ldap"
        AuthName "TEST Login"
        AuthLDAPUrl "ldap://ldap:389/ou=people,dc=intern"
        AuthzLDAPAuthoritative off
        require ldap-user testuser
    </Location>
</VirtualHost>
I'm not sure, when I read the manual, whether the Satisfy any is relevant
for my case at all.
Any pointer in the right direction is highly appreciated.
kind regards
Sebastian
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
Re: combine client certificate authentication with ldap based authentication
Posted by Eric Covener <co...@gmail.com>.
On Mon, Dec 15, 2008 at 3:55 AM, Sebastian Reitenbach
<se...@l00-bugdead-prods.de> wrote:
> Hi,
>
> I want to authenticate users on apache. In case they have a valid x509
> client certificate in their browser for authentication, then that should be
> sufficient. In case the client does not have such a certificate, the user
> should be able to authenticate via username/password against ldap.
>
> I got both working on their own, but when I try to combine both, and I have an
> x509 certificate, then it still asks for a username/password.
>
> <VirtualHost _default_:443>
> ServerName test.intern
> HostnameLookups Off
>
> SSLEngine on
> SSLCertificateFile /etc/apache2/certs/server.crt
> SSLCertificateKeyFile /etc/apache2/certs/server.key
> SSLCertificateChainFile /etc/apache2/certs/ca.crt
> SSLCACertificateFile /etc/apache2/certs/ca.crt
>
>
> CustomLog /var/log/apache2/ssl_test_request_log ssl_combined
>
> <Location /ssl>
> Order deny,allow
> Deny from all
> Allow from 127.0.0.1
>
> Satisfy any
>
> SSLRequireSSL
>
> #SSLVerifyClient optional
> SSLVerifyClient require
> SSLVerifyDepth 9
> SSLOptions +FakeBasicAuth +StrictRequire
> AuthUserFile /etc/apache2/conf.d/httpd.passwd
> require valid-user
>
> AuthType Basic
> AuthBasicProvider "ldap"
> AuthName "TEST Login"
> AuthLDAPUrl "ldap://ldap:389/ou=people,dc=intern"
> AuthzLDAPAuthoritative off
> require ldap-user testuser
> </Location>
> </VirtualHost>
>
>
> I'm not sure, when I read the manual, whether the Satisfy any is relevant
> for my case at all.
>
> Any pointer in the right direction is highly appreciated.
I think to test the FakeBasic stuff first you'd need:
AuthBasicProvider file ldap
But I also think users would be able to type in cert details + the
magic FakeBasic password. Additionally, for every user in the file, if
they didn't use a cert they would never be let in because the "file"
provider would see that they were actually in the file and not
DECLINE.
Maybe SSLUsername instead of FakeBasic would be another avenue?
http://httpd.apache.org/docs/2.2/mod/mod_ssl.html#sslusername
I do think there is just a little bit missing in Apache to let this
work -- mod_ssl might need to participate a little in the basic auth
stuff to let some of the fancy configs work.
Please let us know how it works out!
--
Eric Covener
covener@gmail.com
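Added example (editor's note, not part of the thread and not Apache project code): one way to express "certificate if present, otherwise LDAP password" on httpd 2.2 without FakeBasicAuth at all is to let SSLRequire do the certificate test in the access stage and rely on the Satisfy any interaction the mod_ssl manual describes under SSLOptions StrictRequire: when Satisfy any is in effect, a denial from SSLRequire or SSLRequireSSL is overridden if the client then authenticates, unless +StrictRequire is set. Server name, certificate paths, CA file, the /ssl location and the LDAP URL are copied from the posted configuration; switching to SSLVerifyClient optional and using Require valid-user are assumptions made for this illustration.

```apache
<VirtualHost _default_:443>
    ServerName test.intern
    HostnameLookups Off

    SSLEngine on
    SSLCertificateFile /etc/apache2/certs/server.crt
    SSLCertificateKeyFile /etc/apache2/certs/server.key
    SSLCertificateChainFile /etc/apache2/certs/ca.crt
    SSLCACertificateFile /etc/apache2/certs/ca.crt

    CustomLog /var/log/apache2/ssl_test_request_log ssl_combined

    <Location /ssl>
        SSLRequireSSL

        # Ask for a client certificate on this location but do not fail
        # the handshake if none is sent. A certificate that does not chain
        # to SSLCACertificateFile still fails verification.
        SSLVerifyClient optional
        SSLVerifyDepth 9

        # Access-stage test: passes only when a certificate was presented
        # and verified (SSL_CLIENT_VERIFY is NONE when the user declined
        # to send one, FAILED:... when it did not verify).
        SSLRequire %{SSL_CLIENT_VERIFY} eq "SUCCESS"

        # Satisfy any: if the access stage fails, httpd falls through to
        # user authentication instead of answering 403. Do not add
        # SSLOptions +StrictRequire here; it makes the SSLRequire denial
        # final and defeats the fallback. No FakeBasicAuth is needed.
        Satisfy any

        # Fallback: Basic auth against LDAP only, so no cert DN has to
        # live in a password file with a well-known password.
        AuthType Basic
        AuthName "TEST Login"
        AuthBasicProvider ldap
        AuthLDAPUrl "ldap://ldap:389/ou=people,dc=intern"
        Require valid-user
    </Location>
</VirtualHost>
```

Check the syntax with `apachectl -t`, then exercise both paths: a browser holding a certificate issued by the CA in ca.crt should reach /ssl without a prompt, and the same browser with the certificate removed (or the cert dialog cancelled) should get the Basic realm "TEST Login" and be admitted on a valid LDAP password. Two caveats a practitioner will want: under Satisfy any every access-checker result is pooled, so an Order deny,allow / Deny from all / Allow from 127.0.0.1 block in the same Location makes every non-localhost client fail the access stage and land in the password prompt regardless of its certificate; keep host restrictions out of a location that is meant to pass on certificate alone. And on httpd 2.4 the Satisfy directive is gone; the equivalent is a `<RequireAny>` containing `Require ssl-verify-client` and `Require valid-user`.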