Posted to users@httpd.apache.org by Sebastian Reitenbach <se...@l00-bugdead-prods.de> on 2008/12/15 09:55:25 UTC

combine client certificate authentication with ldap based authentication

Hi,

I want to authenticate users on apache. In case they have a valid x509 
client certificate in their browser for authentication, then that should be 
sufficient. In case the client does not have such a certificate, the user 
should be able to authenticate via username/password against ldap.

I got both working on their own, but when I try to combine them, and I have an 
x509 certificate, then it still asks for a username/password.

<VirtualHost _default_:443>
    ServerName test.intern
    HostnameLookups Off

    SSLEngine on
    SSLCertificateFile /etc/apache2/certs/server.crt
    SSLCertificateKeyFile /etc/apache2/certs/server.key
    SSLCertificateChainFile /etc/apache2/certs/ca.crt
    SSLCACertificateFile /etc/apache2/certs/ca.crt


    CustomLog /var/log/apache2/ssl_test_request_log   ssl_combined

    <Location /ssl>
        Order deny,allow
        Deny from all
        Allow from 127.0.0.1

        Satisfy              any

        SSLRequireSSL

        #SSLVerifyClient optional
        SSLVerifyClient require
        SSLVerifyDepth 9
        SSLOptions +FakeBasicAuth +StrictRequire
        AuthUserFile         /etc/apache2/conf.d/httpd.passwd
        require              valid-user

        AuthType Basic
        AuthBasicProvider "ldap"
        AuthName "TEST Login"
        AuthLDAPUrl "ldap://ldap:389/ou=people,dc=intern"
        AuthzLDAPAuthoritative off
        require ldap-user testuser
    </Location>
</VirtualHost>


I'm not sure, when I read the manual, whether the Satisfy any is relevant 
for my case at all.

Any pointer in the right direction is highly appreciated.

kind regards
Sebastian


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Re: combine client certificate authentication with ldap based authentication

Posted by Eric Covener <co...@gmail.com>.
On Mon, Dec 15, 2008 at 3:55 AM, Sebastian Reitenbach
<se...@l00-bugdead-prods.de> wrote:
> Hi,
>
> I want to authenticate users on apache. In case they have a valid x509
> client certificate in their browser for authentication, then that should be
> sufficient. In case the client does not have such a certificate, the user
> should be able to authenticate via username/password against ldap.
>
> I got both working on their own, but when I try to combine them, and I have an
> x509 certificate, then it still asks for a username/password.
>
> <VirtualHost _default_:443>
>    ServerName test.intern
>    HostnameLookups Off
>
>    SSLEngine on
>    SSLCertificateFile /etc/apache2/certs/server.crt
>    SSLCertificateKeyFile /etc/apache2/certs/server.key
>    SSLCertificateChainFile /etc/apache2/certs/ca.crt
>    SSLCACertificateFile /etc/apache2/certs/ca.crt
>
>
>    CustomLog /var/log/apache2/ssl_test_request_log   ssl_combined
>
>    <Location /ssl>
>        Order deny,allow
>        Deny from all
>        Allow from 127.0.0.1
>
>        Satisfy              any
>
>        SSLRequireSSL
>
>        #SSLVerifyClient optional
>        SSLVerifyClient require
>        SSLVerifyDepth 9
>        SSLOptions +FakeBasicAuth +StrictRequire
>        AuthUserFile         /etc/apache2/conf.d/httpd.passwd
>        require              valid-user
>
>        AuthType Basic
>        AuthBasicProvider "ldap"
>        AuthName "TEST Login"
>        AuthLDAPUrl "ldap://ldap:389/ou=people,dc=intern"
>        AuthzLDAPAuthoritative off
>        require ldap-user testuser
>    </Location>
> </VirtualHost>
>
>
> I'm not sure, when I read the manual, whether the Satisfy any is relevant
> for my case at all.
>
> Any pointer in the right direction is highly appreciated.

I think to test the FakeBasic stuff first you'd need:

AuthBasicProvider file ldap

But I also think users would be able to type in cert details + the
magic FakeBasic password.  Additionally, for every user in the file, if
they didn't use a cert it would never be let in because the "file"
provider would see that they were actually in the file and not
DECLINE.

Maybe SSLUsername instead of FakeBasic would be another avenue?

http://httpd.apache.org/docs/2.2/mod/mod_ssl.html#sslusername

I do think there is just a little bit missing in Apache to let this
work -- mod_ssl might need to participate a little in the basic auth
stuff to let some of the fancy configs work.

Please let us know how it works out!

-- 
Eric Covener
covener@gmail.com
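
Added illustration, not from the thread or from httpd itself: a small Python model of how httpd 2.2 mod_auth_basic walks an "AuthBasicProvider file ldap" chain when mod_ssl's FakeBasicAuth turns a client certificate into a Basic credential of "<subject DN>:password". The htpasswd file, the DN and the LDAP directory are constructed stand-ins; only the authentication step is modelled, not the Require/authorization step. It shows both of Eric's objections: a typed DN plus the fixed password is indistinguishable from a certificate, and a user present in the file who types any other password is refused by the file provider before ldap is ever consulted.

```python
import base64
import hashlib

# mod_ssl's FakeBasicAuth presents "<subject DN>:password" as the Basic credential.
FAKE_BASIC_PASSWORD = "password"

def htpasswd_sha(password):
    """Apache '{SHA}' htpasswd entry: base64(sha1(password))."""
    digest = hashlib.sha1(password.encode()).digest()
    return "{SHA}" + base64.b64encode(digest).decode()

# Constructed AuthUserFile: one client-cert DN with the fixed fake password.
ALICE_DN = "/C=DE/O=intern/CN=alice"
HTPASSWD = {ALICE_DN: htpasswd_sha(FAKE_BASIC_PASSWORD)}

# Constructed stand-in for the LDAP directory behind "AuthBasicProvider ldap".
LDAP_USERS = {"testuser": "s3cret"}

def file_provider(user, password):
    """Returns 'granted', 'denied' or 'not_found' (AUTH_USER_NOT_FOUND)."""
    stored = HTPASSWD.get(user)
    if stored is None:
        return "not_found"
    return "granted" if stored == htpasswd_sha(password) else "denied"

def ldap_provider(user, password):
    if user not in LDAP_USERS:
        return "not_found"
    return "granted" if LDAP_USERS[user] == password else "denied"

PROVIDERS = (("file", file_provider), ("ldap", ldap_provider))

def basic_auth(user, password):
    """httpd 2.2 mod_auth_basic: providers run in order and only
    AUTH_USER_NOT_FOUND hands the request to the next one; any other
    answer is final.  Returns (result, names of providers consulted)."""
    result, consulted = "not_found", []
    for name, provider in PROVIDERS:
        consulted.append(name)
        result = provider(user, password)
        if result != "not_found":
            break
    return result, consulted

def cert_login(subject_dn):
    """What the server sees when a client certificate is used."""
    return basic_auth(subject_dn, FAKE_BASIC_PASSWORD)
```

basic_auth(ALICE_DN, "password") returns exactly what cert_login(ALICE_DN) returns, while basic_auth(ALICE_DN, "hunter2") stops at the file provider with "denied" and ldap is never asked.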
