Posted to bugs@httpd.apache.org by bu...@apache.org on 2012/08/13 06:23:20 UTC

[Bug 48780] Enable mod_authnz_ldap to accept valid client certificates as sufficient authentication

https://issues.apache.org/bugzilla/show_bug.cgi?id=48780

--- Comment #11 from Esmond Pitt <es...@bigpond.com> ---
It should be noted that much of this can be implemented with the existing
implementation. See the config extract below. Provided the LDAP user object
concerned (a) has a password of 'password' as per +FakeBasicAuth and (b) has an
attribute which matches the SubjectDN of the client certificate, the client
will be authenticated correctly.

However the user's SubjectDN-valued attribute needs to be in the strange format
returned by OpenLDAP, so it will match, so it actually can't be a proper LDAP
DN-valued attribute (such as 'seeAlso'). And it also can't in general be the DN
of the object itself, as the SubjectDN of the certificate is beyond the
server's control and is most unlikely to agree with the LDAP tree's root.

So to weigh in on the above discussion:

1. A way is needed to avoid the bind step for directories that support that. I
personally don't have this requirement and I'm not aware what it actually
amounts to: I'm perfectly happy with a password of 'password', and I can
configure the user in LDAP via the password policy from being able to break it.

2. A way is needed to acquire the SubjectDN of the certificate in proper X.500
DN format, and a configuration directive to enable it, or perhaps another env
variable.

3. A way is needed to search the user subtree on an arbitrary attribute using
that DN as the target value. We already have this part, in AuthLDAPURL, we just
don't have a way of getting (2) or feeding the result into it.

4. The authenticated user is then subject to whatever require
valid-user/ldap-user/ldap-group constraints may be defined, as per my example
below.

    <Location /cRegister/WestNet>
        Order Deny,Allow
        Deny from none
        Allow from all
        Satisfy All
        # Fake LDAP Basic authentication, after
        # http://httpd.apache.org/docs/2.2/ssl/ssl_howto.html#certauthenticate
        SSLOptions +OptRenegotiate +StdEnvVars +StrictRequire +FakeBasicAuth
        SSLVerifyClient require
        AuthBasicProvider    ldap
        AuthLDAPBindDN       "uid=apache-httpd,ou=Applications,ou=System,dc=example,dc=com"
        AuthLDAPBindPassword "xyz"
        # Look up the SubjectDN of the certificate in OpenSSL format in the 'o' attribute.
        # The OpenSSL format for this is e.g. /C=US/ST=CA/L=SF/O=WestNet Inc./OU=Unknown/CN=WestNet Inc.,
        # which sadly isn't a valid LDAP DN, even though they are both ultimately X.509 DNs.
        # So we have to match on a non-DN-valued attribute, in this case 'o'.
        # So a target entry that satisfies all this must:
        # 1. Be an inetOrgPerson
        # 2. Be under ou=Users,dc=example,dc=com.
        # 3. Have a password of 'password', see the documentation for FakeBasicAuth.
        # 4. Have an 'o' attribute that matches the SubjectDN of the certificate in OpenSSL format as above.
        # 5. That subject must be a member of the WestNet role.
        AuthLDAPURL ldap://localhost/ou=Users,dc=verismartlabs,dc=com?o?sub?(objectClass=inetOrgPerson)
        # Require that such a user exists
        Require valid-user
        # Require that such a user is a member of the WestNet role.
        AuthLDAPGroupAttribute    roleOccupant
        Require ldap-group cn=WestNet,cn=Roles,dc=verismartlabs,dc=com
    </Location>
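Points (2) and (3) of the comment hinge on the difference between the OpenSSL "oneline" subject that mod_ssl exposes (and that +FakeBasicAuth sends as the user name) and a proper RFC 4514 DN. The following is an added example, not code from the bug or from httpd, that converts the oneline form into an RFC 4514 DN and builds the escaped search filter the AuthLDAPURL lookup amounts to; the sample subject is constructed from the one in the comment, and the filter shape is an assumption about how mod_authnz_ldap combines the URL filter with the attribute match.

```python
import re

# Constructed sample: what mod_ssl puts in SSL_CLIENT_S_DN for the
# certificate described in the comment (OpenSSL oneline format, root RDN first).
SAMPLE_ONELINE = "/C=US/ST=CA/L=SF/O=WestNet Inc./OU=Unknown/CN=WestNet Inc."

def parse_oneline(subject):
    """Split an OpenSSL oneline subject into (type, value) pairs, root first.
    Caveat: the oneline format does not escape '/', so a '/' inside a value is
    ambiguous; we only split where '/' is directly followed by 'TYPE='."""
    if not subject.startswith("/"):
        raise ValueError("not an OpenSSL oneline subject")
    parts = re.split(r"/(?=[A-Za-z][A-Za-z0-9.]*=)", subject[1:])
    rdns = []
    for part in parts:
        attr_type, _, value = part.partition("=")
        rdns.append((attr_type, value))
    return rdns

def escape_rfc4514(value):
    """Escape one attribute value for use in an RFC 4514 string DN."""
    out = value.replace("\\", "\\\\")
    for ch in ',+"<>;':
        out = out.replace(ch, "\\" + ch)
    if out.startswith("#") or out.startswith(" "):
        out = "\\" + out
    if out.endswith(" "):
        out = out[:-1] + "\\ "
    return out

def oneline_to_ldap_dn(subject):
    """Proper X.500/RFC 4514 DN: leaf RDN first, comma separated, escaped."""
    rdns = parse_oneline(subject)
    return ",".join(f"{t}={escape_rfc4514(v)}" for t, v in reversed(rdns))

def escape_rfc4515(value):
    """Escape a value placed inside an LDAP search filter (RFC 4515)."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)

def lookup_filter(attribute, value, base_filter="(objectClass=inetOrgPerson)"):
    """Assumed shape of the search: the AuthLDAPURL filter ANDed with an
    equality match of the URL's attribute against the presented user name.
    Escaping the value keeps a crafted subject from altering the filter."""
    return f"(&{base_filter}({attribute}={escape_rfc4515(value)}))"
```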
