You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@httpd.apache.org by Andrew Young <an...@an3e.org> on 2013/12/13 18:55:42 UTC
[users@httpd] SSL Authentication and LDAP Authorization
Can one configure httpd to authenticate with SSL and authorize with LDAP?
I have not found a way of configuring mod_authnz_ldap to just authorize.
Using Ubuntu 12.04.3 LTS, Apache/2.2.22, I have mod_ssl authenticating
just fine with--
SSLVerifyClient require
SSLVerifyDepth 10
<Location />
SSLRequire %{SSL_CLIENT_S_DN_O} eq "MyOrganization"
but I need to add authorization that restricts access to department
members known only through our LDAP directory. I want something on the
order of--
SSLUserName SSL_CLIENT_S_DN_CN
AuthLDAPURL
"ldap://directory.example.org/ou=employees,ou=people,dc=example,dc=org?cn
Require ldap-attribute department="550"
It seems that mod_authnz_ldap just must authenticate too using the LDAP
password through AuthType Basic.
In my search for an answer I did find a module that advertizes to do
what I want--
http://stackoverflow.com/questions/7635380/apache-ssl-client-certificate-ldap-authorizations
but I prefer not compiling a custom version of httpd.
Thanks, Andrew
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
Re: [users@httpd] SSL Authentication and LDAP Authorization
Posted by Eric Covener <co...@gmail.com>.
On Fri, Dec 13, 2013 at 12:55 PM, Andrew Young <an...@an3e.org> wrote:
> Can one configure httpd to authenticate with SSL and authorize with LDAP?
> I have not found a way of configuring mod_authnz_ldap to just authorize.
SSLUserName does not perform Apache authentication, you could try
SSLFakeBasicAuth, but it's pretty hokey.
I think you need to add a small module for this, there are several.
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org