Posted to users@httpd.apache.org by Andrew Young <an...@an3e.org> on 2013/12/13 18:55:42 UTC

[users@httpd] SSL Authentication and LDAP Authorization

Can one configure httpd to authenticate with SSL and authorize with LDAP?
I have not found a way of configuring mod_authnz_ldap to just authorize.

Using Ubuntu 12.04.3 LTS, Apache/2.2.22, I have mod_ssl authenticating 
just fine with--
   SSLVerifyClient require
   SSLVerifyDepth  10
   <Location />
     SSLRequire    %{SSL_CLIENT_S_DN_O} eq "MyOrganization"

but I need to add authorization that restricts access to department 
members known only through our LDAP directory.  I want something on the 
order of--

   SSLUserName SSL_CLIENT_S_DN_CN
   AuthLDAPURL "ldap://directory.example.org/ou=employees,ou=people,dc=example,dc=org?cn"
   Require ldap-attribute department="550"

It seems that mod_authnz_ldap just must authenticate too using the LDAP 
password through AuthType Basic.

In my search for an answer I did find a module that advertises to do 
what I want--
http://stackoverflow.com/questions/7635380/apache-ssl-client-certificate-ldap-authorizations

but I prefer not compiling a custom version of httpd.

Thanks, Andrew



---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Re: [users@httpd] SSL Authentication and LDAP Authorization

Posted by Eric Covener <co...@gmail.com>.
On Fri, Dec 13, 2013 at 12:55 PM, Andrew Young <an...@an3e.org> wrote:
> Can one configure httpd to authenticate with SSL and authorize with LDAP?
> I have not found a way of configuring mod_authnz_ldap to just authorize.

SSLUserName does not perform Apache authentication; you could try
SSLFakeBasicAuth, but it's pretty hokey.

I think you need to add a small module for this, there are several.
