Well, this would require quite big changes to all authentication modules, I guess. I think the better way would be to skip authentication completely in mod_auth_basic in case the user is set in the request object, because the user is already authenticated somehow through mod_ssl.

-----Original Message-----
From: Graham Leggett [mailto:[EMAIL PROTECTED]
Sent: Friday, 4 July 2008 11:14
To: [email protected]
Subject: Re: Client authorization against LDAP using client certificates

Müller Johannes wrote:
> we want to use client authorization against LDAP using client certificates on
> Apache webserver 2.2.
> Unfortunately this is not possible with Apache webserver at the current state
> of development.
> There have been third party modules (ModXAuthLDAP, mod_authz_ldap) in the
> past which did this task quite well.
> But they haven't been updated for years and therefore do not work with httpd
> newer than 2.0.
> Therefore my company has put some effort in developing a reasonable solution
> for its needs.

I think the thing that is missing is that the FakeBasicAuth option within mod_ssl should flag the request to say that a password isn't necessary. mod_authnz_ldap (and others) should then be taught to recognise this flag within the request, and not test the password if this is the case.

Regards,
Graham
