Graham Leggett wrote:
Udo Rader wrote:

I am just trying to set up a X.509 client certificates + LDAP based
authorization system.

I've set up all pieces best to my knowledge (mod_ssl, mod_auth_basic,
mod_auth_ldap), but I am still having problems connecting to our LDAP
server because "SSLOptions FakeBasicAuth" still explicitly requires
"password" as the password for each user in order to successfully
authenticate against mod_auth_ldap.

Authenticate or authorise?

Are you trying to authenticate the user using SSL certs, and then
authorise the user using LDAP? Or do you want users to be authenticated
both by SSL client certs and by LDAP?

Authenticate: is the user who the user says they are?
Authorise: is the user allowed to access the resource?

Thanks for the clarification, I am quite aware of that :-)

Maybe a more concrete sample can help clarify what I am talking about, here's my approximate setup:

<Location /fooBar>
  SSLVerifyClient require
  SSLRequireSSL

  SSLOptions +FakeBasicAuth
  AuthName "Snake Oil Authentication"
  AuthType Basic
  AuthBasicProvider ldap
  AuthLDAPRemoteUserAttribute uid

  AuthLDAPURL ldap://127.0.0.1/dc=example,dc=com?subjectDN?one
  require valid-user
</Location>

For obvious reasons, authentication fails, because mod_ssl sends "password" as the password for any "faked" basic auth user to the underlying mod_authnz_ldap authentication module, see the "FakeBasicAuth" section here [1].

And of course, it is impossible to set "password" as password for everyone in the LDAP DIT.

What we basically "needed" was for our clients to authenticate using their certificates and then to have mod_authnz_ldap fetch their user names (uid) based on the certificates' subjects (or similar).

But both the problem and possible solution scenarios were excellently described in the OP about one year ago, see [2].

There are other, third party modules dealing with this problem, e.g. mod_authz_ldap [3], but I want to circumvent them if possible.


[1] http://httpd.apache.org/docs/2.2/mod/mod_ssl.html#ssloptions
[2] http://phpot.bestsolution.at/nanourl/bbsy2
[3] http://authzldap.othello.ch/

--
Udo Rader, CTO
http://www.bestsolution.at
http://riaschissl.blogspot.com
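
The following is an added example, not code from the thread, from httpd or from any of the modules named above. It models in plain Python what "SSLOptions +FakeBasicAuth" hands to an LDAP authentication provider (username = certificate subject DN in the one-line "/C=../O=../CN=.." form, password = the fixed string "password", as the mod_ssl docs describe) and why a provider that binds with that password must fail, while a lookup that only maps the subject DN to a uid (what the poster asks for) succeeds. The subject DN, the directory entries, the attribute name subjectDN and the in-memory dictionary standing in for the LDAP server are all constructed for this example; the filter escaping shows the RFC 4515 shape of the search and is not a claim about mod_authnz_ldap's internals.

```python
"""
Added example (not httpd, mod_ssl or mod_authnz_ldap code).

Models the FakeBasicAuth hand-off: mod_ssl fakes an Authorization header
with the client certificate's subject DN as the user and the literal
"password" as the password. An authn provider that binds with it fails;
a DN-to-uid lookup that trusts the TLS handshake does not need the bind.
All DNs, entries and attribute names below are constructed.
"""
import base64

# The fixed password mod_ssl uses for FakeBasicAuth (per the mod_ssl docs).
FAKE_BASIC_PASSWORD = "password"


def fake_basic_auth_header(subject_dn):
    """Build the Authorization header FakeBasicAuth injects."""
    token = base64.b64encode(
        "{}:{}".format(subject_dn, FAKE_BASIC_PASSWORD).encode()
    ).decode()
    return "Basic " + token


def parse_basic_auth_header(header):
    """Split a Basic header back into (user, password)."""
    scheme, _, token = header.partition(" ")
    if scheme != "Basic":
        raise ValueError("not Basic auth")
    user, _, pw = base64.b64decode(token).decode().partition(":")
    return user, pw


def escape_filter_value(value):
    """RFC 4515 escaping: a DN containing '(', ')', '*', '\\' or NUL must
    not be able to change the shape of the search filter."""
    out = []
    for ch in value:
        if ch in "\\*()" or ch == "\x00":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def search_filter(attribute, username):
    """Filter an AuthLDAPURL '?<attribute>?' lookup sends for a username."""
    return "({}={})".format(attribute, escape_filter_value(username))


# Constructed directory standing in for ldap://127.0.0.1/dc=example,dc=com.
DIRECTORY = {
    "uid=urader,ou=people,dc=example,dc=com": {
        "uid": "urader",
        "subjectDN": "/C=AT/O=Example Org/CN=Udo Rader",
        "userPassword": "correct horse battery staple",
    },
}


def find_entry(attribute, username):
    """Search phase: exactly one entry whose attribute equals the username."""
    matches = [(dn, e) for dn, e in DIRECTORY.items() if e.get(attribute) == username]
    if len(matches) != 1:
        return None
    return matches[0]


def ldap_authenticate(header, attribute="subjectDN"):
    """What an LDAP *authentication* provider does: search, then bind with
    the supplied password. Returns the uid, or None when the bind fails."""
    user, pw = parse_basic_auth_header(header)
    hit = find_entry(attribute, user)
    if hit is None:
        return None
    _dn, entry = hit
    if entry["userPassword"] != pw:  # pw is always "password": bind fails
        return None
    return entry["uid"]


def cert_user_to_uid(subject_dn, attribute="subjectDN"):
    """What the poster wants: the TLS handshake already authenticated the
    client; the directory is only consulted to map subject DN -> uid."""
    hit = find_entry(attribute, subject_dn)
    return None if hit is None else hit[1]["uid"]


if __name__ == "__main__":
    dn = "/C=AT/O=Example Org/CN=Udo Rader"
    hdr = fake_basic_auth_header(dn)
    print("faked header:", hdr)
    print("search filter:", search_filter("subjectDN", dn))
    print("authn via LDAP bind:", ldap_authenticate(hdr))   # None
    print("DN -> uid lookup only:", cert_user_to_uid(dn))   # urader
```

The point the example makes is the one the thread turns on: the faked header never carries a secret the directory could verify, so any provider that treats it as a password check fails for every user unless userPassword is literally "password"; the DN-to-uid mapping is an authorization-time lookup and needs no bind at all.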
