Technically what's being attempted here is a lookup rather than authentication.

The intention is to do a query using the cert info to get back the uid from LDAP
(as opposed to an LDAP connect with a password followed by a query).

Currently the LDAP code only provides Authentication and/or Authorization. It does
not provide a version of certificate-based LDAP authentication where SSL provides the
authentication and LDAP, trusting SSL's authn, only does the lookup/mapping via a
query (without password) to convert the cert info into uid value (or whatever attr
value they want) for use with authorization and downstream REMOTE_USER processing.

Paul J. Reder


On 09/08/2009 11:09 AM, Graham Leggett wrote:
Udo Rader wrote:

Maybe a more concrete sample can help clarify what I am talking about,
here's my approximate setup:

<Location /fooBar>
   SSLVerifyClient require
   SSLRequireSSL

   SSLOptions +FakeBasicAuth
   AuthName "Snake Oil Authentication"
   AuthType Basic
   AuthBasicProvider ldap
   AuthLDAPRemoteUserAttribute uid

   AuthLDAPURL ldap://127.0.0.1/dc=example,dc=com?subjectDN?one
   require valid-user
</Location>

Right, so you're trying to authenticate twice, first using certs, then
using LDAP, and you're not trying to authorise at all ("require
valid-user").

That it doesn't do (yet), but shouldn't be hard to implement. mod_ssl
needs to signal that the user has been successfully authenticated using
a cert, and mod_authnz_ldap needs to respond to the signal that the user
has been successfully authenticated using a cert, and skip the password
check if so.

Regards,
Graham
--

--
Paul J. Reder
-----------------------------------------------------------
"The strength of the Constitution lies entirely in the determination of each
citizen to defend it.  Only if every single citizen feels duty bound to do
his share in this defense are the constitutional rights secure."
-- Albert Einstein
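What the thread describes, as an added example that is not code from the thread or from Apache httpd: TLS client-certificate verification has already authenticated the user, so the LDAP step is only a lookup that maps the certificate subject to a uid, with no password bind. The in-memory directory, its entries and the small equality-filter evaluator are constructed stand-ins for a real LDAP server; the attribute name subjectDN is taken from the config quoted above, and the subject DN string format is assumed. The one check worth noticing is the RFC 4515 escaping of the subject DN before it goes into the search filter, and that an ambiguous match is refused rather than resolved to the first entry.

```python
"""Cert subject -> uid lookup without a password bind (added example, not
from the thread or from Apache httpd; the directory and the filter evaluator
below are constructed stand-ins for a real LDAP server)."""
import re
from typing import Dict, List, Optional

# Constructed directory entries (stand-in for the dc=example,dc=com subtree).
DIRECTORY: List[Dict[str, str]] = [
    {"dn": "uid=alice,dc=example,dc=com", "uid": "alice",
     "subjectDN": "CN=Alice Example (Eng),OU=Staff,O=Example Corp,C=US"},
    {"dn": "uid=bob,dc=example,dc=com", "uid": "bob",
     "subjectDN": "CN=Bob Example,OU=Staff,O=Example Corp,C=US"},
]

# RFC 4515 escapes. The DN string comes from the certificate, so its
# characters are whatever the cert carries; it is never spliced into a
# filter verbatim.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape filter metacharacters so the DN is matched literally."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_lookup_filter(subject_dn: str, attr: str = "subjectDN") -> str:
    """Build the equality filter the lookup would send, e.g. (subjectDN=...)."""
    return f"({attr}={escape_filter_value(subject_dn)})"


_EQUALITY_RE = re.compile(r"^\(([A-Za-z][A-Za-z0-9-]*)=(.*)\)$", re.S)


def _unescape(value: str) -> str:
    """Reverse RFC 4515 \\xx escapes (the server-side view of the assertion)."""
    return re.sub(r"\\([0-9a-fA-F]{2})",
                  lambda m: chr(int(m.group(1), 16)), value)


def evaluate_equality_filter(ldap_filter: str, entry: Dict[str, str]) -> bool:
    """Toy stand-in for an LDAP server's equality match against one entry."""
    m = _EQUALITY_RE.match(ldap_filter)
    if not m:
        raise ValueError(f"unsupported filter: {ldap_filter!r}")
    attr, assertion = m.groups()
    return entry.get(attr) == _unescape(assertion)


def lookup_uid(subject_dn: str, directory: List[Dict[str, str]] = DIRECTORY,
               attr: str = "subjectDN", remote_user_attr: str = "uid") -> Optional[str]:
    """Return the uid for a certificate subject, or None.

    No credential is checked here: TLS client-cert verification already did
    the authentication. This only maps subject -> uid (the value that would
    become REMOTE_USER). An ambiguous match (more than one entry) is treated
    as a failure instead of silently picking the first entry.
    """
    ldap_filter = build_lookup_filter(subject_dn, attr)
    matches = [e for e in directory if evaluate_equality_filter(ldap_filter, e)]
    if len(matches) != 1:
        return None
    return matches[0].get(remote_user_attr)


if __name__ == "__main__":
    dn = "CN=Alice Example (Eng),OU=Staff,O=Example Corp,C=US"
    print(build_lookup_filter(dn))
    print("REMOTE_USER =", lookup_uid(dn))
    # A subject containing a wildcard is matched literally, so it maps to nothing.
    print("wildcard subject maps to:", lookup_uid("CN=*"))
```

In a real deployment the filter string from build_lookup_filter would be sent by an LDAP client over a bind that carries no user password (anonymous or a fixed service account), and the returned attribute value becomes REMOTE_USER for the authorization stage.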
