On 05 Nov 2014, at 11:04 AM, Kaspar Brand <[email protected]> wrote:
> Given that ssl_var_lookup() is available for use in other modules, and
> provided that in addition SSL_CLIENT_S_DN_n, we would export an
> additional variable with the chain length (SSL_CLIENT_CERT_CHAIN_LENGTH
> or similar), wouldn't it be possible to do the manipulations required by
> mod_authnz_ldap in that module? mod_ssl really seems the wrong place to
> me for implementing application-specific requirements (such as these
> "matryoshka doll"-style subject DNs).

mod_authnz_ldap would also be the wrong place - the real place you would do such a thing is in the expression parser, which doesn't (yet) have an ordered "foreach" concept that would map practically to the ssl variables. In addition, this same capability needs to be built into other (non-web) servers, which won't have the same level of expression-parser flexibility that httpd has.

The problem I am trying to solve is to find a practical way to integrate an SSL client cert identity with LDAP, in such a way where I can say "we recognise this certificate is mapped to that capability". I am struggling to find an accurate indicator of "this certificate" (as opposed to "this similar looking certificate with a different chain"). Annoyingly, the simplest solution - a simple binary match on the cert - isn't supported by certificateExactMatch in most LDAP servers.

Is there another way to do this?

Regards,
Graham
—
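The following is an added example, not code from the thread or from httpd. It illustrates the two "this certificate" indicators the message weighs against each other: a binary match over the whole certificate (here a SHA-256 fingerprint of the DER encoding, which mod_ssl makes available as the PEM value of SSL_CLIENT_CERT) and the issuer-plus-serialNumber pair that certificateExactMatch (RFC 4523) actually compares. The DER "certificate" used as input is a constructed skeleton containing only the version and serialNumber fields, not a real certificate, the issuer Name is not decoded, and the CAPABILITIES map is a hypothetical stand-in for whatever the LDAP lookup would return.

```python
import base64
import hashlib


def pem_to_der(pem: str) -> bytes:
    """Strip the PEM armour (as found in mod_ssl's SSL_CLIENT_CERT) and return raw DER."""
    body = "".join(
        line.strip()
        for line in pem.splitlines()
        if line.strip() and not line.startswith("-----")
    )
    return base64.b64decode(body)


def cert_fingerprint(der: bytes) -> str:
    """SHA-256 over the complete DER encoding: an exact binary identity for one certificate.

    Two certificates with identical subject DNs but different issuers or
    signatures produce different fingerprints, which is the distinction the
    message asks for.
    """
    return hashlib.sha256(der).hexdigest()


def _read_tlv(buf: bytes, pos: int):
    """Decode one DER tag/length/value starting at pos; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def serial_number(der: bytes) -> int:
    """Walk Certificate -> tbsCertificate -> [0] version (optional) -> serialNumber.

    serialNumber together with issuer is what certificateExactMatch compares.
    """
    tag, cert_body, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("expected outer SEQUENCE (Certificate)")
    tag, tbs, _ = _read_tlv(cert_body, 0)
    if tag != 0x30:
        raise ValueError("expected SEQUENCE (tbsCertificate)")
    tag, value, pos = _read_tlv(tbs, 0)
    if tag == 0xA0:  # explicit [0] version is absent in v1 certificates
        tag, value, pos = _read_tlv(tbs, pos)
    if tag != 0x02:
        raise ValueError("expected INTEGER (serialNumber)")
    return int.from_bytes(value, "big", signed=True)


def _der(tag: int, body: bytes) -> bytes:
    """Encode a DER TLV (used only to build the constructed sample input)."""
    length = len(body)
    if length < 128:
        return bytes([tag, length]) + body
    lb = length.to_bytes((length.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


# Constructed sample: a DER skeleton with version v3 and serialNumber 0x010203.
# It is NOT a valid certificate; real ones carry issuer, validity, subject, etc.
SAMPLE_DER = _der(0x30, _der(0x30,
    _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01\x02\x03")))
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.b64encode(SAMPLE_DER).decode()
              + "\n-----END CERTIFICATE-----\n")

# Hypothetical mapping "this exact certificate -> capability"; in practice this
# lookup would be answered by the directory rather than a local dict.
CAPABILITIES = {cert_fingerprint(SAMPLE_DER): "ldap-admin"}


def capability_for(pem: str):
    """Resolve a presented client certificate to a capability by exact binary identity."""
    return CAPABILITIES.get(cert_fingerprint(pem_to_der(pem)))


if __name__ == "__main__":
    der = pem_to_der(SAMPLE_PEM)
    print("fingerprint:", cert_fingerprint(der))
    print("serialNumber:", serial_number(der))
    print("capability:", capability_for(SAMPLE_PEM))
```

The fingerprint path needs no LDAP matching-rule support at all: the value can be stored as an ordinary attribute and compared with equality. The serialNumber path is what a certificateExactMatch filter would use, and it only identifies one certificate when combined with the issuer, which this example leaves undecoded.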
