[...] There's an old thread on this same
subject, and a module, that you can find at
https://sourceforge.net/projects/modauthcertific/
That's one of the prior examples I looked at in coming up with this
approach. IIRC, it depended on a rigidly defined LDAP schema.
Dictating the schema is often not an option for existing environments.
I would suggest collecting the design decisions, and the
interactions with authn/authz/access control in trunk
somewhere so people can follow without too much investment.
Include config examples/use cases.
Will do. I definitely haven't addressed documentation of any of this
yet. Is there a template or pattern for config examples and use cases?
A pointer to one or more well-done use cases would suffice.
The contentious parts for these things are usually:
How does the cert map to r-user?
I stayed with the spirit of mod_ssl here. By default r-user becomes the
certificate subject DN ( SSL_CLIENT_S_DN ). If the SSLUserName
directive is employed, use that instead. The advantage of this approach
is that it should work with almost every LDAP implementation--those
where the certificate subject is also the LDAP object's DN, and those
where a component of the subject--such as the CN--must be matched to an
attribute of the LDAP object.
As I noted in the bugzilla entry, though, I had to tweak mod_ssl to
return the DN in RFC2253 format. The backwards compatible thing to do
is to configure mod_ssl to optionally return the DN in RFC2253 syntax OR
add a new SSL variable that has the LDAP-formatted DN, and then use
SSLUserName to select that variable when needed. [The current behavior
in mod_ssl used to retrieve the subject or issuer DN uses a method
formally deprecated in OpenSSL--of course, it's not likely that it'll be
going away any time soon.]
Examples:
1)
# Find the user's entry in LDAP by matching a component of the
subject certificate to an attribute in LDAP
SSLUserName SSL_CLIENT_S_DN_UID
AuthLLDAPUrl
ldaps://ldap.example.com/dc=example,dc=com?uid,fullname?sub
# For AuthType Certificate, mod_authnz_ldap will do a subtree search
# from dc=example,dc=com for ((uid=value of
SSL_CLIENT_S_DN_UID)(objectclass=*))
2)
# Find the user's entry in LDAP by the full certificate subject DN
AuthLDAPUrl ldaps://ldap.example.com/dc=example,dc=com?fullname?sub
AuthLDAPRemoteUserIsDN
# Currently, I'm overloading the semantics of AuthLDAPRemoteUserIsDN:
# when AuthType is Certificate this directive causes us to do an
# LDAP_SCOPE_BASE search for r-user, expected to be the full DN in
RFC2253
# this is guaranteed to return either 0 or 1 directory objects.
# In this scenario fullname is still retrieved and placed in the
AUTHENTICATE_FULLNAME
# environment variable; it is not used to search for the LDAP object.
Likewise the
# scope parameter of the LDAP URL is ignored for authentication.
How does one express that basic-auth-if-no-certificate
(AuthType foo bar, or does the cert module pre-empty basic
auth via some other config mechanism) What if anything
changes in authorization providers (hopefully nothing)
In effect, nothing changes in the auhorization providers. AuthType
Certificate Basic does exactly what you would hope, for example:
AuthType Certificate Basic
AuthName Certificate authentication with Basic fallback
AuthCertificateProvider ldap
AuthBasicProvider file
# Allow fallback from mod_authnz_ldap if user is not found in LDAP;
compare to AuthBasicAuthoritative
AuthCertificateAuthoritative off
I say in effect, because to simplify implementation, I reused the
existing method. For Basic auth, there's no logical change. For
Certificate auth, I update behavior as appropriate.
Unfortunately, doing this right in trunk probably makes it
unbackportable. Getting it by hook or by crook in a
I have a working 2.2 implementation; I guess I'm signing up to distinct
changes per-branch, rather than a trunk commit and a 2.2 backport. I'm
hoping that's not as bad as one might think at first blush--where I've
made changes to the single authorization method in 2.2, I'd just have to
distribute those changes appropriately to each distinct Require ldap-*
directive method in the trunk.
standalone 2.2 module might mean making it look like basic
auth internally and would probably not be suitable for the
base distribution.
I'm not sure what you mean; I definitely want to avoid doing anything
unsuitable. What do I need to guard against?