All: I just completed an end-to-end test demonstrating authentication and simple ["Require valid-user"] authorization mapping an X.509 certificate to an LDAP entry using my new "mod_auth_cert" module. The module implements "AuthType Certificate." I believe the Require ldap-* directives will work as well. (I didn't have to make any changes in the authorization side of mod_authnz_ldap.c.) By extending mod_authnz_ldap, I've avoided the limitations of various 3rd party solutions such as dependence upon specific LDAP schemas. The only requirement my solution imposes is that an attribute in the user's LDAP entry must match the subject of their SSL client certificate. In support of that requirement--at least as implemented in my environment--I'm also adding a new optional flag to mod_ssl that will render the certificate subject in RFC 2253 [XN_FLAGS_RFC2253] format. (By default the current [reversed DN, slash-delimited] rendering of the certificate subject will be used.)
I have to go through some machinations to move the patch from my integration test environment out to the Internet for posting to bugzilla. Once I do, I'll at least take a stab at adding documentation and update my existing feature request with the final proposed patch. --Pete
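Added example (not Pete's module, patch, or any Apache code): a small Python model of the matching rule the post describes, i.e. that an attribute in the user's LDAP entry must equal the subject of the client certificate. It parses mod_ssl's default reversed, slash-delimited subject rendering (the form exposed as SSL_CLIENT_S_DN), renders it in RFC 2253 form with the escaping that section 2.4 of the RFC requires, parses an RFC 2253 string back, and compares the two as lists of (type, value) pairs rather than as raw strings. The LDAP attribute name `x509SubjectDN`, the sample entry and the sample certificate subject are all constructed for the example and are not from the page.

```python
import re

# Characters RFC 2253 section 2.4 requires to be backslash-escaped inside a
# value; a leading '#' or space and a trailing space are escaped as well.
_RFC2253_SPECIALS = set(',+"\\<>;')


def parse_oneline_dn(dn):
    """Parse mod_ssl's default subject rendering ('/C=US/O=Example/CN=Pete'),
    which is root-first and slash-delimited, into [(type, value), ...].
    Assumption (not from the page): a '/' inside a value is never directly
    followed by 'type=', so only such slashes are treated as separators."""
    if not dn.startswith('/'):
        raise ValueError('expected a DN starting with "/"')
    pairs = []
    for part in re.split(r'/(?=[A-Za-z][A-Za-z0-9.]*=)', dn[1:]):
        if not part:
            continue
        attr, _, value = part.partition('=')
        pairs.append((attr.upper(), value))
    return pairs


def escape_rfc2253_value(value):
    """Escape one attribute value per RFC 2253 section 2.4."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _RFC2253_SPECIALS:
            out.append('\\' + ch)
        elif ch == ' ' and (i == 0 or i == last):
            out.append('\\ ')
        elif ch == '#' and i == 0:
            out.append('\\#')
        else:
            out.append(ch)
    return ''.join(out)


def to_rfc2253(pairs):
    """Render root-first pairs as an RFC 2253 string: leaf-first, comma-separated."""
    return ','.join(f'{attr}={escape_rfc2253_value(value)}'
                    for attr, value in reversed(pairs))


def parse_rfc2253(dn):
    """Parse an RFC 2253 string back into root-first (type, value) pairs,
    honouring '\\x' and '\\HH' escapes. Multi-valued RDNs ('+') and '#hex'
    BER values are not handled; they are outside this example's scope."""
    rdns, cur, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == '\\' and i + 1 < len(dn):
            if re.fullmatch(r'[0-9A-Fa-f]{2}', dn[i + 1:i + 3]):
                cur.append(chr(int(dn[i + 1:i + 3], 16)))  # \HH hex escape
                i += 3
            else:
                cur.append(dn[i + 1])                       # \, \+ \\ etc.
                i += 2
            continue
        if ch == ',':           # unescaped comma ends the RDN
            rdns.append(''.join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    rdns.append(''.join(cur))
    pairs = []
    for rdn in rdns:
        attr, _, value = rdn.partition('=')
        pairs.append((attr.strip().upper(), value))
    return list(reversed(pairs))


def subject_matches_entry(ssl_client_s_dn, ldap_entry, attribute):
    """The post's requirement: the certificate subject must equal the named
    attribute of the user's LDAP entry. The entry is assumed to store the
    subject in RFC 2253 form; comparison is on parsed pairs, so differences
    in escaping or ordering convention alone cannot cause a false mismatch."""
    cert_pairs = parse_oneline_dn(ssl_client_s_dn)
    return any(parse_rfc2253(stored) == cert_pairs
               for stored in ldap_entry.get(attribute, []))


# Constructed sample data (attribute name, entry and subject are invented).
SAMPLE_CERT_SUBJECT = '/C=US/O=Example, Inc./OU=R+D/CN=Pete Example'
SAMPLE_ENTRY = {
    'uid': ['pete'],
    'x509SubjectDN': ['CN=Pete Example,OU=R\\+D,O=Example\\, Inc.,C=US'],
}

if __name__ == '__main__':
    print(to_rfc2253(parse_oneline_dn(SAMPLE_CERT_SUBJECT)))
    print(subject_matches_entry(SAMPLE_CERT_SUBJECT, SAMPLE_ENTRY, 'x509SubjectDN'))
```

The reason to compare parsed pairs instead of strings is visible in the sample: the organisation value contains a comma and the OU contains a plus sign, so the RFC 2253 string and the slash-delimited string differ in escaping as well as in order, and a naive string comparison would reject a legitimate user. The slash form is also ambiguous when a value itself contains a '/', which is one practical reason to render the subject in RFC 2253 form on the mod_ssl side as the post proposes and store the same form in the directory.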