
d : dev@httpd.apache.org 8 September 2009 • 11:09PM -0400

Re: X.509 client certificates and LDAP authorization
by Graham Leggett





Udo Rader wrote:

> Maybe a more concrete sample can help clarify what I am talking about,
> here's my approximate setup:
>
> <Location /fooBar>
>   SSLVerifyClient require
>   SSLRequireSSL
>
>   SSLOptions +FakeBasicAuth
>   AuthName "Snake Oil Authentication"
>   AuthType Basic
>   AuthBasicProvider ldap
>   AuthLDAPRemoteUserAttribute uid
>
>   AuthLDAPURL ldap://127.0.0.1/dc=example,dc=com?subjectDN?one
>   require valid-user
> </Location>

Right, so you're trying to authenticate twice, first using certs, then
using LDAP, and you're not trying to authorise at all ("require
valid-user").

That it doesn't do (yet), but shouldn't be hard to implement. mod_ssl
needs to signal that the user has been successfully authenticated using
a cert, and mod_authnz_ldap needs to respond to the signal that the user
has been successfully authenticated using a cert, and skip the password
check if so.

Regards,
Graham
--
