Technically what's being attempted here is a lookup rather than authentication.
The intention is to do a query using the cert info to get back the uid from LDAP
(as opposed to an LDAP connect with a password followed by a query).
Currently the LDAP code only provides Authentication and/or Authorization. It does
not provide a version of certificate-based LDAP authentication where SSL provides the
authentication and LDAP, trusting SSL's authn, only does the lookup/mapping via a
query (without password) to convert the cert info into uid value (or whatever attr
value they want) for use with authorization and downstream REMOTE_USER processing.
Paul J. Reder
On 09/08/2009 11:09 AM, Graham Leggett wrote:
> Udo Rader wrote:
>> Maybe a more concrete sample can help clarify what I am talking about,
>> here's my approximate setup:
>> <Location /fooBar>
>> SSLVerifyClient require
>> SSLOptions +FakeBasicAuth
>> AuthName "Snake Oil Authentication"
>> AuthType Basic
>> AuthBasicProvider ldap
>> AuthLDAPRemoteUserAttribute uid
>> AuthLDAPURL ldap://127.0.0.1/dc=example,dc=com?subjectDN?one
>> require valid-user
> Right, so you're trying to authenticate twice, first using certs, then
> using LDAP, and you're not trying to authorise at all ("require
> That it doesn't do (yet), but shouldn't be hard to implement. mod_ssl
> needs to signal that the user has been successfully authenticated using
> a cert, and mod_authnz_ldap needs to respond to the signal that the user
> has been successfully authenticated using a cert, and skip the password
> check if so.
Paul J. Reder
"The strength of the Constitution lies entirely in the determination of each
citizen to defend it. Only if every single citizen feels duty bound to do
his share in this defense are the constitutional rights secure."
-- Albert Einstein