Hi all,
I'm stuck with mapping a PKI client certificate from a smartcard to the corresponding Active Directory entry using the standard modules and functionality. The information needed to identify the user in AD is available in the client certificate, but it seems to be in a form that is not directly usable. Somehow IIS (which is really the last resort) manages it with its certificate mapping functionality, probably by converting the certificates to the same encoding, but that's just a guess. Here's the scenario.
1. Authentication is done by a client certificate (mod_ssl). The DN of the subject is
CN=joe meyer PKI 3423RI324
The last token is a unique employeeID. Of course the whole certificate is available in PEM encoding in the variable SSL_CLIENT_CERT.
2. As far as I understand the LDAP modules, for authorisation I first need to get the user object from AD (trying with mod_authz_ldap) and then check for group membership. However, in AD there are only two entries which can be found in the client certificate: the certificate itself as the attribute userCertificate, and the employeeID, which is the last unique part of the CN. The CN in AD is completely different and unrelated, like JWDI2K.
My first attempt was to use the client certificate as SSLUserName:
SSLUserName SSL_CLIENT_CERT
...
AuthLDAPURL ldap://ldap.example.com/o=Example?userCertificate
This didn't work. Actually, I can only guess that it's due to encoding differences; I don't know how the certificate in AD is stored. ADSearcher (the Windows tool) shows it as an octet string.
My second idea is to extract the unique employeeID from the client certificate and connect to AD via the attribute employeeID. Now, I must confess it's my first go with Apache and I don't even know if it's conceptually possible to set a custom global username based on environment variables and expressions, or if the username is hidden on purpose and protected against such "nasty" hacks.
SSLUserName SSL_CLIENT_S_DN_CN (.SplitAndTakeTheLastToken ... How-To?) How is SSLUserName related to an internally used username or REMOTE_USER?
AuthLDAPURL ldap://ldap.example.com/o=Example?employeeID
Anyway, I'm stuck. Is there a way to handle this by directives at all, or do I need to use some kind of programming interface to Apache? Unfortunately I'm quite new to Apache. Are there ways, apart from writing modules, of hooking up little scripts?
Cheers,
Jan
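(Added example, not part of Jan's post or of any Apache module.) Whatever ends up doing the AD lookup, whether a small script or a module, has to build one of two LDAP search filters from the values mod_ssl exports: an employeeID filter from the last token of SSL_CLIENT_S_DN_CN, or a userCertificate filter from SSL_CLIENT_CERT. The script below shows both, using only the Python standard library. Two points it makes explicit: AD stores userCertificate as DER bytes (the "octet string" ADSearcher reports), so the PEM text from SSL_CLIENT_CERT has to be converted to DER and escaped byte-by-byte before it can match, which is the most likely reason the first attempt above did not work; and because the CN comes from the certificate rather than from a trusted directory, the extracted token is validated and RFC 4515-escaped before it goes into a filter, so a crafted CN cannot alter the query. The CN, the DER bytes and the employeeID format (alphanumeric) are constructed assumptions for the example.

```python
import re
import ssl

# Constructed sample input standing in for mod_ssl's SSL_CLIENT_S_DN_CN and
# SSL_CLIENT_CERT. SAMPLE_DER is NOT a real certificate; it is made-up bytes
# with a DER-looking prefix so the example runs offline.
SAMPLE_CN = "joe meyer PKI 3423RI324"
SAMPLE_DER = b"\x30\x82\x01\x00" + b"constructed-bytes-not-a-real-certificate"
SAMPLE_PEM = ssl.DER_cert_to_PEM_cert(SAMPLE_DER)  # same shape as SSL_CLIENT_CERT

# Assumption: employee IDs look like 3423RI324 (letters and digits only).
EMPLOYEE_ID_RE = re.compile(r"[A-Za-z0-9]+")


def employee_id_from_cn(cn: str) -> str:
    """Return the last whitespace-separated token of the subject CN,
    refusing anything that does not look like an employee ID."""
    tokens = cn.split()
    if not tokens:
        raise ValueError("empty CN")
    emp = tokens[-1]
    if not EMPLOYEE_ID_RE.fullmatch(emp):
        raise ValueError(f"unexpected employeeID format: {emp!r}")
    return emp


def ldap_escape_text(value: str) -> str:
    """RFC 4515 escaping for a textual assertion value: the characters
    that carry meaning inside a filter become \\xx hex escapes."""
    return "".join(
        "\\%02x" % ord(ch) if ch in "*()\\\x00" else ch for ch in value
    )


def ldap_escape_binary(data: bytes) -> str:
    """RFC 4515 escaping for a binary assertion value: every byte as \\xx."""
    return "".join("\\%02x" % b for b in data)


def pem_to_der(pem: str) -> bytes:
    """Strip the PEM armour and base64-decode to the DER bytes AD stores."""
    return ssl.PEM_cert_to_DER_cert(pem)


def employee_id_filter(cn: str) -> str:
    """Filter for the second idea: look the user up by employeeID."""
    emp = employee_id_from_cn(cn)
    return "(&(objectClass=user)(employeeID=%s))" % ldap_escape_text(emp)


def user_certificate_filter(pem: str) -> str:
    """Filter for the first idea done in the right encoding: exact match on
    the DER bytes in userCertificate."""
    return "(userCertificate=%s)" % ldap_escape_binary(pem_to_der(pem))


def naive_pem_filter(pem: str) -> str:
    """What a lookup gets when the PEM text is used as the username as-is:
    the escaped text never equals the stored DER bytes."""
    return "(userCertificate=%s)" % ldap_escape_text(pem.strip())


if __name__ == "__main__":
    print(employee_id_filter(SAMPLE_CN))
    print(user_certificate_filter(SAMPLE_PEM)[:60] + "...")
    print("naive filter equals DER filter:",
          naive_pem_filter(SAMPLE_PEM) == user_certificate_filter(SAMPLE_PEM))
```

The employeeID path is the cheaper one in practice: the filter is short, the attribute is a plain string, and the validation step doubles as a sanity check that the CN really has the expected shape. The userCertificate path is stricter, since it binds the session to one exact certificate, but it requires whoever does the lookup to have the DER bytes, not the PEM text.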