SSLusername and Authentication
Hi,
I'm working with mod_authnz_ldap and mod_ssl authenticating with certificates, and I've got some questions.
This is my situation (some directives are omitted):
------------------------------------------------------------------------------------------------
SSLVerifyClient require
SSLOptions +ExportCertData +StdEnvVars +StrictRequire +FakeBasicAuth
<Location /private>
SSLRequireSSL
AuthType basic
AuthName "private area"
AuthzLDAPAuthoritative off
AuthBasicProvider ldap
AuthLDAPBindDN uid=myuser,dc=example,dc=com
AuthLDAPBindPassword mypassword
Require ldap-attribute employeeType=active
</Location>
------------------------------------------------------------------------------------------------
This configuration is working: the user is found in LDAP by searching for his "subjectDN", as set by the option "+FakeBasicAuth", but I want to make the LDAP SEARCH not with the subjectDN but with other fields of the certificate.
If I use these options:
------------------------------------------------------------------------------------------------
SSLVerifyClient require
SSLUserName SSL_CLIENT_S_DN_CN
SSLOptions +ExportCertData +StdEnvVars +StrictRequire -FakeBasicAuth
<Location /private>
SSLRequireSSL
AuthType basic
AuthName "private area"
AuthzLDAPAuthoritative off
AuthBasicProvider ldap
AuthLDAPBindDN uid=myuser,dc=example,dc=com
AuthLDAPBindPassword mypassword
Require ldap-attribute employeeType=active
</Location>
------------------------------------------------------------------------------------------------
mod_ssl does its work, as in my log files I see the "CN" logged as "%u", but as soon as I call "/private", "%u" becomes an empty variable and I can't use it in the next authentication module.
Is there something I'm missing?
Second question: is it possible to use environment variables in the directives AuthLDAPUrl, "Require ldap-filter" or "Require ldap-attribute"?
Something like this:
------------------------------------------------------------------------------------------------
or
Require ldap-filter "(&(mail=%{SSL_CLIENT_S_DN_Email})(CN=%{SSL_CLIENT_S_DN_CN}))"
or
Require ldap-attribute mail=%{SSL_CLIENT_S_DN_Email}
------------------------------------------------------------------------------------------------
Last question: as described in
http://httpd.apache.org/docs/2.2/mod/mod_ssl.html#ssloptions, regarding "FakeBasicAuth", the password for the user must be set to "password". Is it strictly necessary, or is there a way to set a different password, or to verify issuerDN and subjectDN against a fake password?
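Added example, not part of the original post and not code from the httpd project: whatever mechanism ends up interpolating certificate fields such as SSL_CLIENT_S_DN_CN or SSL_CLIENT_S_DN_Email into an LDAP filter of the form shown above, the values must be escaped per RFC 4515 first, because a certificate CN may legitimately contain parentheses, asterisks or backslashes, and unescaped those characters change the meaning of the filter. The function names and sample values below are constructed for this illustration; the `env` dictionary stands in for the mod_ssl environment variables exported by "+StdEnvVars".

```python
# Added example (not from the original post or from httpd): escaping
# certificate fields before building the LDAP filter from the question,
#   (&(mail=%{SSL_CLIENT_S_DN_Email})(CN=%{SSL_CLIENT_S_DN_CN}))
# Function names and sample values are constructed for this example.

# RFC 4515 section 3: characters that must be escaped inside an assertion
# value, written as a backslash followed by the two-digit hex code.
_ESCAPES = {
    "\\": r"\5c",   # backslash first, so the other escapes are not re-escaped
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def ldap_filter_escape(value: str) -> str:
    """Escape a string for safe use as an assertion value in an LDAP filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_filter_unescaped(env: dict) -> str:
    """The naive interpolation: certificate fields dropped straight into the filter.

    Shown only to make the problem visible; do not use this form.
    """
    return f"(&(mail={env['SSL_CLIENT_S_DN_Email']})(CN={env['SSL_CLIENT_S_DN_CN']}))"


def build_filter(env: dict) -> str:
    """Same filter, with both certificate fields escaped per RFC 4515."""
    mail = ldap_filter_escape(env["SSL_CLIENT_S_DN_Email"])
    cn = ldap_filter_escape(env["SSL_CLIENT_S_DN_CN"])
    return f"(&(mail={mail})(CN={cn}))"


if __name__ == "__main__":
    # Constructed sample environments (what mod_ssl +StdEnvVars would export).
    plain = {"SSL_CLIENT_S_DN_Email": "alice@example.com",
             "SSL_CLIENT_S_DN_CN": "Alice Smith"}
    awkward = {"SSL_CLIENT_S_DN_Email": "bob@example.com",
               "SSL_CLIENT_S_DN_CN": "Bob (Ops) *"}

    print(build_filter(plain))
    # The unescaped form turns the CN's "*" into a wildcard and the parentheses
    # into filter syntax; the escaped form keeps them as literal characters.
    print(build_filter_unescaped(awkward))
    print(build_filter(awkward))
```

The escaping is independent of how the values reach the filter (a later httpd version's expression syntax, a rewrite rule, or a small authentication helper); the point is that certificate subject fields are attacker-influenced only to the extent the issuing CA allows, but the filter grammar still has to be respected for correctness, and escaping costs nothing.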