SSLusername and Authentication

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Hi,

I'm working with mod_authnz_ldap, mod_ssl authenticating with certificates and I've got some questions.
This is my situation (some directives are omitted)
 
------------------------------------------------------------------------------------------------
SSLVerifyClient require
SSLOptions +ExportCertData +StdEnvVars +StrictRequire +FakeBasicAuth
 
<Location /private>
        SSLRequireSSL
        AuthType basic
        AuthName "private area"
        AuthzLDAPAuthoritative off
        AuthBasicProvider       ldap
        AuthLDAPBindDN          uid=myuser,dc=example,dc=com
        AuthLDAPBindPassword    mypassword
        AuthLDAPUrl             "ldap://myldaphost:389/ou=users,dc=example,dc=com?subjectDN?sub?(objectclass=*)"
        Require ldap-attribute employeeType=active
</Location>
------------------------------------------------------------------------------------------------
 
This configuration is working, the user in found in LDAP searching for his "subjectDN", as set by the option "+FakeBasicAuth", but I want to make the LDAP SEARCH not with the subjectDN, but other fields of the certificate.
 
If I use these options:
------------------------------------------------------------------------------------------------
SSLVerifyClient require
SSLUserName SSL_CLIENT_S_DN_CN
SSLOptions +ExportCertData +StdEnvVars +StrictRequire -FakeBasicAuth
 
<Location /private>
        SSLRequireSSL
        AuthType basic
        AuthName "private area"
        AuthzLDAPAuthoritative off
        AuthBasicProvider       ldap
        AuthLDAPBindDN          uid=myuser,dc=example,dc=com
        AuthLDAPBindPassword    mypassword
        AuthLDAPUrl             "ldap://myldaphost:389/ou=users,dc=example,dc=com?cn?sub?(objectclass=*)"
        Require ldap-attribute employeeType=active
</Location>
------------------------------------------------------------------------------------------------
 
The mod_ssl does his work, as in my log files I see the "CN" logges as "%u", but as soon as I call "/private", the "%u" becomes an empty variable and I can't use it in the next authentication module.
Is there something I'm missing?  
 
Second question is: is it possible to use Environment variables in the directives AuthLDAPUrl, "require ldap-filter" or "require ldap-attribute"?
Something like this:
------------------------------------------------------------------------------------------------
AuthLDAPUrl             "ldap://myldaphost:389/ou=users,dc=example,dc=com?subjectDN?sub?(mail=%{SSL_CLIENT_S_DN_Email)"
or
Require ldap-filter "(&(mail=%{SSL_CLIENT_S_DN_Email})(CN=%{SSL_CLIENT_S_DN_CN}))"
or
Require ldap-attribute mail=%{SSL_CLIENT_S_DN_Email}
------------------------------------------------------------------------------------------------
 
Last question is: As described in http://httpd.apache.org/docs/2.2/mod/mod_ssl.html#ssloptions, regarding "fakebasicauth", the password for the user must be set to "password", is it strictly necessary? or is there a way to set a different password, or verify issuerDN and subjectDN, against a fake password? 

[Index of Archives]     [Open SSH Users]     [Linux ACPI]     [Linux Kernel]     [Linux Laptop]     [Kernel Newbies]     [Security]     [Netfilter]     [Bugtraq]     [Squid]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Samba]     [Video 4 Linux]     [Device Mapper]

  Powered by Linux