On Mon, Dec 15, 2008 at 3:55 AM, Sebastian Reitenbach <sebastia@xxxxxxxxxxxxxxxxxxxx> wrote:
> Hi,
>
> I want to authenticate users on apache. In case they have a valid x509
> client certificate in their browser for authentication, then that should be
> sufficient. In case the client does not have such a certificate, the user
> should be able to authenticate via username/password against ldap.
>
> I got both working on their own, but when I try to combine both, and I have an
> x509 certificate, then it still asks for a username/password.
>
> <VirtualHost _default_:443>
>     ServerName test.intern
>     HostnameLookups Off
>
>     SSLEngine on
>     SSLCertificateFile /etc/apache2/certs/server.crt
>     SSLCertificateKeyFile /etc/apache2/certs/server.key
>     SSLCertificateChainFile /etc/apache2/certs/ca.crt
>     SSLCACertificateFile /etc/apache2/certs/ca.crt
>
>     CustomLog /var/log/apache2/ssl_test_request_log ssl_combined
>
>     <Location /ssl>
>         Order deny,allow
>         Deny from all
>         Allow from 127.0.0.1
>
>         Satisfy any
>
>         SSLRequireSSL
>
>         #SSLVerifyClient optional
>         SSLVerifyClient require
>         SSLVerifyDepth 9
>         SSLOptions +FakeBasicAuth +StrictRequire
>         AuthUserFile /etc/apache2/conf.d/httpd.passwd
>         require valid-user
>
>         AuthType Basic
>         AuthBasicProvider "ldap"
>         AuthName "TEST Login"
>         AuthLDAPUrl "ldap://ldap:389/ou=people,dc=intern"
>         AuthzLDAPAuthoritative off
>         require ldap-user testuser
>     </Location>
> </VirtualHost>
>
> I'm not sure, when I read the manual, whether the Satisfy any is relevant
> for my case at all.
>
> Any pointer into the right direction is highly appreciated.

I think to test the FakeBasic stuff first you'd need:

AuthBasicProvider file ldap

But I also think users would be able to type in cert details + the magic
FakeBasic password. Additionally, for every user in the file, if they
didn't use a cert it would never be let in because the "file" provider
would see that they were actually in the file and not DECLINE.
Maybe SSLUsername instead of FakeBasic would be another avenue?
http://httpd.apache.org/docs/2.2/mod/mod_ssl.html#sslusername

I do think there is just a little bit missing in Apache to let this work --
mod_ssl might need to participate a little in the basic auth stuff to let
some of the fancy configs work.

Please let us know how it works out!

-- 
Eric Covener
covener@xxxxxxxxx
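Eric's remark about `AuthBasicProvider file ldap` comes down to how mod_auth_basic walks its provider list. The following is an added example, not code from this thread or from httpd: a small Python model of that chain (result names follow httpd's ap_provider.h; the htpasswd content and the LDAP directory are constructed sample data) showing that a user listed in the file with the FakeBasicAuth hash is answered by the file provider before LDAP is ever consulted.

```python
# mod_auth_basic result codes (names as in httpd's ap_provider.h).
GRANTED, DENIED, USER_NOT_FOUND = "AUTH_GRANTED", "AUTH_DENIED", "AUTH_USER_NOT_FOUND"
# crypt(3) of the word "password", salt "xx": the fixed password mod_ssl's
# +FakeBasicAuth sends, so every FakeBasic AuthUserFile entry carries it.
FAKE_BASIC_HASH = "xxj31ZMTZzkVA"

# Constructed sample AuthUserFile: a certificate DN as FakeBasicAuth presents
# it, plus a plain username an administrator also listed in the file.
HTPASSWD = """\
/C=DE/O=Example/OU=Staff/CN=testuser:xxj31ZMTZzkVA
testuser:xxj31ZMTZzkVA
"""
LDAP_USERS = {"testuser": "s3cret-ldap", "alice": "hunter2"}  # constructed uid -> password

def parse_htpasswd(text):
    entries = {}
    for line in text.splitlines():
        if line and not line.startswith("#") and ":" in line:
            user, _, pw_hash = line.partition(":")
            entries[user] = pw_hash
    return entries

def file_provider(user, password):
    """Stand-in for mod_authn_file; only FakeBasicAuth entries are modelled,
    so the sole plaintext that verifies is the word "password"."""
    entries = parse_htpasswd(HTPASSWD)
    if user not in entries:
        return USER_NOT_FOUND
    ok = entries[user] == FAKE_BASIC_HASH and password == "password"
    return GRANTED if ok else DENIED

def ldap_provider(user, password):
    """Stand-in for mod_authnz_ldap bind: unknown uid -> USER_NOT_FOUND."""
    if user not in LDAP_USERS:
        return USER_NOT_FOUND
    return GRANTED if LDAP_USERS[user] == password else DENIED

def authenticate(providers, user, password):
    """Walk the AuthBasicProvider list as mod_auth_basic does: the next
    provider is consulted only after AUTH_USER_NOT_FOUND.
    Returns (result, names of providers consulted)."""
    consulted, result = [], USER_NOT_FOUND
    for name, provider in providers:
        consulted.append(name)
        result = provider(user, password)
        if result != USER_NOT_FOUND:
            break  # GRANTED or DENIED ends the walk; later providers never run
    return result, consulted
CHAIN = [("file", file_provider), ("ldap", ldap_provider)]
```

Calling `authenticate(CHAIN, "testuser", "s3cret-ldap")` returns `AUTH_DENIED` with only `file` consulted: the correct LDAP password never reaches the LDAP provider because the file provider already knows the user.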