On Tue, May 06, 2008 at 05:02:55PM +0200, Frédérique Da Luene wrote:
> Hello,
>
> We are trying to set up mod_ssl to get some "proper"
> access to two classes of users.
>
> First, everybody must use client certs (signed by our
> CA). Client cert control is okay and works properly
> (SSLVerifyClient require, SSLVerifyDepth 1 and such).
>
> Now, we have two classes of client certs, based on the
> OU. Say, OU="Class 1" and OU="Class 2". We want to
> allow:
> - all users with "Class 1" certificates, and
> - users with "Class 2" certs ONLY when they are
>   browsing from some IP addresses.
>
> Those IP addresses are not known in advance, and may
> be dynamic. Let's say we have an external list
> (updated by some means, irrelevant to our problem). How
> can we check this list and correlate it with the OU
> from the client cert? We thought that something like
>
>   SSLRequire %{SSL_CLIENT_S_DN_OU} eq "Class 1"
>       or ( %{SSL_CLIENT_S_DN_OU} eq "Class 2"
>            and %{REMOTE_ADDR} in { file("/tmp/list") } )
>
> (where /tmp/list is a list of allowed IP addresses)
> would be the way to go, but this utterly fails.
From looking at the code, I don't think that would work as you expect.
If /tmp/list contained "addr1 addr2 addr3", it would be equivalent to

    and %{REMOTE_ADDR} in { "addr1 addr2 addr3" }

i.e. a direct match against the entire file contents, not

    and %{REMOTE_ADDR} in { "addr1", "addr2", "addr3" }

which is what you'd need.

It might be possible to express this requirement using some combination
of Require/Satisfy, or failing that, mod_rewrite; I'd recommend asking on
the httpd users' list instead:

    http://httpd.apache.org/lists.html#http-users

If nothing works out you could file a bug; it might be possible to
enhance mod_ssl to make this work somehow.

joe
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
User Support Mailing List                          modssl-users@modssl.org
Automated List Manager                                [EMAIL PROTECTED]
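Joe points to mod_rewrite as one way out. The configuration below is an added illustration of that route, not something posted in the thread. It assumes Apache 2.x mod_rewrite, whose `%{SSL:...}` lookup reads mod_ssl variables directly (so `SSLOptions +StdEnvVars` is not needed), and a map file at the constructed path /etc/apache2/class2-ips.txt. Because a `txt:` RewriteMap needs a key and a value on each line, the externally maintained list must look like `192.0.2.10 allow` rather than the bare addresses in /tmp/list; the value is never used, only whether the key exists.

```apache
# Virtual host (or server) context: RewriteMap is not permitted in .htaccess.
SSLEngine on
SSLVerifyClient require
SSLVerifyDepth 1

RewriteEngine On

# Constructed path. One "address value" pair per line, e.g.
#   192.0.2.10 allow
# mod_rewrite re-reads a txt map whenever the file's mtime changes, so an
# externally updated list takes effect without a restart.
RewriteMap class2ips txt:/etc/apache2/class2-ips.txt

# Class 2 certificate presented from an address that is not a key in the map:
# deny with 403. The quoted "=..." form is a lexical comparison, not a regex.
RewriteCond %{SSL:SSL_CLIENT_S_DN_OU} "=Class 2"
RewriteCond ${class2ips:%{REMOTE_ADDR}|NOT_FOUND} =NOT_FOUND
RewriteRule .* - [F]

# Any OU other than "Class 1" or "Class 2" (including a missing OU): deny.
# Class 1 certificates match neither rule set and are served normally.
RewriteCond %{SSL:SSL_CLIENT_S_DN_OU} "!=Class 1"
RewriteCond %{SSL:SSL_CLIENT_S_DN_OU} "!=Class 2"
RewriteRule .* - [F]
```

The comparison on the OU is an exact string match, just as with `SSLRequire ... eq`, so the certificate's OU attribute must be spelled identically to the literal in the config. Failures show up as 403 responses in the access log, and `LogLevel rewrite:trace3` (Apache 2.4) or `RewriteLog`/`RewriteLogLevel` (2.2) records which condition rejected a request, which is the first thing to check when a Class 2 user is refused from an address that should be on the list.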