SSLusername

2008-06-30 Thread mdn teo
Hi,

I'm working with mod_authnz_ldap and mod_ssl, authenticating with certificates,
and I've got some questions.
This is my situation (some directives are omitted):


SSLVerifyClient require
SSLOptions +ExportCertData +StdEnvVars +StrictRequire +FakeBasicAuth

<Location /private>
SSLRequireSSL
AuthType basic
AuthName "private area"
AuthzLDAPAuthoritative off
AuthBasicProvider ldap
AuthLDAPBindDN uid=myuser,dc=example,dc=com
AuthLDAPBindPassword mypassword
AuthLDAPUrl ldap://myldaphost:389/ou=users,dc=example,dc=com?subjectDN?sub?(objectclass=*)
Require ldap-attribute employeeType=active
</Location>


This configuration is working: the user is found in LDAP by searching for his
subjectDN, as set by the option +FakeBasicAuth, but I want to perform the
LDAP search not with the subjectDN but with other fields of the certificate.

If I use these options:

SSLVerifyClient require
SSLUserName SSL_CLIENT_S_DN_CN
SSLOptions +ExportCertData +StdEnvVars +StrictRequire -FakeBasicAuth

<Location /private>
SSLRequireSSL
AuthType basic
AuthName "private area"
AuthzLDAPAuthoritative off
AuthBasicProvider ldap
AuthLDAPBindDN uid=myuser,dc=example,dc=com
AuthLDAPBindPassword mypassword
AuthLDAPUrl ldap://myldaphost:389/ou=users,dc=example,dc=com?cn?sub?(objectclass=*)
Require ldap-attribute employeeType=active
</Location>


mod_ssl does its work, as in my log files I see the CN logged as %u,
but as soon as I call /private, %u becomes an empty variable and I
can't use it in the next authentication module.
Is there something I'm missing?

My second question is: is it possible to use environment variables in the
AuthLDAPUrl, Require ldap-filter or Require ldap-attribute directives?
Something like this:

AuthLDAPUrl ldap://myldaphost:389/ou=users,dc=example,dc=com?subjectDN?sub?(mail=%{SSL_CLIENT_S_DN_Email})
or
Require ldap-filter (&(mail=%{SSL_CLIENT_S_DN_Email})(CN=%{SSL_CLIENT_S_DN_CN}))
or
Require ldap-attribute mail=%{SSL_CLIENT_S_DN_Email}


My last question is: as described in
http://httpd.apache.org/docs/2.2/mod/mod_ssl.html#ssloptions, regarding
FakeBasicAuth, the password for the user must be set to "password". Is this
strictly necessary, or is there a way to set a different password, or to
verify issuerDN and subjectDN against a fake password?
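
As an added example (not part of the original thread), this builds the LDAP filter the post wants to derive from the mod_ssl certificate variables, applying RFC 4515 escaping to every substituted value so that a CN or e-mail address containing filter metacharacters cannot change the filter's structure. The legacy '/C=..' subject-DN string format and the target attributes mail and cn are assumptions.

```python
"""Build an escaped LDAP search filter from mod_ssl client-certificate variables.

Assumptions (not from the original post): the subject DN is in the legacy
'/C=../CN=..' string form that Apache 2.2 exports as SSL_CLIENT_S_DN, and the
directory attributes to match are 'mail' and 'cn'.
"""

# RFC 4515 section 3: these characters must be escaped inside a filter value.
_LDAP_FILTER_ESCAPES = {
    '\\': r'\5c', '*': r'\2a', '(': r'\28', ')': r'\29', '\x00': r'\00',
}


def escape_filter_value(value: str) -> str:
    """Escape one assertion value so it cannot alter the filter structure."""
    return ''.join(_LDAP_FILTER_ESCAPES.get(ch, ch) for ch in value)


def parse_legacy_subject_dn(dn: str) -> dict:
    """Split '/C=US/O=Example/CN=Jane Doe/emailAddress=jane@example.com' into
    the per-RDN values mod_ssl exports as SSL_CLIENT_S_DN_<key>.
    A literal '/' inside a value is not handled; the legacy format is ambiguous there."""
    parts = {}
    for rdn in dn.lstrip('/').split('/'):
        key, _, val = rdn.partition('=')
        # mod_ssl names the e-mail RDN 'Email', not 'emailAddress'.
        parts['Email' if key == 'emailAddress' else key] = val
    return parts


def env_from_subject(dn: str) -> dict:
    """Turn a subject DN into the SSL_CLIENT_S_DN_* variables mod_ssl would set."""
    return {f'SSL_CLIENT_S_DN_{k}': v for k, v in parse_legacy_subject_dn(dn).items()}


def build_filter(env: dict) -> str:
    """Escaped equivalent of the poster's
    'Require ldap-filter (&(mail=%{SSL_CLIENT_S_DN_Email})(CN=%{SSL_CLIENT_S_DN_CN}))'."""
    mail = escape_filter_value(env['SSL_CLIENT_S_DN_Email'])
    cn = escape_filter_value(env['SSL_CLIENT_S_DN_CN'])
    return f'(&(mail={mail})(cn={cn}))'


# Constructed sample subject DNs (not from the post); the second one carries
# filter metacharacters in the CN that must be escaped, not substituted raw.
SUBJECT_OK = '/C=US/O=Example/CN=Jane Doe/emailAddress=jane@example.com'
SUBJECT_META = '/C=US/O=Example/CN=Jane (Ops)*/emailAddress=x@example.com'

if __name__ == '__main__':
    for dn in (SUBJECT_OK, SUBJECT_META):
        print(build_filter(env_from_subject(dn)))
```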


Jean-Pierre Guilloteau is out of the office.

2008-06-30 Thread jpguilloteau

I will be out of the office starting Fri 27/06/08 and will not return until
Mon 21/07/08.

I will reply to your message as soon as I return.
Regards.

__
Apache Interface to OpenSSL (mod_ssl)   www.modssl.org
User Support Mailing List  modssl-users@modssl.org
Automated List Manager   [EMAIL PROTECTED]