https://issues.apache.org/bugzilla/show_bug.cgi?id=48780

--- Comment #3 from Peter Thomas <[email protected]> 2010-02-22 14:59:03 UTC ---
(In reply to comment #2)
> IIUC current patch needs to deal with the case where a cert wasn't provided
> (SSLVerifyClient optional) or where r->user didn't come from the cert.

If SSLVerifyClient is optional or none we could have a case where the user did
not provide a certificate, but instead entered a DN via a regular basic
authentication dialog or other basic authn provider.  This might be useful for
testing or debugging, but should raise a warning at a minimum.  I've created a
similar patch to Joomla in PHP, but am new to the Apache API--I'm certainly
open to augmented patches that add such checks and warnings.

We also should have a warning if SSLVerifyClient is generous and the client
cert provided was not signed by a common root CA.

Perhaps we should also have a warning if this directive is specified but
mod_ssl is not even loaded, or if it is loaded without the +FakeBasicAuth
option.

> IMO cert-based authn or authz belongs outside of LDAP.  LDAP could have a
> second provider that just checks to make sure current r->user can be found in
> LDAP w/o looking at password (which is the additional check we're getting with
> this patch over just clientcert == authenticated)

The goal here is to leverage the great work in the authz side of mod_auth_ldap
for cases where the business rule is that users may authenticate with their
client certificate, without an LDAP password.  As the module stands, one cannot
pull back the group and attribute information to match the LDAP Require*
directives without passing a user password.  Since mod_ldap's API already
supports a "user bind-free" compare, branching on an
optional--non-default--LDAPAuth directive seemed like the simplest approach to
augment mod_auth_ldap to use that feature.  I'd like to see this
implemented--perhaps after the additional "sanity checks" are added, or
implement it with subsequent enhancement requests pending in BZ to add the
checks as time permits.
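As an added illustration (not part of the bug report or of the patch under discussion), the httpd.conf fragment below shows the deployment this comment is about: mod_ssl's +FakeBasicAuth copies the client certificate's subject DN into r->user, and mod_authnz_ldap's Require directives then do the group or attribute authorization. The first block is the case the comment says should warn on (SSLVerifyClient optional, so a client that presents no certificate falls through to an ordinary Basic-auth prompt and r->user may be a DN someone typed); the second makes the certificate mandatory and names the one CA file it must chain to, so r->user is always certificate-derived. The proposed LDAPAuth directive is not shown because its syntax is not given here; hostnames, file paths and the LDAP DNs are placeholders, and only one of the two Location blocks would be used in a real file.

```apache
# Weak: certificate optional. Without a certificate mod_ssl does not set
# r->user, the LDAP provider prompts for Basic credentials, and the
# "username" can be any string, including a DN that looks certificate-derived.
# (SSLVerifyClient optional_no_ca would be weaker still: no chain check at all.)
<Location /app>
    SSLRequireSSL
    SSLVerifyClient optional
    SSLVerifyDepth 2
    SSLOptions +FakeBasicAuth
    AuthType Basic
    AuthName "Client certificate"
    AuthBasicProvider ldap
    AuthLDAPURL "ldap://ldap.example.invalid/ou=people,dc=example,dc=invalid?uid"
    Require ldap-group cn=app-users,ou=groups,dc=example,dc=invalid
</Location>

# Hardened: certificate required and pinned to a single issuing CA file
# (placeholder path), so every r->user that reaches the LDAP authz step
# came from a certificate that chained to that CA.
<Location /app>
    SSLRequireSSL
    SSLVerifyClient require
    SSLVerifyDepth 2
    SSLCACertificateFile /etc/ssl/certs/corp-client-ca.pem
    SSLOptions +FakeBasicAuth
    AuthType Basic
    AuthName "Client certificate"
    AuthBasicProvider ldap
    AuthLDAPURL "ldap://ldap.example.invalid/ou=people,dc=example,dc=invalid?uid"
    Require ldap-group cn=app-users,ou=groups,dc=example,dc=invalid
</Location>
```

Two caveats. The attribute named at the end of AuthLDAPURL (here uid) is what the directory entry must hold, and with +FakeBasicAuth that value is the certificate subject DN in mod_ssl's one-line form, so the entries have to be provisioned that way. And with a stock mod_authnz_ldap the user bind still happens, using the fixed password "password" that +FakeBasicAuth supplies; that failing bind is exactly why the comment wants the bind-free compare, so the fragment only illustrates the SSLVerifyClient and CA-pinning conditions the comment asks to warn on, not the patch itself.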
