https://issues.apache.org/bugzilla/show_bug.cgi?id=48780
--- Comment #11 from Esmond Pitt <[email protected]> ---

It should be noted that much of this can be implemented with the existing implementation. See the config extract below. Provided the LDAP user object concerned (a) has a password of 'password' as per +FakeBasicAuth and (b) has an attribute which matches the SubjectDN of the client certificate, the client will be authenticated correctly.

However, the user's SubjectDN-valued attribute needs to be in the strange format returned by OpenLDAP so that it will match, so it actually can't be a proper LDAP DN-valued attribute (such as 'seeAlso'). And it also can't in general be the DN of the object itself, as the SubjectDN of the certificate is beyond the server's control and is most unlikely to agree with the LDAP tree's root.

So to weigh in on the above discussion:

1. A way is needed to avoid the bind step for directories that support that. I personally don't have this requirement and I'm not aware of what it actually amounts to: I'm perfectly happy with a password of 'password', and via the password policy I can prevent the user in LDAP from being able to break it.

2. A way is needed to acquire the SubjectDN of the certificate in proper X.500 DN format, and a configuration directive to enable it, or perhaps another env variable.

3. A way is needed to search the user subtree on an arbitrary attribute using that DN as the target value. We already have this part, in AuthLDAPURL; we just don't have a way of getting (2) or feeding the result into it.

4. The authenticated user is then subject to whatever require valid-user/ldap-user/ldap-group constraints may be defined, as per my example below.
<Location /cRegister/WestNet >
    Order Deny,Allow
    Deny from none
    Allow from all
    Satisfy All

    # Fake LDAP Basic authentication,
    # after http://httpd.apache.org/docs/2.2/ssl/ssl_howto.html#certauthenticate
    SSLOptions +OptRenegotiate +StdEnvVars +StrictRequire +FakeBasicAuth
    SSLVerifyClient require

    # AuthType and AuthName are not in the original extract but are required
    # before the Require directives below take effect (AuthName is arbitrary).
    AuthType Basic
    AuthName "WestNet"
    AuthBasicProvider ldap
    AuthLDAPBindDN "uid=apache-httpd,ou=Applications,ou=System,dc=example,dc=com"
    AuthLDAPBindPassword "xyz"

    # Look up the SubjectDN of the certificate in OpenSSL format in the 'o' attribute.
    # The OpenSSL format for this is e.g. /C=US/ST=CA/L=SF/O=WestNet Inc./OU=Unknown/CN=WestNet Inc.,
    # which sadly isn't a valid LDAP DN, even though they are both ultimately X.509 DNs.
    # So we have to match on a non-DN-valued attribute, in this case 'o'.
    # So a target entry that satisfies all this must:
    # 1. Be an inetOrgPerson
    # 2. Be under ou=Users,dc=example,dc=com.
    # 3. Have a password of 'password', see the documentation for FakeBasicAuth.
    # 4. Have an 'o' attribute that matches the SubjectDN of the certificate in OpenSSL format as above.
    # 5. That subject must be a member of the WestNet role.
    AuthLDAPURL ldap://localhost/ou=Users,dc=verismartlabs,dc=com?o?sub?(objectClass=inetOrgPerson)

    # Require that such a user exists
    Require valid-user

    # Require that such a user is a member of the WestNet role.
    AuthLDAPGroupAttribute roleOccupant
    Require ldap-group cn=WestNet,cn=Roles,dc=verismartlabs,dc=com
</Location>
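Items 2 and 3 of the comment above ask for the certificate SubjectDN in proper LDAP DN form and a way to use it as a search target. The following is an added example, not code from the bug report or from httpd, mod_ssl or mod_authnz_ldap: it takes the OpenSSL "oneline" SubjectDN that the 2.2-era SSL_CLIENT_S_DN variable carries (the format quoted in the config extract), converts it to an RFC 4514 string DN, and escapes it per RFC 4515 so it can be the assertion value of a filter on a DN-valued attribute such as 'seeAlso' rather than the free-text 'o' attribute. The attribute name, the filter shape and all sample DNs are assumptions constructed for illustration.

```python
"""Added example (not httpd/mod_ssl/mod_authnz_ldap code): OpenSSL oneline
SubjectDN -> RFC 4514 DN -> RFC 4515-escaped LDAP filter value.
Attribute name 'seeAlso' and the sample DNs are constructed assumptions."""
import re

# "name=" immediately after a '/' marks the start of a new RDN.
_RDN_START = re.compile(r'[A-Za-z][A-Za-z0-9.]*=')
# X509_NAME_oneline emits characters < 0x20 or > 0x7e as \xHH.
_HEX_ESCAPE = re.compile(r'\\x([0-9A-Fa-f]{2})')


def parse_openssl_oneline(dn):
    """Split '/C=US/O=Acme Inc./CN=x' into [('C','US'), ('O','Acme Inc.'), ('CN','x')].

    The oneline format does not escape '/' inside a value, so it is ambiguous.
    A '/' is treated as a separator only when 'name=' follows it; a value such
    as 'OU=a/b=c' still cannot be recovered, which is the comment's point that
    this string is not a real DN.
    """
    if not dn.startswith('/'):
        raise ValueError('expected an OpenSSL oneline DN starting with "/"')
    rdns = []
    i = 1
    while i < len(dn):
        m = _RDN_START.match(dn, i)
        if not m:
            raise ValueError('malformed RDN at offset %d' % i)
        name = dn[i:m.end() - 1]
        start = m.end()
        # The value runs up to the next '/' that begins another 'name=' pair.
        end = start
        while True:
            end = dn.find('/', end)
            if end == -1:
                end = len(dn)
                break
            if _RDN_START.match(dn, end + 1):
                break
            end += 1
        value = _HEX_ESCAPE.sub(lambda h: chr(int(h.group(1), 16)), dn[start:end])
        rdns.append((name, value))
        i = end + 1
    return rdns


def escape_rfc4514(value):
    """Escape one attribute value for use inside an RFC 4514 string DN."""
    out = []
    for ch in value:
        if ch in '\\,+"<>;':
            out.append('\\' + ch)
        elif ord(ch) < 0x20 or ch == '\x7f':
            out.append('\\%02x' % ord(ch))
        else:
            out.append(ch)
    s = ''.join(out)
    # A leading '#' or space and a trailing space must also be escaped;
    # a value that is a single space needs only the one escape.
    if value.startswith('#') or value.startswith(' '):
        s = '\\' + s
    if len(value) > 1 and value.endswith(' '):
        s = s[:-1] + '\\ '
    return s


def to_rfc4514_dn(oneline_dn):
    """OpenSSL oneline (root first) -> RFC 4514 string DN (leaf first)."""
    rdns = parse_openssl_oneline(oneline_dn)
    return ','.join('%s=%s' % (name, escape_rfc4514(value))
                    for name, value in reversed(rdns))


def escape_rfc4515(value):
    """Escape a filter assertion value (RFC 4515) so it cannot alter the filter."""
    return ''.join('\\%02x' % ord(ch) if ch in '*()\\\x00' else ch for ch in value)


def build_filter(oneline_dn, attr='seeAlso'):
    """Filter matching the inetOrgPerson whose `attr` holds the certificate DN.

    This is what the AuthLDAPURL search would have to become to key on a
    DN-valued attribute; `attr` is an assumption, not an httpd directive.
    """
    ldap_dn = to_rfc4514_dn(oneline_dn)
    return '(&(objectClass=inetOrgPerson)(%s=%s))' % (attr, escape_rfc4515(ldap_dn))


if __name__ == '__main__':
    # Constructed sample, matching the SubjectDN quoted in the config extract.
    sample = '/C=US/ST=CA/L=SF/O=WestNet Inc./OU=Unknown/CN=WestNet Inc.'
    print(to_rfc4514_dn(sample))
    print(build_filter(sample))
```

The RFC 4515 step matters even once the DN is in proper form: the subject of a client certificate is chosen by whoever the CA issued it to, so characters such as `*`, `(` and `)` in it must be escaped before the value is spliced into a search filter, or the certificate holder can widen the search. Note that the oneline format is only what httpd 2.2 exposes; 2.4 emits SSL_CLIENT_S_DN in RFC 2253 form unless `SSLOptions +LegacyDNStringFormat` is set, in which case the conversion step is no longer needed.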
