mrubinsk Wed, 28 Aug 2013 04:27:15 +0000
Modified page: http://wiki.horde.org/HordeSSLAuthHowTo
New Revision: 5
Change log: Add info about the X509 auth driver.
@@ -13,24 +13,26 @@
Authenticating using X509 user certificates has more in common with
using the [http://wiki.horde.org/ShibbolethAuthHowTo Shibboleth
Authentication Driver]. For example, unlike //real// Basic
Authentication, one's password is never passed across the network, and
is not available in an environment variable. Unless you plan on using
X509 authentication for your mail service (//most unlikely//), you
should pay close attention to faking a SSO (//Single Sign On//)
arrangement. Specifically, you should examine the instructions and
samples there for
* selecting an HTTP header to convey the username (//hint: you might
parse SSL_CLIENT_S_DN_Email//)
* adding credentials (//e.g., mailhost, username, password//) to a
prefs backend so you can use hordeauth
-Perhaps, by the time you read this, someone will have written an X509
Auth driver for Horde. Regardless, you will still want to read about...
+@@--- Perhaps, by the time you read this, someone will have written
an X509 Auth driver for Horde. +++ A X509 authentication driver is
available in Horde_Auth since version 2.0.7 and support for it in the
Horde stack is in Horde 5.2.@@
+++ Web server setup
-Most of the work will come in setting up authentication for your web
server; these instructions are for **Apache** - hopefully, someone
will add similar instructions for other web servers.
+Most of the work will come in setting up authentication for your web server;
-Apache uses the !FakeBasicAuth directive to establish authentication
using user certificates, and **these instructions assume you are using
Apache with mod_ssl support**
+++++ Apache
-If you are indeed using Apache as your webserver, you would setup
authentication within either the virtual host or directory directive
stanza for your Horde services.
+Apache uses the !FakeBasicAuth directive to establish authentication
using user certificates, and **these instructions assume you are using
Apache with mod_ssl support**
+
+You setup authentication within either the virtual host or directory
directive stanza for your Horde services.
You should read the
[http://httpd.apache.org/docs/2.0/ssl/ssl_howto.html SSL/TLS Strong
Encryption How-To] in the Apache man pages for the version of Apache
you are using (//that link is for version 2.0, though it should be
very similar for versions 1.3 and 2.2//).
[http://httpd.apache.org/docs/2.0/ssl/ssl_howto.html#accesscontrol
This link] addresses Client Authentication and Access Control, but you
should read the note at the top of the page and take it to heart. The
**mod_ssl** pages on
[http://www.modssl.org/docs/2.8/ssl_howto.html#ToC6 Client
Authentication and Access Control] are also valuable.
----
-+++ Two possible scenarios for X509 authentication follow:
+Two possible scenarios for X509 authentication follow:
-++++ A fairly strict authentication setup for one or two administrators
++++++ A fairly strict authentication setup for one or two administrators
<code>
<Directory [absolute path to directory for service, in quotes]>
SSLOptions +StdEnvVars +ExportCertData +FakeBasicAuth
+OptRenegotiate +CompatEnvVars
SSLVerifyClient require
@@ -40,9 +42,9 @@
and %{SSL_CLIENT_S_DN_O} eq "the O of the Subject DN in
client's certificate in quotes"
and %{SSL_CLIENT_S_DN_CN} in {"the CN of one or more",
"comma delimited Subject DNs in quotes"}
</Directory>
</code>
-++++ An authentication setup for many users with certs from a given CA
++++++ An authentication setup for many users with certs from a given CA
<code>
<Directory [path to directory where the application lives, in quotes]>
SSLOptions +StdEnvVars +ExportCertData +OptRenegotiate
+FakeBasicAuth
SSLVerifyClient require
@@ -53,11 +55,43 @@
and %{SSL_CLIENT_S_DN_OU} eq ""the OU of Subject DN in
client's certificate in quotes"
</Directory>
</code>
----
-+++ Notes
++++++ Notes
*You **will** want to read the mod_ssl docs, particularly those for
deciphering the certificate-specific
[http://www.modssl.org/docs/2.8/ssl_compat.html#ToC2 environment
variables] (as in the examples above); you will want to choose the
ones relevant to your use.
*You //**will**// want to adjust some of the values above (like
**!SSLVerifyDepth**) for your own needs. Do **NOT** just plug in
these values.
-++ Link
+++++ Lighttpd
+
+Lighttpd, as usual, does not have configuration options as robust as
Apache, but the basic setup can still be achieved. Again, **You must
have SSL properly setup and working**.
+
+<code>
+# These are "normal" SSL directives, not specific to client certs.
+ssl.engine = "enable"
+ssl.pemfile = "/opt/local/etc/lighttpd/server.pem"
+ssl.ca-file = "/opt/local/etc/lighttpd/ca-certs.crt"
+server.name = "www.example.com"
+server.document-root = "/var/www/html"
+
+# These are for enabling client certs
+ssl.verifyclient.activate = "enable"
+ssl.verifyclient.enforce = "enable"
+ssl.verifyclient.exportcert = "enable"
+ssl.verifyclient.username = "SSL_CLIENT_S_DN_UID"
+# Make sure you use the appropriate value for **you** for depth.
+ssl.verifyclient.depth = 2
+</code>
+
+
++++ Horde configuration
+
+You would configure this driver in the Authentication tab of the
Horde application setup page. There are two decisions to make
regarding configuration:
+
+# What field in the X509 certificate contains the value to be used as
the horde login (normally SSL_CLIENT_S_DN_CN)
+# What to do about passwords for hordeauth in applications like IMP.
+
+The first question is easy. What certificate field contains the
username. Normally the default is fine. You **should** be aware,
however of the type of value contained in that field. E.g., if it is a
bare username or a full email address. Depending on your server setup,
you may need to use a authusername hook to normalize the username (see
horde/conf/hooks.php).
+
+The second question takes a bit more effort. If using Horde for
email, you will need to provide authentication for each user to the
IMAP server. There are ways, of course, to get around this if your
system is secured and only Horde/IMP is used to access the IMAP server
(you can use a single password for all users, configure the IMAP
server to accept any password etc...). More likely you will need to
provide some mapping of usernames/passwords. This can all be done in a
postauthenticate hook. In it, you can provide any means that makes
sense for your server to provide the appropriate credentials. You can
even perform extra validation by checking the certificate hash against
a stored hash. There is an example provided in the hooks file to get
you started. The hooks should return the credentials that horde is to
use to authenticate anywhere hordeauth is used.
+The X509 driver in Horde also provides the ability to perform custom
validation. Any of the fields available in the certificate or any of
the SSL environment variables passed by the webserver can be used to
perform a final check before authentication is granted. For example,
since lighttpd does not provide the same level of enforcement in it's
configuration as Apache, you could perform these types of checks here.
This is done in the x509_validate hook. See horde/conf/hooks.php for
details.
--
commits mailing list
Frequently Asked Questions: http://wiki.horde.org/FAQ
To unsubscribe, mail: [email protected]
