I have recently started to look at how Authentication and Authorization is done in Apache, and have looked over Justin Erenkrantz's slides for "Authentication in Apache HTTP Server 2.1" and have been in touch with some of the mod_auth_kerb developers. My apologies if this is already being addressed, but it does not appear so.

There appears to be a missing component in the AAA design, i.e. how to map the authentication user identity into the identity to be used for authorization. Multiple authentication identities may map to the same authorization identity.

The case we are trying to address is that we would like to accept SSL client certificates, SPNEGO with Kerberos, or Kerberos user/passwords for authentication. We would then like to use an LDAP database to determine if the authenticated user is acceptable, based on being in the LDAP and a member of selected groups. With the client certificate the authentication identity is derived from the subject name and issuer name. With Kerberos the authentication identity is [EMAIL PROTECTED]. The same user might have both a certificate and a Kerberos principal. In fact we are moving towards the use of KX509/KCA from the University of Michigan and away from users ever sending passwords. The KCA issues short-term certificates to a user if they can authenticate with Kerberos to the KCA.

We want to use Windows AD as the LDAP authorization database. To do this we need to use the certificate subject name to map to a DN in LDAP, and/or use the Kerberos principal name (userPrincipalName in AD) to map to a DN in LDAP. We can then use mod_auth_ldap to check if the DN is a member of a group in AD. (Needless to say, the use of a local database on the web server such as is used by SSL FakeBasicAuth is not acceptable.)

One way to get the mapping is to use util_ldap_cache_checkuserid but not have it check a password. This function is really doing two functions: authentication and mapping. They should be separated. We currently have a mod in util_ldap.c to do this, with a change to util_ldap.h as well.

As I am new to Apache, but not to authentication, I am hoping to see if any of these ideas are being addressed in upcoming versions. Thanks.

--
Douglas E. Engert <[EMAIL PROTECTED]>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
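The mapping step the message asks for, as an added example that is not part of the original post nor of Apache's util_ldap: the authenticated name (an X.509 issuer/subject pair or a Kerberos principal) is resolved to an LDAP DN without any password check, and only then is group membership tested against that DN. The directory is a constructed in-memory stand-in for AD; the altSecurityIdentities "X509:<I>issuer<S>subject" form is the AD convention for certificate mapping, and the entries, group and identity dicts are invented for the example. Values are RFC 4515 escaped before they go into a search filter, so a hostile principal name cannot widen the lookup.

```python
from typing import Optional, Tuple

# Constructed stand-in for the AD search base: DN -> attributes.
DIRECTORY = {
    "CN=Jane Doe,OU=Users,DC=example,DC=org": {
        "userPrincipalName": ["jdoe@EXAMPLE.ORG"],
        "altSecurityIdentities": ["X509:<I>O=Example,CN=Example CA<S>O=Example,CN=Jane Doe"],
        "memberOf": ["CN=web-admins,OU=Groups,DC=example,DC=org"],
    },
    "CN=Bob Roe,OU=Users,DC=example,DC=org": {
        "userPrincipalName": ["broe@EXAMPLE.ORG"],
        "altSecurityIdentities": [],
        "memberOf": [],
    },
}
GROUP = "CN=web-admins,OU=Groups,DC=example,DC=org"  # invented group DN

def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping so an authenticated name cannot alter the filter."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value)

def lookup_attribute(identity: dict) -> Tuple[str, str]:
    """Pick the AD attribute and raw value that names this authenticated user."""
    if identity["type"] == "x509":
        return ("altSecurityIdentities",
                "X509:<I>%s<S>%s" % (identity["issuer"], identity["subject"]))
    if identity["type"] == "krb5":
        return ("userPrincipalName", identity["principal"])
    raise ValueError("unknown identity type")

def ldap_filter(identity: dict) -> str:
    """The search filter a real directory lookup would send (value escaped)."""
    attr, value = lookup_attribute(identity)
    return "(%s=%s)" % (attr, escape_filter_value(value))

def map_to_dn(identity: dict, directory=DIRECTORY) -> Optional[str]:
    """Authentication identity -> authorization DN; no password is involved."""
    attr, value = lookup_attribute(identity)
    matches = [dn for dn, attrs in directory.items() if value in attrs.get(attr, [])]
    return matches[0] if len(matches) == 1 else None  # ambiguity is a failure, not a match

def is_member(dn: str, group_dn: str, directory=DIRECTORY) -> bool:
    """Group check done on the mapped DN, as mod_auth_ldap would."""
    return group_dn in directory.get(dn, {}).get("memberOf", [])

def authorize(identity: dict, group_dn: str = GROUP) -> bool:
    """Two separate steps: map, then authorize the mapped DN."""
    dn = map_to_dn(identity)
    return dn is not None and is_member(dn, group_dn)
```

A certificate and a Kerberos principal belonging to the same person resolve to the same DN, so the group policy is written once against that DN.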
