As promised in my note last week, I've created an updated patch attached to my suggested feature in https://issues.apache.org/bugzilla/show_bug.cgi?id=48780 .
This patch works in my integration environment, tested with all Require ldap-* directives.

Notes:

1) When using certificates we can often expect that the DN of the user matches the subject DN of the certificate. For that reason I made a slight overloading of AuthLDAPRemoteUserIsDN. This new behavior is only active in the proposed patch if AuthType is Certificate and AuthLDAPRemoteUserIsDN is on. In those circumstances, LDAP authn will do an LDAP_SCOPE_BASE search for the user at the DN specified in the certificate. I updated the corresponding authz methods to make sure that we are always searching for the user's DN in a consistent way. When the special circumstances do not apply, you continue using the first attribute in the LDAP URL's attribute list compared with the username to find the user [the legacy behavior].

2) I updated ssl_engine_vars.c in mod_ssl. The current SSL_CLIENT_S_DN uses X509_NAME_oneline(xsname, NULL, 0) which is a) deprecated and b) not in an LDAP-friendly (RFC2253-compliant) form. I updated the code to use X509_NAME_print_ex(bio, xsname, 0, XN_FLAG_RFC2253). Since the vast majority of the use of SSL_CLIENT_S_DN is cosmetic [logging, etc.] I don't foresee this causing a substantial problem. That said, if someone wants to take a stab at making this configurable before we move forward, I'm amenable.

3) The only added directives in all this are: AuthCertificateProvider and AuthCertificateAuthoritative. They behave exactly as their counterparts from mod_auth_basic... So far only mod_authnz_ldap is supported [by this patch], as in:

    AuthType Certificate
    AuthName "SSL Certificate-Based Authentication"
    AuthCertificateProvider ldap
    [...followed by AuthLDAP settings, &c.]

I have not sought out commit privileges on the project. I'm not sure this is the sort of feature we should be adding directly to 2.2.x, even if I was able to.
What I would like is for other people with interest in the problem space to try this patch out in their own environments and get back to me and the community with suggestions and observations. --Pete
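An added example, not part of Pete's patch or of mod_ssl: a small Python converter that turns the legacy X509_NAME_oneline() form of SSL_CLIENT_S_DN ("/C=US/O=Example/CN=Pete") into the RFC 2253 form the patch switches to ("CN=Pete,O=Example,C=US"), so a DN emitted by an older mod_ssl can still be compared against an LDAP user DN. It assumes the oneline form separates components with "/" and that no value contains "/" directly followed by "type=", since the legacy format leaves that case ambiguous.

```python
import re

# Characters RFC 2253 section 2.4 requires to be backslash-escaped in a value.
_SPECIAL = set(',+"\\<>;')


def escape_rfc2253(value: str) -> str:
    """Escape one attribute value per RFC 2253 (specials, leading '#',
    leading and trailing spaces)."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _SPECIAL:
            out.append('\\' + ch)
        elif ch == ' ' and (i == 0 or i == last):
            out.append('\\ ')
        elif ch == '#' and i == 0:
            out.append('\\#')
        else:
            out.append(ch)
    return ''.join(out)


def oneline_to_rfc2253(oneline: str) -> str:
    """Convert an X509_NAME_oneline() string to RFC 2253 form.

    The legacy form lists RDNs in certificate (X.509) order, separated by
    '/', and does not escape '/' inside values.  We therefore split only at
    a '/' that is followed by 'type=' (assumption: no value contains such a
    sequence).  Multi-valued RDNs cannot be recovered from the legacy form,
    so every component is emitted as its own RDN.
    """
    if not oneline.startswith('/'):
        raise ValueError('expected a oneline DN beginning with "/"')
    parts = re.split(r'/(?=[A-Za-z0-9.]+=)', oneline[1:])
    rdns = []
    for part in parts:
        attr_type, _, attr_value = part.partition('=')
        rdns.append(f'{attr_type}={escape_rfc2253(attr_value)}')
    # RFC 2253 strings are written most-specific RDN first, i.e. reversed.
    return ','.join(reversed(rdns))


def dn_equal(oneline_dn: str, ldap_dn: str) -> bool:
    """Compare a legacy SSL_CLIENT_S_DN with an LDAP DN string.
    Assumption: both sides use the same attribute-type spelling (e.g. 'CN')
    and the comparison is case-sensitive, as a plain string match would be."""
    return oneline_to_rfc2253(oneline_dn) == ldap_dn
```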
