Hi,
I wrote a patch to add LDAP support into modssl. Perhaps it's not the best
method to do this but it works. CA certificates and CRLs can be put into an LDAP
tree. For now, it doesn't cache the certificate subject when the Apache server
starts. So you need to add an attribute to the profile 'certificationAuthority':
objectclass certificationAuthority
        requires
                objectClass,
                cACertificate
        allows
                authorityRevocationList,
                certificateRevocationList,
                crossCertificatePair,
                x509_subject_hash
The value of x509_subject_hash is the result of
openssl x509 -noout -hash < ca.crt
All attribute names can be changed in httpd.conf:

LdapHost               hostname of the ldap host                  [required]
LdapPort               the port number                            [optional]
LdapBindDn             dn of the user who has access to the       [optional]
                       certificates
LdapBindPw             the password; httpd.conf must then be      [optional]
                       non-world-readable
LdapBaseDn             root base for the search                   [required]
LdapTimeout            max time for a search                      [optional]
LdapCACertificateHash  ldap attribute name, which is              [optional]
                       x509_subject_hash in the example
LdapCACertificate      ldap attribute name, which is              [optional]
                       cACertificate in the example
LdapCARevocation       ldap attribute name, which is              [optional]
                       certificateRevocationList in the example
Another example, of an entry in the LDAP tree:

dn: uid=ca, dc=elite1
uid: ca
objectclass: certificationAuthority
objectclass: uidobject
x509_subject_hash: b7669510
cacertificate:: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUMvakNDQW1lZ0F3SUJBZ...
certificaterevocationlist:: LS0tLS1CRUdJTiBYNTA5IENSTC0tLS0tCk1JSUJoakNCOERBT...

Data is base64 encoded to help import into LDAP. But the certificate is PEM
encoded, like this:

-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----

and

-----BEGIN X509 CRL-----
...
-----END X509 CRL-----
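As an added example (not part of Luc's mail or patch), a POSIX shell helper that builds an entry like the one above from a PEM CA certificate and an optional PEM CRL, filling x509_subject_hash with the same openssl command the mail gives, and that reads the base64 cACertificate value back as the PEM the server would receive. It assumes openssl(1) is installed and that the dn starts with "uid=".

```sh
#!/bin/sh
# Added example, not from the mail or the patch: produce an LDIF entry for the
# certificationAuthority objectclass described above and read it back.
# Assumes openssl(1) is available and that the dn begins with "uid=".
# Usage: ca_ldif_entry 'uid=ca, dc=elite1' ca.crt ca.crl > ca.ldif

# Emit "attr:: <base64 of file>", folded so no line exceeds 76 columns and each
# continuation line starts with one space, as LDIF (RFC 2849) requires.
ldif_b64_attr() {
    attr=$1; file=$2
    b64=$(openssl base64 < "$file" | tr -d '\n')   # one unbroken base64 string
    printf '%s:: %s\n' "$attr" "$b64" | fold -w 75 | sed '2,$s/^/ /'
}

# Print a complete entry, terminated by the blank line that ends an LDIF record.
ca_ldif_entry() {
    dn=$1; crt=$2; crl=$3
    # Same command as in the mail, so the stored hash matches what the server computes.
    hash=$(openssl x509 -noout -hash < "$crt") || return 1
    uid=${dn#uid=}; uid=${uid%%,*}                 # "uid=ca, dc=elite1" -> "ca"
    printf 'dn: %s\n' "$dn"
    printf 'uid: %s\n' "$uid"
    printf 'objectclass: certificationAuthority\n'
    printf 'objectclass: uidobject\n'
    printf 'x509_subject_hash: %s\n' "$hash"
    ldif_b64_attr cacertificate "$crt"
    if [ -n "$crl" ]; then
        ldif_b64_attr certificaterevocationlist "$crl"
    fi
    echo
}

# Undo LDIF folding: a line starting with a space continues the previous line.
ldif_unfold() {
    awk 'NR > 1 && !/^ / { print buf; buf = "" }
         /^ / { sub(/^ /, ""); buf = buf $0; next }
         { buf = $0 }
         END { print buf }'
}

# Recover the PEM value of a base64 (::) attribute from an LDIF file; this is
# what mod_ssl gets when it fetches cACertificate from the directory.
ldif_decode_attr() {
    ldif=$1; attr=$2
    ldif_unfold < "$ldif" | sed -n "s/^$attr:: //p" | fold -w 64 | openssl base64 -d
}
```

Entries written this way can be loaded with the usual ldif import tools, and the decoded value must start with "-----BEGIN CERTIFICATE-----" exactly as the mail shows.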
I hope this little explanation can help someone, but English isn't my primary
language.
Note: the patch works for the latest stable version of modssl 2.4.10-1.3.9.
I also have a version for the 2.4.10-1.3.9.
Luc
--
,-----------------------------------------------------------------------------.
> Saillard Luc | Ingénieur Informatique Libre <
> [EMAIL PROTECTED] | Alcove, l'informatique est libre <
> (www.alcove.fr) | <
`-----------------------------------------------------------------------------'
mod_ssl-ldap.diff.gz