Revision: 3234
Author: olavmrk
Date: Mon Apr 8 01:59:04 2013
Log: authX509: Make ldapusercert validation optional.
This patch makes it possible to skip validating the certificate
against an attribute in the LDAP directory, and instead trust that
Apache has checked it.
In addtition it contains some bugfixes and documentation fixes.
Thanks to Thijs Kinkhorst for this patch!
http://code.google.com/p/simplesamlphp/source/detail?r=3234
Modified:
/trunk/modules/authX509/docs/authX509.txt
/trunk/modules/authX509/lib/Auth/Source/X509userCert.php
=======================================
--- /trunk/modules/authX509/docs/authX509.txt Fri Mar 16 07:59:26 2012
+++ /trunk/modules/authX509/docs/authX509.txt Mon Apr 8 01:59:04 2013
@@ -1,7 +1,7 @@
Using the X509 authentication source with simpleSAMLphp
=======================================================
-The authX509 module provide X509 authentication with certificate
+The authX509 module provides X509 authentication with certificate
validation. For now there is only one authentication source:
* authX509userCert Validate against LDAP userCertificate attribute
@@ -27,22 +27,22 @@
both certificate and plain login authentication at the same time (more on
this later).
-If your server or your client (or both!) have TLS renegociation disabled
+If your server or your client (or both!) have TLS renegotiation disabled
as a workaround for CVE-2009-3555, then the configuration directive above
must not appear in a <Directory>, <Location>, or in a name-based
-<VirtualHost>. You can only use them server-wide, or in <VirtualHost>
-with different IP address/port combinaisons.
+<VirtualHost>. You can only use them server-wide, or in <VirtualHost>s
+with different IP address/port combinations.
Setting up the authX509 module
------------------------------
-The first thing you need to do is to enable the cas module:
+The first thing you need to do is to enable the module:
touch modules/authX509/enable
Then you must add it as an authentication source. Here is an
-example authsource.php
+example authsources.php entry:
'x509' => array(
'authX509:X509userCert',
@@ -52,8 +52,8 @@
'search.enable' => TRUE,
'search.attributes' => array('uid', 'mail'),
'search.base' => 'dc=example,dc=net',
- 'x509attributes' => array('UID' => 'uid'),
- 'ldapusercert' => array('userCertificate;binary'),
+ 'authX509:x509attributes' => array('UID' => 'uid'),
+ 'authX509:ldapusercert' => array('userCertificate;binary'),
),
The configuration is the same as for the LDAP module, except for
@@ -62,16 +62,18 @@
* x509attributes is used to map a certificate subject attribute to
an LDAP attribute. It is used to find the certificate
owner in LDAP from the certificate subject. If multiple
- mappings are provided, any mappping will match (this
- is a logical OR). Default is array('UID' => 'uid')
+ mappings are provided, any mapping will match (this
+ is a logical OR). Default is array('UID' => 'uid').
* ldapusercert the LDAP attribute in which the user certificate will
- be found. Default is userCertificate;binary
+ be found. Default is userCertificate;binary. This can
+ be set to NULL to avoid looking up the certificate in
+ LDAP.
Uploading certificate in LDAP
-----------------------------
-Certificate are usually stored in LDAP as DER, in binary. Here is
+Certificates are usually stored in LDAP as DER, in binary. Here is
how to convert from PEM to DER:
openssl x509 -in cert.pem -inform PEM -outform DER -out cert.der
@@ -84,8 +86,8 @@
userCertificate;binary:< file:///path/to/cert.der
-Supporting both certificate and login authentications
-=====================================================
+Supporting both certificate and login authentication
+====================================================
In your Apache configuration, set SSLVerifyClient to optional. Then you
can hack your metadata/saml20-idp-hosted.php file that way:
=======================================
--- /trunk/modules/authX509/lib/Auth/Source/X509userCert.php Thu Jul 29
03:41:21 2010
+++ /trunk/modules/authX509/lib/Auth/Source/X509userCert.php Mon Apr 8
01:59:04 2013
@@ -46,7 +46,7 @@
$this->x509attributes =
$config['authX509:x509attributes'];
- if (isset($config['authX509:ldapusercert']))
+ if (array_key_exists('authX509:ldapusercert', $config))
$this->ldapusercert =
$config['authX509:ldapusercert'];
@@ -142,18 +142,20 @@
return;
}
- $dn = FALSE;
+ $dn = NULL;
foreach ($this->x509attributes as $x509_attr => $ldap_attr) {
/* value is scalar */
- $value = $client_cert_data['subject'][$x509_attr];
- SimpleSAML_Logger::info('authX509: cert '.
- $x509_attr.' = '.$value);
- $dn = $ldapcf->searchfordn($ldap_attr, $value, TRUE);
- if ($dn !== FALSE)
- break;
+ if (array_key_exists($x509_attr,
$client_cert_data['subject'])) {
+ $value =
$client_cert_data['subject'][$x509_attr];
+ SimpleSAML_Logger::info('authX509: cert '.
+ $x509_attr.' =
'.$value);
+ $dn = $ldapcf->searchfordn($ldap_attr, $value,
TRUE);
+ if ($dn !== NULL)
+ break;
+ }
}
- if ($dn === FALSE) {
+ if ($dn === NULL) {
SimpleSAML_Logger::error('authX509: cert has '.
'no matching user in LDAP');
$state['authX509.error'] = "UNKNOWNCERT";
@@ -162,6 +164,16 @@
assert('FALSE'); /* NOTREACHED */
return;
}
+
+ if ($this->ldapusercert === NULL) { // do not check for
certificate match
+ $attributes = $ldapcf->getAttributes($dn);
+ assert('is_array($attributes)');
+ $state['Attributes'] = $attributes;
+ $this->authSuccesful($state);
+
+ assert('FALSE'); /* NOTREACHED */
+ return;
+ }
$ldap_certs = $ldapcf->getAttributes($dn, $this->ldapusercert);
if ($ldap_certs === FALSE) {
--
You received this message because you are subscribed to the Google Groups
"simpleSAMLphp commits" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to simplesamlphp-commits+unsubscr...@googlegroups.com.
To post to this group, send email to simplesamlphp-commits@googlegroups.com.
Visit this group at http://groups.google.com/group/simplesamlphp-commits?hl=en.
For more options, visit https://groups.google.com/groups/opt_out.
