#1
Client authorization against LDAP using client certificates
Müller Johannes wrote:
we want to use client authorization against LDAP using client certificates on Apache webserver 2.2. Unfortunately this is not possible with Apache webserver at the current state of development. There have been third party modules (ModXAuthLDAP, mod_authz_ldap) in the past which did this task quite well. But they haven't been updated for years and therefore do not work with httpd newer than 2.0. Therefore my company has put some effort in developing a reasonable solution for its needs. I think the thing that is missing is that the FakeBasicAuth option within mod_ssl should flag the request to say that a password isn't necessary. mod_authnz_ldap (and others) should then be taught to recognise this flag within the request, and not test the password if this is the case.
Regards, Graham
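For reference, the stock mod_ssl FakeBasicAuth setup that the post above proposes changing, shown as an added example that is not part of the original thread. The file paths, realm name and certificate subject are constructed placeholders.

```apache
# Added illustration for httpd 2.2; paths, realm and DN are constructed placeholders.

# Ask for a client certificate but do not insist on one, so that clients
# without a certificate still reach the ordinary Basic authentication prompt.
SSLVerifyClient optional
SSLVerifyDepth  1
SSLCACertificateFile conf/ssl.crt/example-ca.crt

<Location /protected>
    # When a verified client certificate is present, mod_ssl synthesises a
    # Basic Authorization header: the user name is the certificate subject DN
    # in one-line form and the password is the fixed string "password".
    SSLOptions +FakeBasicAuth

    AuthType Basic
    AuthName "Example realm"

    # The file provider accepts the synthesised header only because the
    # password file stores the crypt() hash of that fixed string for each DN.
    AuthBasicProvider file
    AuthUserFile conf/httpd.passwd

    Require valid-user
</Location>

# conf/httpd.passwd (constructed entries):
#   certificate user, hash of the fixed string "password":
#     /C=DE/O=Example GmbH/CN=Jane Doe:xxj31ZMTZzkVA
#   password user, for clients that present no certificate:
#     jdoe:<hash produced by htpasswd>
```

A provider that checks the password against a real credential store rejects the synthesised header, because the fixed string is not the user's password; that is the gap the proposed "password isn't necessary" flag is meant to close.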
#2
AW: Client authorization against LDAP using client certificates
Müller Johannes wrote:
So far so good, but how to handle fallback to basic authentication if the client has no certificate (SSLVerifyClient optional)? If we created a new module mod_auth_cert and there is no username from mod_ssl we would like to call mod_auth_basic. If I understood you right, I would hook mod_auth_cert before mod_auth_basic and let it react on AuthType Basic. If mod_auth_cert then returns DECLINED, mod_auth_basic runs and does basic authentication. That would work, but I personally don't like it. If I configure "AuthType Basic" I want to do basic auth, not cert auth. If I created a new module I would prefer configuring "AuthType Cert" and doing something like "AuthCertFallback " Hmmm this looks a little bit too cert specific. It would be cool if we could support auth fallback in an arbitrary fashion. For example, if a user has a cert, use that as their identity, otherwise use their session identity from mod_auth_form, or failing that use basic authentication. If all of them fail, then pick one of them to handle the "access denied" part (for example request a basic authentication username and password, or let mod_auth_form display a login form, whatever). You might do something like this: AuthType certificate, form, basic
Regards, Graham
#3
AW: AW: Client authorization against LDAP using client certificates
On Fri, 2008-07-04 at 15:43 +0200, Müller Johannes wrote:
To support more than one authentication method at a time we would have to do fallback like "AuthType Cert, Basic". for that matter "AuthType Digest, Basic".
Regards Henrik
#4
AW: AW: Client authorization against LDAP using client certificates
Müller Johannes wrote:
Maybe let's concentrate on non-third-party modules. Basically there is mod_auth_basic and mod_auth_digest on the top level followed by their providers on the second level. mod_auth_form is part of httpd trunk, and is not a third party module.
Regards, Graham