FAQ
Hello,

I've read about this topic in the mailing list but I didn't find the solution.
I want to validate LDAP users against Apache using the certificates that the
users store in LDAP.

I mean, I create and store the X509 certificates in LDAP. Afterwards I send
to my clients the certificate and they install those certificates in their
browsers.
Now I want to validate the users using the certificate instead of the user-name
and the password.

I've been reading about third party modules (ModXAuthLDAP, mod_authz_ldap) but
they are very old and don't work in Apache 2.2.

I'd be interested in comments and some kind of solution to do this
authentication process.

Kind regards

Martín Sánchez


  • Eric Covener at Aug 5, 2011 at 11:27 am

    On Fri, Aug 5, 2011 at 4:56 AM, Martin Sanchez wrote:
    > Hello,
    > I've read about this topic in the mailing list but I didn't find the solution.
    > I want to validate LDAP users against Apache using the certificates that the
    > users store in LDAP.
    > I mean, I create and store the X509 certificates in LDAP. Afterwards I send
    > to my clients the certificate and they install those certificates in their
    > browsers.
    > Now I want to validate the users using the certificate instead of the user-name
    > and the password.
    > I've been reading about third party modules (ModXAuthLDAP, mod_authz_ldap) but
    > they are very old and don't work in Apache 2.2.
    > I'd be interested in comments and some kind of solution to do this
    > authentication process.
    > Kind regards
    > Martín Sánchez

    I know they're both a bit limited, but have you tried the certificate
    auth related directives in mod_ssl?

    --
    Eric Covener
    covener@gmail.com

    ---------------------------------------------------------------------
    The official User-To-User support forum of the Apache HTTP Server Project.
    See <URL:http://httpd.apache.org/userslist.html> for more info.
    To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
    " from the digest: users-digest-unsubscribe@httpd.apache.org
    For additional commands, e-mail: users-help@httpd.apache.org
  • Darren Spruell at Aug 5, 2011 at 11:32 am

    On Fri, Aug 5, 2011 at 1:56 AM, Martin Sanchez wrote:
    > Hello,
    > I've read about this topic in the mailing list but I didn't find the solution.
    > I want to validate LDAP users against Apache using the certificates that the
    > users store in LDAP.
    > I mean, I create and store the X509 certificates in LDAP. Afterwards I send
    > to my clients the certificate and they install those certificates in their
    > browsers.
    > Now I want to validate the users using the certificate instead of the user-name
    > and the password.

    One point on certificate auth - you don't need to have access to
    client certificates to validate identities (meaning, you don't need to
    consult LDAP or another store containing user certificate data) - you
    just need to configure your server to trust the Certificate Authority
    (CA) that issued those certificates. This is the fundamental basis of
    PKI and X.509 certificate authentication. It's the same way that your
    browser trusts an SSL web server (trusted CA store).

    The SSL howto has some resources on this ("Client Authentication and
    Access Control"):

    http://httpd.apache.org/docs/2.2/ssl/ssl_howto.html

    mod_ssl has served me well for this in the past:

    http://httpd.apache.org/docs/2.2/mod/mod_ssl.html

    --
    Darren Spruell
    phatbuckett@gmail.com

  • Martin Sanchez at Aug 8, 2011 at 9:47 am
    Hi,

    Thank you for the reply.

    Eric, I know that I can use mod_ssl to store certificates in one Apache,
    but I want to have the certificates in LDAP because I have two or three Apaches
    or maybe more in the future and I don't want to replicate these files in all
    Apaches.

    Darren, the problem is that I generate the certificates myself and I can
    revoke these certificates, therefore I need to take each certificate from the
    client to see if it is valid or not. I don't need to trust CA authorities.

    Now I am trying to recompile some modules and configure Apache as shown in this
    bug:

    https://issues.apache.org/bugzilla/show_bug.cgi?id=48780

    But there aren't examples of how to configure Apache; I'll tell you how to
    do this if I am successful.

    Kind Regards

    Martin



    2011/8/5 Darren Spruell <phatbuckett@gmail.com>
    > On Fri, Aug 5, 2011 at 1:56 AM, Martin Sanchez wrote:
    >> Hello,
    >> I've read about this topic in the mailing list but I didn't find the solution.
    >> I want to validate LDAP users against Apache using the certificates that the
    >> users store in LDAP.
    >> I mean, I create and store the X509 certificates in LDAP. Afterwards I send
    >> to my clients the certificate and they install those certificates in their
    >> browsers.
    >> Now I want to validate the users using the certificate instead of the user-name
    >> and the password.
    > One point on certificate auth - you don't need to have access to
    > client certificates to validate identities (meaning, you don't need to
    > consult LDAP or another store containing user certificate data) - you
    > just need to configure your server to trust the Certificate Authority
    > (CA) that issued those certificates. This is the fundamental basis of
    > PKI and X.509 certificate authentication. It's the same way that your
    > browser trusts an SSL web server (trusted CA store).
    >
    > The SSL howto has some resources on this ("Client Authentication and
    > Access Control"):
    >
    > http://httpd.apache.org/docs/2.2/ssl/ssl_howto.html
    >
    > mod_ssl has served me well for this in the past:
    >
    > http://httpd.apache.org/docs/2.2/mod/mod_ssl.html
    >
    > --
    > Darren Spruell
    > phatbuckett@gmail.com
  • Eric Covener at Aug 8, 2011 at 10:53 am

    On Mon, Aug 8, 2011 at 5:45 AM, Martin Sanchez wrote:
    > Hi,
    > Thank you for the reply.
    > Eric, I know that I can use mod_ssl to store certificates in one Apache,
    > but I want to have the certificates in LDAP because I have two or three Apaches
    > or maybe more in the future and I don't want to replicate these files in all
    > Apaches.

    Store what certificates? The issuers you trust to sign client certificates?

  • Martin Sanchez at Aug 8, 2011 at 11:44 am
    Well, if I work directly with mod_ssl I need to store the certificates in a
    PEM-encoded file with the SSLCACertificateFile and SSLCARevocationFile
    directives, right? Maybe I didn't understand well.

    If I use files inside Apache I need to replicate those files in all Apaches
    and that is what I don't want to do.

    2011/8/8 Eric Covener <covener@gmail.com>
    > On Mon, Aug 8, 2011 at 5:45 AM, Martin Sanchez wrote:
    >> Hi,
    >> Thank you for the reply.
    >> Eric, I know that I can use mod_ssl to store certificates in one Apache,
    >> but I want to have the certificates in LDAP because I have two or three Apaches
    >> or maybe more in the future and I don't want to replicate these files in all
    >> Apaches.
    > Store what certificates? The issuers you trust to sign client certificates?

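The mod_ssl approach the replies point at, as an added example that is not from any of the posters or from the httpd project: an Apache httpd 2.2 configuration that admits a user only if the browser presents a certificate issued by the poster's own CA and not listed in that CA's CRL. This covers the revocation concern raised above without the server ever fetching individual user certificates from LDAP; only the CA certificate and the CRL have to exist on each Apache. The file paths and the organisation name in the SSLRequire line are assumptions.

```apache
# Added example (not from the thread). Paths and the "Example Org" value are
# assumptions; replace them with your own CA, CRL and subject DN fields.
<VirtualHost *:443>
    SSLEngine on
    SSLCertificateFile    /etc/apache2/ssl/server.crt
    SSLCertificateKeyFile /etc/apache2/ssl/server.key

    # The CA you operate yourself. Every client certificate must chain to
    # it; the individual user certificates are never stored on the server.
    SSLCACertificateFile  /etc/apache2/ssl/my-ca.crt

    # PEM-encoded CRL issued by the same CA. Revoking a user means
    # re-issuing this file from the CA, not consulting LDAP per request.
    SSLCARevocationFile   /etc/apache2/ssl/my-ca.crl

    <Location /secure>
        # Refuse the connection unless a valid, non-revoked client
        # certificate is presented; depth 1 = signed directly by the CA.
        SSLVerifyClient require
        SSLVerifyDepth  1

        # Additional check on the certificate contents: only certificates
        # whose subject O field matches are accepted (assumed value).
        SSLRequire %{SSL_CLIENT_S_DN_O} eq "Example Org"

        # Export SSL_CLIENT_S_DN_CN and friends so the application can see
        # who the certificate identifies without a password prompt.
        SSLOptions +StdEnvVars
    </Location>
</VirtualHost>
```

mod_ssl in 2.2 reads SSLCACertificateFile and SSLCARevocationFile at startup, so after the CA issues a new CRL each Apache needs a graceful restart to pick it up. If the application expects REMOTE_USER to be set, `SSLOptions +FakeBasicAuth` together with an AuthUserFile keyed by the certificate's subject DN does that with a fixed password entry, as described in the mod_ssl documentation linked above.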

Discussion Overview
group: users
category: apache
posted: Aug 5, '11 at 8:57a
active: Aug 8, '11 at 11:44a
posts: 6
users: 3
website: httpd.apache.org
irc: #httpd