Apache, SSL Client certificate, LDAP authorizations
Hi there, is it possible to mix mod_ssl and mod_auth_ldap so that the authentication is done with the client certificate and authorizations with mod_auth_ldap (Require group)? If so, can you give me some pointers? Thanks in advance
Solution 1:
OK, for those interested, Apache requires the presence of an AuthType directive and the validation of the username by some module.
So I have written a very short module that accepts AuthType Any and accepts any username.
The configuration looks like this:
<Location /slaptest>
    Allow from all
    SSLVerifyClient require
    SSLVerifyDepth 1
    SSLUserName SSL_CLIENT_S_DN_CN
    AuthType Any
    AuthAnyAuthoritative on
    AuthLDAPURL "ldaps://vldap-rectech/ou=XXX,ou=YYY,o=ZZZ?cn"
    AuthzLDAPAuthoritative on
    AuthLDAPBindDN "cn=UUU,ou=Users,ou=XXX,ou=YYY,o=ZZZ"
    AuthLDAPBindPassword "******"
    AuthLDAPGroupAttributeIsDN on
    AuthLDAPGroupAttribute member
    AuthLDAPRemoteUserIsDN off
    Require valid-user
    Require ldap-group cn=ADMIN,ou=Groups,ou=XXX,ou=YYY,o=ZZZ
</Location>
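The following is an added example, not the poster's module and not Apache code: a simplified Python model of the group check this configuration is aiming for, where the certificate CN becomes the username, is resolved to a single DN under the AuthLDAPURL base, and that DN is compared against the group's member attribute. The directory contents and the function names are constructed for illustration, and treating a CN that matches zero or several entries as a denial is an assumption of this model.

```python
# Simplified model (assumption) of the decision the posted <Location> block
# asks Apache to make. DIRECTORY is constructed sample data, not a real tree.
BASE_DN = "ou=XXX,ou=YYY,o=ZZZ"                      # base from AuthLDAPURL
GROUP_DN = "cn=ADMIN,ou=Groups,ou=XXX,ou=YYY,o=ZZZ"  # from Require ldap-group
USER_ATTR = "cn"                                     # "?cn" in AuthLDAPURL
GROUP_ATTR = "member"                                # AuthLDAPGroupAttribute

DIRECTORY = {
    "cn=alice,ou=Users,ou=XXX,ou=YYY,o=ZZZ": {"cn": ["alice"]},
    "cn=bob,ou=Users,ou=XXX,ou=YYY,o=ZZZ": {"cn": ["bob"]},
    "cn=bob,ou=Partners,ou=XXX,ou=YYY,o=ZZZ": {"cn": ["bob"]},
    GROUP_DN: {"cn": ["ADMIN"], "member": [
        "cn=alice,ou=Users,ou=XXX,ou=YYY,o=ZZZ",
        "cn=bob,ou=Users,ou=XXX,ou=YYY,o=ZZZ",
    ]},
}

def norm_dn(dn):
    """Case- and whitespace-insensitive DN form, enough for this sample."""
    return ",".join(part.strip().lower() for part in dn.split(","))

def find_user_dn(cert_cn):
    """Subtree search under BASE_DN for (cn=<cert_cn>); None unless unique."""
    wanted = cert_cn.strip().lower()
    hits = [dn for dn, attrs in DIRECTORY.items()
            if norm_dn(dn).endswith("," + norm_dn(BASE_DN))
            and wanted in (v.lower() for v in attrs.get(USER_ATTR, []))]
    return hits[0] if len(hits) == 1 else None

def authorize(cert_cn):
    """Return (allowed, reason) for the CN taken from a verified client cert."""
    if not cert_cn or not cert_cn.strip():
        return False, "certificate subject has no CN, so there is no username"
    user_dn = find_user_dn(cert_cn)
    if user_dn is None:
        return False, "CN does not map to exactly one directory entry"
    members = {norm_dn(m) for m in DIRECTORY[GROUP_DN].get(GROUP_ATTR, [])}
    if norm_dn(user_dn) in members:   # AuthLDAPGroupAttributeIsDN on
        return True, "user DN is listed in the group's member attribute"
    return False, "user DN is not a member of the required group"

if __name__ == "__main__":
    for cn in ("alice", "bob", "carol", "ADMIN", ""):
        print(repr(cn), authorize(cn))
```

The "bob" case shows why the issuing CA and the directory have to agree on unique CN values: the certificate alone cannot say which of the two entries is meant.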