For Apache, I'm trying to authenticate users with client certificates, and authorize them using LDAP groups. So far I have this:
# Apache 2.4.6
LoadModule ssl_module modules/mod_ssl.so
LoadModule authnz_ldap_module modules/mod_authnz_ldap.so
Listen 9999
<VirtualHost *:9999>
    ServerName example
    SSLEngine on
    SSLCertificateFile /etc/ssl/certs/server.crt
    SSLCertificateKeyFile /etc/ssl/certs/server.key
    SSLCACertificateFile /etc/ssl/certs/ca.crt
    SSLVerifyClient require
    SSLVerifyDepth 1
    SSLOptions +FakeBasicAuth
    <Location /test/>
        # SSLUserName SSL_CLIENT_S_DN_CN
        # AuthBasicFake "%{SSL_CLIENT_S_DN_CN}"
        AuthType basic
        AuthName "Cert"
        AuthBasicProvider ldap
        AuthLDAPURL "ldap://localhost/dc=example?uid"
        AuthLDAPBindDN "cn=admin,dc=example"
        AuthLDAPBindPassword "test123"
        AuthLDAPGroupAttribute uniqueMember
        Require ldap-group cn=admin,ou=groups,dc=example
    </Location>
</VirtualHost>
It works for the most part; however, the username ends up as /C=XX/L=Default City/O=Default Company Ltd/CN=testuser (i.e. the full DN from the X.509 subject field), while I want it to be just testuser (i.e. just the CN, SSL_CLIENT_S_DN_CN).
I tried using the AuthBasicFake directive, which seems to be just what I need; however, the username field is always empty. Any suggestions?
I got this to work with the following configuration. Only users with a key pair signed by the cert in SSLCACertificateFile will be able to authenticate. In my LDAP, all users belong to the cn=user,ou=groups,dc=example group and can access the entire site by default. However, some users also belong to cn=admin,ou=groups,dc=example, which will give them access to /admin-panel.
LoadModule ssl_module modules/mod_ssl.so
LoadModule authnz_ldap_module modules/mod_authnz_ldap.so
Listen 9999
<VirtualHost *:9999>
    ServerName www.example.com
    SSLEngine on
    SSLCertificateFile /etc/ssl/certs/server.crt
    SSLCertificateKeyFile /etc/ssl/certs/server.key
    SSLCACertificateFile /etc/ssl/certs/ca.crt
    SSLVerifyClient require
    SSLVerifyDepth 1
    SSLUserName SSL_CLIENT_S_DN_CN
    <Location />
        AuthType basic
        AuthName "Cert"
        AuthBasicProvider ldap
        AuthLDAPURL "ldap://localhost/dc=example?uid"
        AuthLDAPBindDN "cn=admin,dc=example"
        AuthLDAPBindPassword "test123"
        AuthLDAPGroupAttribute uniqueMember
        Require ldap-group cn=user,ou=groups,dc=example
    </Location>
    <Location "/admin-panel">
        Require ldap-group cn=admin,ou=groups,dc=example
    </Location>
</VirtualHost>
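An added illustration, not part of the question or the answer above: it shows why +FakeBasicAuth hands the auth provider the whole one-line subject while SSLUserName SSL_CLIENT_S_DN_CN yields only the CN, and how the answer's two Location blocks decide access (the inner Require replaces the outer one for /admin-panel). The subject string and the group table are constructed stand-ins; the LDAP lookup is simulated with a dict.

```python
import re

# Constructed sample: the one-line subject OpenSSL produces for the client cert.
# This whole string is what +FakeBasicAuth passes on as the username.
ONELINE_SUBJECT = "/C=XX/L=Default City/O=Default Company Ltd/CN=testuser"

# Constructed stand-in for the directory: uid -> group membership (uniqueMember).
LDAP_GROUPS = {
    "cn=user,ou=groups,dc=example": {"testuser", "alice"},
    "cn=admin,ou=groups,dc=example": {"alice"},
}

# Only map a CN to an LDAP uid when it is a plain identifier; anything else is
# rejected rather than passed into a directory query.
UID_RE = re.compile(r"^[A-Za-z0-9._-]{1,64}$")


def parse_oneline_dn(dn: str) -> dict:
    """Split "/C=XX/L=Default City/.../CN=name" into {attr: value}.
    Only a "/" that is followed by "attr=" starts a new attribute, so a "/"
    inside a value (e.g. "O=Foo/Bar Ltd") stays part of that value."""
    parts = re.split(r"/(?=[A-Za-z][A-Za-z0-9.]*=)", dn.lstrip("/"))
    attrs = {}
    for part in parts:
        key, _, value = part.partition("=")
        attrs[key] = value
    return attrs


def username_from_subject(dn: str):
    """What SSLUserName SSL_CLIENT_S_DN_CN effectively provides: the CN alone.
    Returns None if the CN is absent or not usable as a uid."""
    cn = parse_oneline_dn(dn).get("CN")
    return cn if cn and UID_RE.match(cn) else None


def required_group(path: str) -> str:
    """Mirror the answer's config. <Location "/admin-panel"> covers that path
    and everything below it, and its Require replaces the <Location /> one
    (Apache's default AuthMerging Off)."""
    if path == "/admin-panel" or path.startswith("/admin-panel/"):
        return "cn=admin,ou=groups,dc=example"
    return "cn=user,ou=groups,dc=example"


def authorize(username: str, path: str) -> bool:
    """Simulated 'Require ldap-group': is the uid a member of the needed group?"""
    return username in LDAP_GROUPS[required_group(path)]
```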