
Apache client certificate authentication with LDAP authorization

For Apache, I'm trying to authenticate users with client certificates, and authorize them using LDAP groups. So far I have this:

# Apache 2.4.6

LoadModule ssl_module modules/mod_ssl.so
LoadModule authnz_ldap_module modules/mod_authnz_ldap.so

Listen 9999
<VirtualHost *:9999>
    ServerName example
    SSLEngine on
    SSLCertificateFile /etc/ssl/certs/server.crt
    SSLCertificateKeyFile /etc/ssl/certs/server.key
    SSLCACertificateFile /etc/ssl/certs/ca.crt
    SSLVerifyClient require
    SSLVerifyDepth 1
    SSLOptions +FakeBasicAuth

    <Location /test/>
        # SSLUserName SSL_CLIENT_S_DN_CN
        # AuthBasicFake "%{SSL_CLIENT_S_DN_CN}"
        AuthType basic
        AuthName "Cert"
        AuthBasicProvider ldap

        AuthLDAPURL "ldap://localhost/dc=example?uid"
        AuthLDAPBindDN "cn=admin,dc=example"
        AuthLDAPBindPassword "test123"
        AuthLDAPGroupAttribute uniqueMember

        Require ldap-group cn=admin,ou=groups,dc=example
    </Location>
</VirtualHost>

It works for the most part, however the username ends up as /C=XX/L=Default City/O=Default Company Ltd/CN=testuser (i.e. the full DN from the X.509 subject field), while I want it to be just testuser (i.e. just the CN, SSL_CLIENT_S_DN_CN).

I tried using the AuthBasicFake directive, which seems to be just what I need, however the username field is always empty. Any suggestions?

I got this to work with the following configuration. Only users with a key pair signed by the cert in SSLCACertificateFile will be able to authenticate. In my LDAP, all users belong to the cn=user,ou=groups,dc=example group, and can access the entire site by default. However, some users also belong to cn=admin,ou=groups,dc=example, which will give them access to /admin-panel.

LoadModule ssl_module modules/mod_ssl.so
LoadModule authnz_ldap_module modules/mod_authnz_ldap.so

Listen 9999
<VirtualHost *:9999>
    ServerName www.example.com
    SSLEngine on
    SSLCertificateFile /etc/ssl/certs/server.crt
    SSLCertificateKeyFile /etc/ssl/certs/server.key
    SSLCACertificateFile /etc/ssl/certs/ca.crt
    SSLVerifyClient require
    SSLVerifyDepth 1
    SSLUserName SSL_CLIENT_S_DN_CN

    <Location />
        AuthType basic
        AuthName "Cert"
        AuthBasicProvider ldap

        AuthLDAPURL "ldap://localhost/dc=example?uid"
        AuthLDAPBindDN "cn=admin,dc=example"
        AuthLDAPBindPassword "test123"
        AuthLDAPGroupAttribute uniqueMember

        Require ldap-group cn=user,ou=groups,dc=example
    </Location>

    <Location "/admin-panel">
        Require ldap-group cn=admin,ou=groups,dc=example
    </Location>
</VirtualHost>
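Added example, not code from the question, the answer or Apache itself: a small Python model of the authorization chain the answer's configuration builds (client subject DN, CN taken as REMOTE_USER, uid lookup, uniqueMember check), so the difference between the question's full-DN username and the answer's CN username shows up in a single decision. The directory contents, the ou=people container and the policy table are constructed assumptions.

```python
# Added example (not from the question, the answer, or Apache itself): a small
# model of the authorization chain the accepted configuration sets up.
# Assumed/constructed: the USERS and GROUPS data and the POLICY table.

# mod_ssl exposes the client subject as SSL_CLIENT_S_DN, either in the legacy
# "/C=XX/L=.../CN=testuser" form (as in the question) or as "CN=testuser,O=...".
# SSLUserName SSL_CLIENT_S_DN_CN hands only the CN to the authz layer.
def subject_cn(ssl_client_s_dn):
    """Return the CN the answer's config would use as REMOTE_USER, or None."""
    sep = "/" if ssl_client_s_dn.startswith("/") else ","
    for rdn in ssl_client_s_dn.split(sep):  # no RFC 4514 escaping handled here
        if rdn.startswith("CN="):
            return rdn[3:] or None  # an empty CN would be an empty username
    return None

# Constructed directory contents shaped like the page's LDAP (not real data).
USERS = {  # uid -> entry DN, as "ldap://localhost/dc=example?uid" resolves it
    "testuser": "uid=testuser,ou=people,dc=example",
    "alice": "uid=alice,ou=people,dc=example",
}
GROUPS = {  # group DN -> uniqueMember values
    "cn=user,ou=groups,dc=example": {
        "uid=testuser,ou=people,dc=example", "uid=alice,ou=people,dc=example"},
    "cn=admin,ou=groups,dc=example": {"uid=alice,ou=people,dc=example"},
}
# The answer's <Location> blocks: the more specific one overrides the outer one
# (AuthMerging is Off by default, so the inner Require replaces the outer).
POLICY = [
    ("/admin-panel", "cn=admin,ou=groups,dc=example"),
    ("/", "cn=user,ou=groups,dc=example"),
]

def ldap_group_allows(username, group_dn):
    """Require ldap-group: resolve the username to its entry DN via the uid
    attribute, then check that DN appears as a uniqueMember of the group."""
    user_dn = USERS.get(username)
    return user_dn is not None and user_dn in GROUPS.get(group_dn, set())

def authorize(ssl_client_s_dn, path):
    """Decision for one request: cert subject -> CN -> uid lookup -> group."""
    username = subject_cn(ssl_client_s_dn)
    if username is None:
        return False  # this model denies when no CN is present
    for prefix, group_dn in POLICY:
        if path == prefix or path.startswith(prefix.rstrip("/") + "/"):
            return ldap_group_allows(username, group_dn)
    return False
```

One consequence worth keeping in mind: every certificate issued by the CA in SSLCACertificateFile with the same CN maps to the same LDAP user, so CN uniqueness has to be enforced at issuance time, not by Apache.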

I have a similar requirement; I posted a question here that you can reply to: https://serverfault.com/questions/1089176/configuring-cert-based-and-ldap-authorization-in-apache-virtual-host
