Apache client certificate authentication with LDAP authorization

For Apache, I'm trying to authenticate users with client certificates, and authorize them using LDAP groups. So far I have this:

# Apache 2.4.6

LoadModule ssl_module modules/mod_ssl.so
LoadModule authnz_ldap_module modules/mod_authnz_ldap.so

Listen 9999
<VirtualHost *:9999>
    ServerName example
    SSLEngine on
    SSLCertificateFile /etc/ssl/certs/server.crt
    SSLCertificateKeyFile /etc/ssl/certs/server.key
    # CA whose signature the client certificate must carry
    SSLCACertificateFile /etc/ssl/certs/ca.crt
    # Abort the TLS handshake unless the client presents a certificate that verifies
    SSLVerifyClient require
    # Depth 1: the client certificate must be issued directly by that CA (no intermediates)
    SSLVerifyDepth 1
    # Fabricates a Basic Authorization header: the username is the client
    # certificate's whole subject DN in one-line form, the password is "password"
    SSLOptions +FakeBasicAuth

    <Location /test/>
        # SSLUserName SSL_CLIENT_S_DN_CN
        # AuthBasicFake "%{SSL_CLIENT_S_DN_CN}"
        AuthType basic
        AuthName "Cert"
        AuthBasicProvider ldap

        # "?uid" makes the user search filter (uid=<username>)
        AuthLDAPURL "ldap://localhost/dc=example?uid"
        AuthLDAPBindDN "cn=admin,dc=example"
        # Plaintext bind password: keep this file unreadable to other users
        # (2.4.5 and later can instead fetch it from a program with "exec:/path")
        AuthLDAPBindPassword "test123"
        # Group entries list their members by full user DN in this attribute
        AuthLDAPGroupAttribute uniqueMember

        Require ldap-group cn=admin,ou=groups,dc=example
    </Location>
</VirtualHost>

It works for the most part, however the username ends up as /C=XX/L=Default City/O=Default Company Ltd/CN=testuser (i.e. the full DN from the X.509 subject field), while I want it to be just testuser (i.e. just the CN, SSL_CLIENT_S_DN_CN).

I tried using the AuthBasicFake directive, which seems to be just what I need, however the username field is always empty. Any suggestions?

asked Dec 06 '25 02:12 by luds


1 Answer

I got this to work with the following configuration. Only users with a key pair signed by the cert in SSLCACertificateFile will be able to authenticate. In my LDAP, all users belong to the cn=user,ou=groups,dc=example group, and can access the entire site by default. However, some users also belong to cn=admin,ou=groups,dc=example, which will give them access to /admin-panel.

LoadModule ssl_module modules/mod_ssl.so
LoadModule authnz_ldap_module modules/mod_authnz_ldap.so

Listen 9999
<VirtualHost *:9999>
    ServerName www.example.com
    SSLEngine on
    SSLCertificateFile /etc/ssl/certs/server.crt
    SSLCertificateKeyFile /etc/ssl/certs/server.key
    # Only certificates signed by this CA pass verification
    SSLCACertificateFile /etc/ssl/certs/ca.crt
    SSLVerifyClient require
    # Depth 1: client certificate must be issued directly by the CA above
    SSLVerifyDepth 1
    # Hand the certificate's CN (not the whole subject DN) to the auth modules as the username
    SSLUserName SSL_CLIENT_S_DN_CN

    <Location />
        AuthType basic
        AuthName "Cert"
        AuthBasicProvider ldap

        # "?uid": the CN from the certificate is looked up as (uid=<CN>)
        AuthLDAPURL "ldap://localhost/dc=example?uid"
        AuthLDAPBindDN "cn=admin,dc=example"
        # Plaintext bind password: restrict read access to this file
        AuthLDAPBindPassword "test123"
        # The group's uniqueMember values must be the full DN of the user entry found above
        AuthLDAPGroupAttribute uniqueMember

        # Everyone in cn=user may reach the whole site
        Require ldap-group cn=user,ou=groups,dc=example
    </Location>

    <Location "/admin-panel">
        # With the default AuthMerging Off this Require replaces, rather than
        # adds to, the one inherited from <Location />
        Require ldap-group cn=admin,ou=groups,dc=example
    </Location>
</VirtualHost>
answered Dec 07 '25 17:12 by luds
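The following is an added example, not code from the question or the answer above. It models in plain Python the two checks that configuration performs: mod_ssl derives a username from the verified client certificate (the CN with SSLUserName SSL_CLIENT_S_DN_CN, or the whole subject DN with SSLOptions +FakeBasicAuth), and mod_authnz_ldap turns that username into a (uid=...) search filter and then tests "Require ldap-group" against the group's uniqueMember values. The in-memory directory, the certificate subjects and the user entries under ou=people are constructed assumptions; the DN parser is a simplification that does not handle a "/" inside a value. It also shows why the username must be RFC 4515-escaped before it goes into the filter, and the Apache 2.4 default (AuthMerging Off) under which the Require in <Location "/admin-panel"> replaces the one in <Location /> instead of stacking on it.

```python
"""Model of the authn/authz chain behind the answer's Apache configuration.
Directory contents and certificate subjects below are constructed samples."""
import re

# Constructed stand-in for the dc=example directory the answer assumes.
# Groups list members by full user DN in uniqueMember (AuthLDAPGroupAttribute).
DIRECTORY = {
    "uid=testuser,ou=people,dc=example": {"uid": ["testuser"]},
    "uid=alice,ou=people,dc=example": {"uid": ["alice"]},
    "uid=bob,ou=people,dc=example": {"uid": ["bob"]},
    "cn=user,ou=groups,dc=example": {"uniqueMember": [
        "uid=testuser,ou=people,dc=example", "uid=alice,ou=people,dc=example"]},
    "cn=admin,ou=groups,dc=example": {"uniqueMember": [
        "uid=alice,ou=people,dc=example", "uid=bob,ou=people,dc=example"]},
}
USER_GROUP = "cn=user,ou=groups,dc=example"
ADMIN_GROUP = "cn=admin,ou=groups,dc=example"


def username_from_subject(subject, cn_only):
    """Username mod_ssl passes on. cn_only=True models 'SSLUserName
    SSL_CLIENT_S_DN_CN'; cn_only=False models '+FakeBasicAuth', which uses
    the whole one-line subject DN. Simplified parser: no '/' inside values."""
    if not cn_only:
        return subject
    rdns = dict(part.partition("=")[::2] for part in subject.split("/") if part)
    return rdns.get("CN", "")


_RFC4515 = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def ldap_filter_escape(value):
    """RFC 4515 escaping applied to the username before it enters the filter,
    so a CN such as '*' or 'x)(uid=*' cannot widen the search."""
    return "".join(_RFC4515.get(c, c) for c in value)


def build_filter(attribute, username):
    """Filter derived from 'AuthLDAPURL ...?uid': (uid=<escaped username>)."""
    return f"({attribute}={ldap_filter_escape(username)})"


def _unescape(text):
    return re.sub(r"\\([0-9A-Fa-f]{2})", lambda m: chr(int(m.group(1), 16)), text)


def filter_matches(flt, attrs):
    """Evaluate one '(attr=value)' filter against an entry. A bare '*' is a
    substring wildcard; the escaped form '\\2a' is a literal asterisk."""
    m = re.fullmatch(r"\(([A-Za-z][\w-]*)=(.*)\)", flt, re.DOTALL)
    if not m:
        raise ValueError(f"unsupported filter: {flt!r}")
    attribute, pattern = m.groups()
    pieces = [re.escape(_unescape(p)) for p in pattern.split("*")]
    regex = re.compile("^" + ".*".join(pieces) + "$", re.DOTALL)
    return any(regex.match(v) for v in attrs.get(attribute, []))


def authenticate(username, directory=DIRECTORY, base="dc=example"):
    """DN of the user entry if exactly one entry under the base matches, else None."""
    flt = build_filter("uid", username)
    hits = [dn for dn, attrs in directory.items()
            if dn.endswith(base) and filter_matches(flt, attrs)]
    return hits[0] if len(hits) == 1 else None


def in_group(user_dn, group_dn, directory=DIRECTORY, group_attr="uniqueMember"):
    """'Require ldap-group': the user's DN must be listed in the group entry."""
    return user_dn in directory.get(group_dn, {}).get(group_attr, [])


def check_request(subject, path, cn_only=True, directory=DIRECTORY):
    """HTTP outcome for a client whose verified certificate has this subject.
    AuthMerging Off (the 2.4 default): the Require inside <Location
    "/admin-panel"> replaces the one from <Location />, so that path needs
    cn=admin membership only, not cn=user as well."""
    user_dn = authenticate(username_from_subject(subject, cn_only), directory)
    if user_dn is None:
        return 401  # no single LDAP entry matches the username mod_ssl supplied
    required = ADMIN_GROUP if path.startswith("/admin-panel") else USER_GROUP
    return 200 if in_group(user_dn, required, directory) else 403


if __name__ == "__main__":
    subject = "/C=XX/L=Default City/O=Default Company Ltd/CN=testuser"
    print(build_filter("uid", username_from_subject(subject, cn_only=False)))
    print(check_request(subject, "/test/", cn_only=False))  # whole DN never equals a uid
    print(check_request(subject, "/test/"))
    print(check_request(subject, "/admin-panel"))
    print(build_filter("uid", "x)(uid=*"))
```

Running it shows the question's symptom directly: with the whole DN as username the filter becomes (uid=/C=XX/L=Default City/O=Default Company Ltd/CN=testuser), which can never match a uid, whereas the CN yields (uid=testuser). The bob entry, a member of cn=admin but not cn=user, is allowed into /admin-panel yet denied elsewhere, which is the consequence of the replace semantics worth checking against what you intend.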


