Johannes.Mueller at eon-is
Jul 3, 2008, 11:21 PM
Post #1 of 12
(463 views)
Permalink
|
|
Client authorization against LDAP using client certificates
|
|
Hello,
we want to use client authorization against LDAP using client certificates on Apache webserver 2.2.
Unfortunately this is not possible with Apache webserver at the current state of development.
There have been third party modules (ModXAuthLDAP, mod_authz_ldap) in the past which did this task quite well.
But they haven’t been updated for years and therefore do not work with httpd newer than 2.0.
Therefore my company has put some effort in developing a reasonable solution for its needs.
Firstly let me describe why it is not possible for us to do this form of authorization with a default httpd.
The client connects using SSL and a client certificate. Mod_ssl receives the request and checks the validity of the certificate using CRLs. After that it sets the user field in the Apache request object to the cn of the certificate (SSLUserName SSL_CLIENT_S_DN_CN). Afterwards mod_auth_basic tries to authenticate the user against its configured provider, wich is LDAP in our case. This fails, because there is no password coming from the certificate, which is quite obvious.
As you can see the missing password in the authentication phase is our main problem.
We tried to use SSLOptions +FakeBasicAuth, but then we would have to set “password” as password for all users in our directory. This is definitely no solution.
Another solution we thought of was to just set the require directives, but the hook seems to never get called, because of the missing AuthType directive.
We have developed the following possible solutions, which involve changes to the apache source code.
I’d be interested in comments and my company would appreciate it, if a solution could be included in apache. I could also provide a patch.
Solution 1
Description
* Add a boolean directive AuthBasicUserFromCert to mod_auth_basic
* This should tell mod_auth_basic not to run the configured authentication provider if a remote user is set by mod_ssl
* If no user is set (client does not provide certificate), basic authentication is done
Implementation
* Register directive in mod_auth_basic.c
* Add branch in authentication function to return AUTH_GRANTED if directive and user is set
* Remove call to ap_note_auth_basic_failure() in mod_authnz_ldap.c to avoid password dialog although we have a certificate if authorization fails
Pros and cons
+ Fallback to basic authentication done easy
+ Does not conflict with AAA-model
+ No duplicate code as we don't have to duplicate basic auth functionality (compare solution 3)
- mod_authnz_ldap has to be modified, too. Maybe this is not needed in Apache 2.3/2.4, because the call has been removed.
Solution 2
Description
* Create new module mod_auth_cert which has to be hooked previous to mod_auth_basic
* This new module runs if AuthType is set to „Cert“ checks for the remote user to be set
* In case the user is set by mod_ssl, return OK
* Else fall back to basic authentication by calling mod_auth_basic somehow
* This can possibly be achieved by rewriting AuthType on the fly
Implementation
* Copy mod_auth_basic.c
* Rename to mod_auth_cert
* Remove needless code
* Register in hook previous to mod_auth_basic.c
* In case the user is set by mod_ssl, return OK
* Else change r→auth_type to „Basic“ ?? Did not work in tests!
Pros and cons
+ Very clean concerning the AAA-model, because mod_auth_basic has nothing to do with certificates in principle
+ No duplicate code as we don't have to duplicate basic auth functionality (compare solution 3)
- Dirty solution concerning rewriting the AuthType directive on the fly
- More difficult to implement
- Maybe impossible
Solution 3
Description
* Duplicate mod_auth_basic
* Call it mod_auth_cert
* Add new directives AuthType „Cert“ and AuthCertProvider
* If remote user is set by mod_ssl do not run authentication provider and return OK
* Else du basic authentication using the provider
Implementation
* Copy mod_auth_basic.c
* Rename to mod_auth_cert.c
* Rename directives
* Add branch in authentication function to return AUTH_GRANTED if directive and user is set
* Remove call to ap_note_auth_basic_failure() in mod_authnz_ldap.c to avoid password dialog although we have a certificate if authorization fails
Pros and cons
+ Fallback to basic authentication done easy
+ Very clean concerning the AAA-model, because mod_auth_basic has nothing to do with certificates in principle
- Otherwise dirty, because mod_auth_cert should have nothing to do with basic authentication, either
- mod_authnz_ldap has to be modified, too. Maybe this is not needed in Apache 2.3/2.4, because the call has been removed.
- Duplicate code
Freundliche Grüße/Kind regards
Johannes Müller
I/TS1A-G - Web Infrastructure
T +49 8 9-12 54 57 92
johannes.mueller[at]eon-is.com
E.ON IS GmbH
Blutenburgstraße 18
80636 München
www.eon-is.com
Vorsitzender des Aufsichtsrats/Chairman of the Supervisory Board:
Dr. Marcus Schenck Geschäftsführung/Managing Directors:
Werner Hecker (Vorsitzender/Chairman) Jörg Becker Damian
Bunyan Dr. Kai Pfitzner Dr. Jörg Zunft E.ON IS GmbH
Sitz/Registered Office Hannover Amtsgericht/District Court
Hannover HRB 57814
|
smime.p7s
