LinuxQuestions.org
Help answer threads with 0 replies.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Newbie
User Name
Password
Linux - Newbie This Linux forum is for members that are new to Linux.
Just starting out and have a question? If it is not in the man pages or the how-to's this is the place!

Notices


Reply
  Search this Thread
Old 06-09-2017, 05:03 AM   #1
Arkyo
LQ Newbie
 
Registered: Jun 2017
Posts: 2

Rep: Reputation: Disabled
How to configure Apache to make him check the client certificate with the one in LDAP?


Hi everyone,

I’m trying to configure my Apache server for an HTTPS authentication with client certificates using LDAP as my users directory.


What I want to do is that Apache asks users to authenticate themselves with a certificate (so without a login/password) and then Apache has to check it in the LDAP : if the certificate provided by the user is valid then Apache will return “it works” otherwise it will return a 401 authorization required.

What I have done so far is : secure the connection between users and Apache and between Apache and LDAP. The user also provides his certificate to Apache when he tries to authenticate himself. My problem is that the user provides a certificate to Apache but Apache doesn’t check if the certificate provided by the user match with the one associated to the user in the LDAP directory.

The version I use for Apache is the 2.2.32 and for OpenLDAP it is the 2.4.40, both on CentOS 7.2.
I have also tried the module "mod_authz_ldap" on Apache following this link http://authzldap.othello.ch/configuration.html but it doesn't work so i'm out of ideas.

Here is my configuration file :

<VirtualHost *:443>
LogLevel debug
SSLEngine on
SSLCertificateKeyFile /usr/local/apache2/certs/apache.pem
SSLCertificateFile /usr/local/apache2/certs/apache.crt
SSLCACertificateFile /usr/local/apache2/certs/CA.crt
SSLVerifyDepth 10
SSLVerifyClient require
SSLProtocol all -SSLv3 -SSLv2

<Directory /usr/local/apache2/htdocs>
#AuthType Basic
#AuthName "Authorized Personnel Only"
#AuthLDAPBindDN "cn=ldapadm,dc=ldap,dc=domain"
#AuthLDAPBindPassword "password*"
#AuthBasicProvider ldap
#AuthLDAPURL "ldap://ldap.com/ou=People,dc=ldap,dc=domain?uid" STARTTLS
#AuthzLDAPAuthoritative off
#Require valid-user

SSLRequireSSL
AuthName "Authorized Personnel Only"
AuthType Basic
AuthzLDAPServer "ldap.com:389"
AuthzLDAPMethod certificate
AuthzLDAPMapMethod issuersubject
AuthUserFile /dev/null
AuthzLDAPMapBase "ou=People,dc=ldap,dc=domain"
AuthzLDAPMapScope onelevel
require valid-user

</Directory>

</VirtualHost>

Anyone has an idea?

Thanks in advance,
Arkyo
 
Old 06-10-2017, 03:04 AM   #2
AwesomeMachine
LQ Guru
 
Registered: Jan 2005
Location: USA and Italy
Distribution: Debian testing/sid; OpenSuSE; Fedora; Mint
Posts: 5,513

Rep: Reputation: 1009Reputation: 1009Reputation: 1009Reputation: 1009Reputation: 1009Reputation: 1009Reputation: 1009Reputation: 1009
Hi Arkyo,

Welcome to LQ!

Try this: http://tldp.org/HOWTO/Apache-WebDAV-...WTO/index.html

Last edited by AwesomeMachine; 06-10-2017 at 03:05 AM.
 
Old 06-12-2017, 02:59 AM   #3
Arkyo
LQ Newbie
 
Registered: Jun 2017
Posts: 2

Original Poster
Rep: Reputation: Disabled
Hi AwesomeMachine,

Thanks for your reply !

I have read your link but i don't think it corresponds to what i try to achieve. If i understood correctly, it explains the steps to secure the connection between Apache and LDAP with certificates, what i have already done more or less. My problem is when a user "toto" tries to authenticate himself on Apache (the user "toto" sends his certificate through the browser), Apache do not check in the LDAP directory if the certificate sent by the user "toto" matches with the one stored in the "toto.ldif" (in the line "userCertificate"). As a result, in Apache logs, it says that the authentication failed or it can't find the user "toto".
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
Setting up apache httpd to use client certificate in combination with ldap Ramurd Linux - Server 2 12-08-2015 07:08 AM
Best way to create a SSL/TLS certificate to connect the LDAP Client rgtruss Linux - Newbie 1 11-08-2012 08:00 AM
apache and client certificate Felipe Linux - Server 0 03-29-2012 06:08 PM
TLS/SSl client certificate creation for LDAP. sheelavantar Linux - Server 2 09-20-2011 09:35 PM
Apache client certificate for each user hardigunawan Linux - General 1 01-22-2003 03:44 AM

LinuxQuestions.org > Forums > Linux Forums > Linux - Newbie

All times are GMT -5. The time now is 05:56 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration