LinuxQuestions.org > Forums > Linux Forums > Linux - Newbie
06-09-2017, 05:03 AM   #1
Arkyo
LQ Newbie
Registered: Jun 2017
Posts: 2
How to configure Apache to make it check the client certificate with the one in LDAP?


Hi everyone,

I’m trying to configure my Apache server for HTTPS authentication with client certificates, using LDAP as my user directory.


What I want is for Apache to ask users to authenticate with a certificate (so without a login/password) and then check it in LDAP: if the certificate provided by the user is valid, Apache returns “it works”, otherwise it returns a 401 Authorization Required.

What I have done so far: secured the connection between users and Apache and between Apache and LDAP. The user also provides his certificate to Apache when he tries to authenticate. My problem is that the user provides a certificate to Apache, but Apache doesn’t check whether the certificate provided by the user matches the one associated with the user in the LDAP directory.

The Apache version I use is 2.2.32 and OpenLDAP is 2.4.40, both on CentOS 7.2.
I have also tried the module "mod_authz_ldap" on Apache, following this link http://authzldap.othello.ch/configuration.html, but it doesn't work, so I'm out of ideas.

Here is my configuration file:

<VirtualHost *:443>
LogLevel debug
# mod_ssl: the server's own key and certificate, the CA that issued the
# client certificates, and a client certificate required on every handshake
SSLEngine on
SSLCertificateKeyFile /usr/local/apache2/certs/apache.pem
SSLCertificateFile /usr/local/apache2/certs/apache.crt
SSLCACertificateFile /usr/local/apache2/certs/CA.crt
SSLVerifyDepth 10
SSLVerifyClient require
SSLProtocol all -SSLv3 -SSLv2

<Directory /usr/local/apache2/htdocs>
# first attempt, with the bundled mod_authnz_ldap (left commented out)
#AuthType Basic
#AuthName "Authorized Personnel Only"
#AuthLDAPBindDN "cn=ldapadm,dc=ldap,dc=domain"
#AuthLDAPBindPassword "password*"
#AuthBasicProvider ldap
#AuthLDAPURL "ldap://ldap.com/ou=People,dc=ldap,dc=domain?uid" STARTTLS
#AuthzLDAPAuthoritative off
#Require valid-user

# second attempt, with the third-party mod_authz_ldap from authzldap.othello.ch:
# map the client certificate to an entry one level under ou=People
SSLRequireSSL
AuthName "Authorized Personnel Only"
AuthType Basic
AuthzLDAPServer "ldap.com:389"
AuthzLDAPMethod certificate
AuthzLDAPMapMethod issuersubject
AuthUserFile /dev/null
AuthzLDAPMapBase "ou=People,dc=ldap,dc=domain"
AuthzLDAPMapScope onelevel
require valid-user

</Directory>

</VirtualHost>

Does anyone have an idea?

Thanks in advance,
Arkyo
 
06-10-2017, 03:04 AM   #2
AwesomeMachine
LQ Guru
Registered: Jan 2005
Location: USA and Italy
Distribution: Debian testing/sid; OpenSuSE; Fedora; Mint
Posts: 5,524
Hi Arkyo,

Welcome to LQ!

Try this: http://tldp.org/HOWTO/Apache-WebDAV-...WTO/index.html

06-12-2017, 02:59 AM   #3
Arkyo
LQ Newbie
Original Poster
Hi AwesomeMachine,

Thanks for your reply !

I have read your link, but I don't think it corresponds to what I am trying to achieve. If I understood correctly, it explains the steps to secure the connection between Apache and LDAP with certificates, which I have already done, more or less. My problem is that when a user "toto" tries to authenticate on Apache (the user "toto" sends his certificate through the browser), Apache does not check in the LDAP directory whether the certificate sent by the user "toto" matches the one stored in "toto.ldif" (on the "userCertificate" line). As a result, the Apache logs say that the authentication failed or that it can't find the user "toto".
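The check Arkyo asks for in posts #1 and #3 (does the certificate the browser sent equal the userCertificate on toto's entry), done at the application layer, as an added example that is not code from the thread, from Apache or from mod_authz_ldap. Apache's bundled modules already do the other two parts: mod_ssl with SSLVerifyClient require rejects any client certificate that does not chain to SSLCACertificateFile, and with SSLOptions +StdEnvVars +ExportCertData it hands the subject CN and the certificate itself (PEM) to a CGI/WSGI application as SSL_CLIENT_S_DN_CN and SSL_CLIENT_CERT. What neither mod_ssl nor mod_authnz_ldap does is compare those bytes with userCertificate, so the example reads the user's entry (here from an in-process LDIF text standing in for an LDAP search on uid; in production that would be an ldapsearch or python-ldap call), takes the DER out of the PEM and allows the request only if it equals one of the stored values. Assumptions, all labelled in the code: the CA puts the LDAP uid in the certificate's CN, the ou=People,dc=ldap,dc=domain base and the toto and titi entries are built from the thread, and every certificate is filler bytes rather than a real X.509 structure, which is enough because the comparison is byte-for-byte on the DER.

```python
# Added example, not code from the thread, Apache or mod_authz_ldap: compare the
# client certificate mod_ssl verified with the userCertificate on the LDAP entry.
# The certificates below are constructed filler, not real X.509 structures.
import base64
import hmac

PEM_HEADER = "-----BEGIN CERTIFICATE-----"
PEM_FOOTER = "-----END CERTIFICATE-----"
BASE = "ou=People,dc=ldap,dc=domain"  # the thread's AuthzLDAPMapBase

def pem_to_der(pem):
    """PEM armour off, DER out.  Whitespace in the body is ignored, so a PEM
    whose newlines became spaces on the way through a header still decodes."""
    start, end = pem.find(PEM_HEADER), pem.find(PEM_FOOTER)
    if start < 0 or end < start:
        raise ValueError("not a PEM certificate")
    body = pem[start + len(PEM_HEADER):end]
    return base64.b64decode("".join(body.split()), validate=True)

def parse_ldif(text):
    """Minimal LDIF reader -> {dn: {attr: [values]}}.  Unfolds continuation
    lines and decodes '::' base64 values (userCertificate;binary) to bytes."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]  # continuation of the previous line
        else:
            lines.append(raw)
    entries, current = {}, None
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        name, sep, rest = line.partition(":")
        if not sep:
            raise ValueError("malformed LDIF line: %r" % line)
        value = (base64.b64decode(rest[1:].strip(), validate=True)
                 if rest.startswith(":") else rest.strip())
        if name == "dn":
            key = value.decode("utf-8") if isinstance(value, bytes) else value
            current = entries.setdefault(key, {})
        elif current is None:
            raise ValueError("attribute before dn: %r" % line)
        else:
            current.setdefault(name, []).append(value)
    return entries

def find_user(directory, uid, base=BASE):  # stands in for an LDAP (uid=...) search
    return next((attrs for dn, attrs in directory.items()
                 if dn.endswith(base) and attrs.get("uid") == [uid]), None)

def authorize(environ, directory, base=BASE):
    """(allowed, reason) for the environ mod_ssl populated.  Allowed only when
    the presented DER equals one of the entry's userCertificate values."""
    pem = environ.get("SSL_CLIENT_CERT", "")
    uid = environ.get("SSL_CLIENT_S_DN_CN", "")  # assumes the CA puts uid in CN
    if not pem or not uid:
        return False, "mod_ssl exported no client certificate"
    try:
        presented = pem_to_der(pem)
    except ValueError as exc:
        return False, "unparseable SSL_CLIENT_CERT: %s" % exc
    entry = find_user(directory, uid, base)
    if entry is None:
        return False, "no entry with uid=%s under %s" % (uid, base)
    stored = [c for c in entry.get("userCertificate;binary", [])
              + entry.get("userCertificate", []) if isinstance(c, bytes)]
    if not stored:
        return False, "uid=%s has no userCertificate enrolled" % uid
    for der in stored:  # several values are legitimate while a cert is rotated
        if hmac.compare_digest(der, presented):
            return True, "certificate matches userCertificate of uid=%s" % uid
    return False, "uid=%s presented a certificate that is not enrolled" % uid

def der_to_pem(der):
    """What mod_ssl puts in SSL_CLIENT_CERT: 64-column PEM."""
    b64 = base64.b64encode(der).decode("ascii")
    return "\n".join([PEM_HEADER] + [b64[i:i + 64] for i in range(0, len(b64), 64)]
                     + [PEM_FOOTER]) + "\n"

# Constructed sample data: toto has a certificate enrolled, titi has none.
TOTO_DER = b"\x30\x82\x01\x00" + b"constructed-cert-for-toto-" + bytes(range(40))
OTHER_DER = b"\x30\x82\x01\x00" + b"constructed-cert-for-other-" + bytes(range(40))
_B64 = base64.b64encode(TOTO_DER).decode("ascii")
SAMPLE_LDIF = """\
dn: uid=toto,ou=People,dc=ldap,dc=domain
objectClass: inetOrgPerson
uid: toto
userCertificate;binary:: %s
 %s

dn: uid=titi,ou=People,dc=ldap,dc=domain
objectClass: inetOrgPerson
uid: titi
""" % (_B64[:76], _B64[76:])  # folded onto a continuation line as LDIF tools do
DIRECTORY = parse_ldif(SAMPLE_LDIF)

if __name__ == "__main__":
    for cn, der in [("toto", TOTO_DER), ("toto", OTHER_DER), ("titi", OTHER_DER)]:
        env = {"SSL_CLIENT_S_DN_CN": cn, "SSL_CLIENT_CERT": der_to_pem(der)}
        print(cn, *authorize(env, DIRECTORY))
```

Running the file prints the verdict for toto with the enrolled certificate (allowed), for toto with a different certificate from the same CA and for titi with nothing enrolled (both refused, which is the 401 case). Why compare bytes at all when the CN already names the user: once the CA is trusted, any certificate it ever issued with CN=toto would pass a plain CN-to-uid lookup, so matching the enrolled userCertificate pins the login to the one certificate the directory knows. The price is that rotating a user's certificate means updating the entry; the loop accepts any stored value, so the old and new certificate can coexist during the overlap.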