Hi everyone,
I’m trying to configure my Apache server for HTTPS authentication with client certificates, using LDAP as my user directory.
What I want is for Apache to ask users to authenticate with a certificate (so without a login/password) and then check it in LDAP: if the certificate provided by the user is valid, Apache returns “it works”; otherwise it returns a 401 Authorization Required.
What I have done so far: secured the connection between users and Apache and between Apache and LDAP. The user also provides his certificate to Apache when he tries to authenticate. My problem is that the user provides a certificate to Apache, but Apache doesn’t check whether the certificate provided by the user matches the one associated with the user in the LDAP directory.
The Apache version I use is 2.2.32 and the OpenLDAP version is 2.4.40, both on CentOS 7.2.
I have also tried the module "mod_authz_ldap" on Apache, following this link: http://authzldap.othello.ch/configuration.html, but it doesn't work, so I'm out of ideas.
Here is my configuration file:
<VirtualHost *:443>
    LogLevel debug
    # mod_ssl: server certificate/key and the CA used to verify client certificates
    SSLEngine on
    SSLCertificateKeyFile /usr/local/apache2/certs/apache.pem
    SSLCertificateFile /usr/local/apache2/certs/apache.crt
    SSLCACertificateFile /usr/local/apache2/certs/CA.crt
    SSLVerifyDepth 10
    SSLVerifyClient require
    SSLProtocol all -SSLv3 -SSLv2
    <Directory /usr/local/apache2/htdocs>
        # earlier attempt with mod_authnz_ldap (Basic auth), kept commented out
        #AuthType Basic
        #AuthName "Authorized Personnel Only"
        #AuthLDAPBindDN "cn=ldapadm,dc=ldap,dc=domain"
        #AuthLDAPBindPassword "password*"
        #AuthBasicProvider ldap
        #AuthLDAPURL "ldap://ldap.com/ou=People,dc=ldap,dc=domain?uid" STARTTLS
        #AuthzLDAPAuthoritative off
        #Require valid-user
        # current attempt with mod_authz_ldap (certificate mapping)
        SSLRequireSSL
        AuthName "Authorized Personnel Only"
        AuthType Basic
        AuthzLDAPServer "ldap.com:389"
        AuthzLDAPMethod certificate
        AuthzLDAPMapMethod issuersubject
        AuthUserFile /dev/null
        AuthzLDAPMapBase "ou=People,dc=ldap,dc=domain"
        AuthzLDAPMapScope onelevel
        Require valid-user
    </Directory>
</VirtualHost>
Does anyone have an idea?
Thanks in advance,
Arkyo
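The missing check the post describes, as an added example that is not Arkyo's configuration or any Apache module's code: a small Python handler (for instance a CGI behind the `<Directory>` above) that takes the variables mod_ssl exports with `SSLOptions +StdEnvVars +ExportCertData` and compares the presented certificate, by fingerprint, against the user's `userCertificate;binary` values. The directory contents are a constructed in-memory stand-in for the LDAP search result, and mapping the certificate CN to the LDAP uid is an assumption.

```python
import base64
import hashlib
import hmac
import re
from typing import Dict, List, Optional

# Constructed stand-in for the LDAP search result on ou=People,dc=ldap,dc=domain:
# uid -> DER values of the multi-valued "userCertificate;binary" attribute.
# (The byte strings are made-up placeholders, not real certificates.)
CONSTRUCTED_DIRECTORY: Dict[str, List[bytes]] = {
    "alice": [b"\x30\x82\x01\x00ALICE-CERT-DER-CONSTRUCTED"],
    "bob": [b"\x30\x82\x01\x00BOB-CERT-DER-CONSTRUCTED"],
}


def make_pem(der: bytes) -> str:
    """Wrap DER bytes the way mod_ssl presents them in SSL_CLIENT_CERT (sample data only)."""
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


def pem_to_der(pem: str) -> Optional[bytes]:
    """Decode SSL_CLIENT_CERT; some SAPIs flatten its newlines to spaces, so strip whitespace."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S)
    if not m:
        return None
    body = re.sub(r"\s+", "", m.group(1))
    if not body:
        return None
    try:
        return base64.b64decode(body, validate=True)
    except ValueError:
        return None


def fingerprint(der: bytes) -> str:
    return hashlib.sha256(der).hexdigest()


def authorize(env: Dict[str, str], directory: Dict[str, List[bytes]]) -> int:
    """HTTP status to send: 200 if the presented cert is one of the user's stored certs, else 401."""
    if env.get("SSL_CLIENT_VERIFY") != "SUCCESS":  # chain check against CA.crt is mod_ssl's job
        return 401
    der = pem_to_der(env.get("SSL_CLIENT_CERT", ""))
    uid = env.get("SSL_CLIENT_S_DN_CN")  # assumption: CN of the client cert equals the LDAP uid
    if der is None or not uid:
        return 401
    wanted = fingerprint(der)
    # Compare whole-certificate fingerprints, not just the subject DN: a CA-issued certificate
    # with the same CN but a different key must be refused.
    stored = directory.get(uid, [])
    return 200 if any(hmac.compare_digest(wanted, fingerprint(c)) for c in stored) else 401
```

With `SSLVerifyClient require` already in the vhost, `SSL_CLIENT_VERIFY` is only ever `SUCCESS` on requests that reach the handler, so the 401 branch that matters in practice is the fingerprint mismatch.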