Help answer threads with 0 replies.
Go Back > Forums > Linux Forums > Linux - Newbie
User Name
Linux - Newbie This Linux forum is for members that are new to Linux.
Just starting out and have a question? If it is not in the man pages or the how-to's this is the place!


  Search this Thread
Old 06-09-2017, 05:03 AM   #1
LQ Newbie
Registered: Jun 2017
Posts: 2

Rep: Reputation: Disabled
How to configure Apache to make him check the client certificate with the one in LDAP?

Hi everyone,

I’m trying to configure my Apache server for an HTTPS authentication with client certificates using LDAP as my users directory.

What I want to do is that Apache asks users to authenticate themselves with a certificate (so without a login/password) and then Apache has to check it in the LDAP : if the certificate provided by the user is valid then Apache will return “it works” otherwise it will return a 401 authorization required.

What I have done so far is : secure the connection between users and Apache and between Apache and LDAP. The user also provides his certificate to Apache when he tries to authenticate himself. My problem is that the user provides a certificate to Apache but Apache doesn’t check if the certificate provided by the user match with the one associated to the user in the LDAP directory.

The version I use for Apache is the 2.2.32 and for OpenLDAP it is the 2.4.40, both on CentOS 7.2.
I have also tried the module "mod_authz_ldap" on Apache following this link but it doesn't work so i'm out of ideas.

Here is my configuration file :

<VirtualHost *:443>
LogLevel debug
SSLEngine on
SSLCertificateKeyFile /usr/local/apache2/certs/apache.pem
SSLCertificateFile /usr/local/apache2/certs/apache.crt
SSLCACertificateFile /usr/local/apache2/certs/CA.crt
SSLVerifyDepth 10
SSLVerifyClient require
SSLProtocol all -SSLv3 -SSLv2

<Directory /usr/local/apache2/htdocs>
#AuthType Basic
#AuthName "Authorized Personnel Only"
#AuthLDAPBindDN "cn=ldapadm,dc=ldap,dc=domain"
#AuthLDAPBindPassword "password*"
#AuthBasicProvider ldap
#AuthLDAPURL "ldap://,dc=ldap,dc=domain?uid" STARTTLS
#AuthzLDAPAuthoritative off
#Require valid-user

AuthName "Authorized Personnel Only"
AuthType Basic
AuthzLDAPServer ""
AuthzLDAPMethod certificate
AuthzLDAPMapMethod issuersubject
AuthUserFile /dev/null
AuthzLDAPMapBase "ou=People,dc=ldap,dc=domain"
AuthzLDAPMapScope onelevel
require valid-user



Anyone has an idea?

Thanks in advance,
Old 06-10-2017, 03:04 AM   #2
LQ Guru
Registered: Jan 2005
Location: USA and Italy
Distribution: Debian testing/sid; OpenSuSE; Fedora; Mint
Posts: 5,524

Rep: Reputation: 1015Reputation: 1015Reputation: 1015Reputation: 1015Reputation: 1015Reputation: 1015Reputation: 1015Reputation: 1015
Hi Arkyo,

Welcome to LQ!

Try this:

Last edited by AwesomeMachine; 06-10-2017 at 03:05 AM.
Old 06-12-2017, 02:59 AM   #3
LQ Newbie
Registered: Jun 2017
Posts: 2

Original Poster
Rep: Reputation: Disabled
Hi AwesomeMachine,

Thanks for your reply !

I have read your link but i don't think it corresponds to what i try to achieve. If i understood correctly, it explains the steps to secure the connection between Apache and LDAP with certificates, what i have already done more or less. My problem is when a user "toto" tries to authenticate himself on Apache (the user "toto" sends his certificate through the browser), Apache do not check in the LDAP directory if the certificate sent by the user "toto" matches with the one stored in the "toto.ldif" (in the line "userCertificate"). As a result, in Apache logs, it says that the authentication failed or it can't find the user "toto".


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off

Similar Threads
Thread Thread Starter Forum Replies Last Post
Setting up apache httpd to use client certificate in combination with ldap Ramurd Linux - Server 2 12-08-2015 07:08 AM
Best way to create a SSL/TLS certificate to connect the LDAP Client rgtruss Linux - Newbie 1 11-08-2012 08:00 AM
apache and client certificate Felipe Linux - Server 0 03-29-2012 06:08 PM
TLS/SSl client certificate creation for LDAP. sheelavantar Linux - Server 2 09-20-2011 09:35 PM
Apache client certificate for each user hardigunawan Linux - General 1 01-22-2003 03:44 AM > Forums > Linux Forums > Linux - Newbie

All times are GMT -5. The time now is 07:28 AM.

Main Menu
Write for LQ is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration