SSLusername

Hi,

I'm working with mod_authnz_ldap and mod_ssl, authenticating with certificates,
and I've got some questions.
This is my situation (some directives are omitted):

------------------------------------------------------------------------------------------------
SSLVerifyClient require
SSLOptions +ExportCertData +StdEnvVars +StrictRequire +FakeBasicAuth

<Location /private>
        SSLRequireSSL
        AuthType basic
        AuthName "private area"
        AuthzLDAPAuthoritative off
        AuthBasicProvider       ldap
        AuthLDAPBindDN          uid=myuser,dc=example,dc=com
        AuthLDAPBindPassword    mypassword
        AuthLDAPUrl             "ldap://myldaphost:389/ou=users,dc=example,dc=com?subjectDN?sub?(objectclass=*)"
        Require ldap-attribute employeeType=active
</Location>
------------------------------------------------------------------------------------------------

This configuration is working: the user is found in LDAP by searching for his
"subjectDN", as set by the option "+FakeBasicAuth", but I want to make the
LDAP SEARCH not with the subjectDN but with other fields of the certificate.

If I use these options:
------------------------------------------------------------------------------------------------
SSLVerifyClient require
SSLUserName SSL_CLIENT_S_DN_CN
SSLOptions +ExportCertData +StdEnvVars +StrictRequire -FakeBasicAuth

<Location /private>
        SSLRequireSSL
        AuthType basic
        AuthName "private area"
        AuthzLDAPAuthoritative off
        AuthBasicProvider       ldap
        AuthLDAPBindDN          uid=myuser,dc=example,dc=com
        AuthLDAPBindPassword    mypassword
        AuthLDAPUrl             "ldap://myldaphost:389/ou=users,dc=example,dc=com?cn?sub?(objectclass=*)"
        Require ldap-attribute employeeType=active
</Location>
------------------------------------------------------------------------------------------------

mod_ssl does its work, as in my log files I see the "CN" logged as "%u",
but as soon as I call "/private", the "%u" becomes an empty variable and I
can't use it in the next authentication module.
Is there something I'm missing?

Second question is: is it possible to use environment variables in the
directives AuthLDAPUrl, "Require ldap-filter" or "Require ldap-attribute"?
Something like this:
------------------------------------------------------------------------------------------------
AuthLDAPUrl "ldap://myldaphost:389/ou=users,dc=example,dc=com?subjectDN?sub?(mail=%{SSL_CLIENT_S_DN_Email})"
or
Require ldap-filter "(&(mail=%{SSL_CLIENT_S_DN_Email})(CN=%{SSL_CLIENT_S_DN_CN}))"
or
Require ldap-attribute mail=%{SSL_CLIENT_S_DN_Email}
------------------------------------------------------------------------------------------------

Last question is: as described in
http://httpd.apache.org/docs/2.2/mod/mod_ssl.html#ssloptions, regarding
"FakeBasicAuth", the password for the user must be set to "password". Is it
strictly necessary, or is there a way to set a different password, or to
verify issuerDN and subjectDN against a fake password?
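As an added example (not part of the original post or of mod_authnz_ldap), the Python below builds the filter the second question asks for from the same mod_ssl variables, with the RFC 4515 escaping any application doing such a lookup itself has to apply: the subject fields come from whoever obtained the certificate, not from the server, so they must never reach a filter unescaped. The variable names are mod_ssl's; the SSL_CLIENT_VERIFY check, the helper names and the sample environments are this example's own assumptions.

```python
# RFC 4515: these characters must be hex-escaped inside a filter assertion value.
_FILTER_SPECIAL = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}


def ldap_filter_escape(value: str) -> str:
    """Escape a string for safe use as an assertion value in an LDAP search filter."""
    out = []
    for ch in value:
        if ch in _FILTER_SPECIAL:
            out.append(_FILTER_SPECIAL[ch])
        elif ord(ch) < 0x20 or ord(ch) > 0x7E:
            # Control and non-ASCII characters: escape each UTF-8 byte as \xx.
            out.extend("\\%02x" % b for b in ch.encode("utf-8"))
        else:
            out.append(ch)
    return "".join(out)


def build_client_cert_filter(env, base_filter="(objectclass=*)"):
    """Build the (&(mail=...)(cn=...)) filter from mod_ssl's exported variables.

    env is the request environment as exported by +StdEnvVars (os.environ
    under CGI). Returns None when the client certificate was not verified or
    a field is missing, so the caller cannot fall through to a wide search.
    """
    if env.get("SSL_CLIENT_VERIFY") != "SUCCESS":  # assumed check, not in the post
        return None
    cn = env.get("SSL_CLIENT_S_DN_CN")
    mail = env.get("SSL_CLIENT_S_DN_Email")
    if not cn or not mail:
        return None
    return "(&%s(mail=%s)(cn=%s))" % (
        base_filter, ldap_filter_escape(mail), ldap_filter_escape(cn))


if __name__ == "__main__":
    # Constructed sample environments standing in for what mod_ssl exports.
    good = {"SSL_CLIENT_VERIFY": "SUCCESS",
            "SSL_CLIENT_S_DN_CN": "John Doe",
            "SSL_CLIENT_S_DN_Email": "john@example.com"}
    # A CN containing filter metacharacters: escaping keeps it a literal value
    # instead of letting it close the cn clause and change the search.
    odd_cn = dict(good, SSL_CLIENT_S_DN_CN="*)(employeeType=active")
    print(build_client_cert_filter(good))
    print(build_client_cert_filter(odd_cn))
```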

______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users [at] modssl.org
Automated List Manager majordomo [at] modssl.org
mdn teo [ Mon, 30 June 2008 18:23 ] [ ID #1958569 ]