Apache 2.0.39 + ssl + ldap with client certificate authentication

Post by sarat » Mon, 30 Sep 2002 18:10:19



Dear group,
Has anybody tried doing LDAP client certificate authentication for an
Apache 2.0.39 SSL server?

Our environment is:
Red Hat Linux 7.1, kernel 2.4.x
Apache 2.0.39 (incl. mod_ssl)
openssl-engine-0.9.6g
OpenLDAP (on a different Red Hat Linux server)

The Apache website has a VeriSign server certificate and a self-signed CA
certificate, and all clients have certificates in the LDAP server signed
by this CA.

When clients present their certificate to browse the Apache secure site,
Apache should check the existence of their certificate in the LDAP server
and also the validity of the contents of the certificate presented.

Kindly provide some direction to any solution or resources related to this
issue.

Any help would be highly appreciated.

TIA
Sarath

 
 
 

Apache 2.0.39 + ssl + ldap with client certificate authentication

Post by TuxPenguin4Yo » Mon, 30 Sep 2002 19:42:19



> Dear group,
> Has anybody tried doing LDAP client certificate authentication for an
> Apache 2.0.39 SSL server?

> Our environment is:
> Red Hat Linux 7.1, kernel 2.4.x
> Apache 2.0.39 (incl. mod_ssl)
> openssl-engine-0.9.6g
> OpenLDAP (on a different Red Hat Linux server)

> The Apache website has a VeriSign server certificate and a self-signed CA
> certificate, and all clients have certificates in the LDAP server signed
> by this CA.

> When clients present their certificate to browse the Apache secure site,
> Apache should check the existence of their certificate in the LDAP server
> and also the validity of the contents of the certificate presented.

> Kindly provide some direction to any solution or resources related to this
> issue.

> Any help would be highly appreciated.

> TIA
> Sarath

1. Use the normal OpenSSL version, NOT the engine version; also, RH 7.1 has
0.9.6-engine by default.
2. Use 2.0.42.
3. Stop using kernel 2.4.3.

 
 
 

Apache 2.0.39 + ssl + ldap with client certificate authentication

Post by sarat » Mon, 30 Sep 2002 23:44:03


We used openssl-engine-0.9.6g because that's the latest stable version and
also because we needed the engine version to support a PCI accelerator card.

Our main issue is with the module mod_authz_ldap
(http://authzldap.othello.ch/), which is needed to check the client
certificates against LDAP directory entries. To install mod_authz_ldap, it
is necessary to apply a patch (http://authzldap.othello.ch/modssl-patch.html)
to mod_ssl. At present, the first obstacle is that I am unable to apply this
patch to the ssl_engine_kernel.c file. I would like to know how to apply
this patch, or I would like to get the patched ssl_engine_kernel.c which I
can use directly.

Thanks
Sarath




> > Dear group,
> > Has anybody tried doing LDAP client certificate authentication for an
> > Apache 2.0.39 SSL server?

> > Our environment is:
> > Red Hat Linux 7.1, kernel 2.4.x
> > Apache 2.0.39 (incl. mod_ssl)
> > openssl-engine-0.9.6g
> > OpenLDAP (on a different Red Hat Linux server)

> > The Apache website has a VeriSign server certificate and a self-signed CA
> > certificate, and all clients have certificates in the LDAP server signed
> > by this CA.

> > When clients present their certificate to browse the Apache secure site,
> > Apache should check the existence of their certificate in the LDAP server
> > and also the validity of the contents of the certificate presented.

> > Kindly provide some direction to any solution or resources related to
> > this issue.

> > Any help would be highly appreciated.

> > TIA
> > Sarath

> 1. Use the normal OpenSSL version, NOT the engine version; also, RH 7.1 has
> 0.9.6-engine by default.
> 2. Use 2.0.42.
> 3. Stop using kernel 2.4.3.

 
 
 

Apache 2.0.39 + ssl + ldap with client certificate authentication

Post by TuxPenguin4Yo » Tue, 01 Oct 2002 08:35:38



> We used openssl-engine-0.9.6g because that's the latest stable version and
> also because we needed the engine version to support a PCI accelerator card.

> Our main issue is with the module mod_authz_ldap
> (http://authzldap.othello.ch/), which is needed to check the client
> certificates against LDAP directory entries. To install mod_authz_ldap, it
> is necessary to apply a patch (http://authzldap.othello.ch/modssl-patch.html)
> to mod_ssl. At present, the first obstacle is that I am unable to apply this
> patch to the ssl_engine_kernel.c file. I would like to know how to apply
> this patch, or I would like to get the patched ssl_engine_kernel.c which I
> can use directly.

> Thanks
> Sarath





> > > Dear group,
> > > Has anybody tried doing LDAP client certificate authentication for an
> > > Apache 2.0.39 SSL server?

> > > Our environment is:
> > > Red Hat Linux 7.1, kernel 2.4.x
> > > Apache 2.0.39 (incl. mod_ssl)
> > > openssl-engine-0.9.6g
> > > OpenLDAP (on a different Red Hat Linux server)

> > > The Apache website has a VeriSign server certificate and a self-signed
> > > CA certificate, and all clients have certificates in the LDAP server
> > > signed by this CA.

> > > When clients present their certificate to browse the Apache secure
> > > site, Apache should check the existence of their certificate in the
> > > LDAP server and also the validity of the contents of the certificate
> > > presented.

> > > Kindly provide some direction to any solution or resources related to
> > > this issue.

> > > Any help would be highly appreciated.

> > > TIA
> > > Sarath

> > 1. Use the normal OpenSSL version, NOT the engine version; also, RH 7.1
> > has 0.9.6-engine by default.
> > 2. Use 2.0.42.
> > 3. Stop using kernel 2.4.3.

To apply a patch:

patch -p0 < filename.patch
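A worked version of that step, added here as an example; it is not code from the thread, from Apache or from mod_authz_ldap. The usual reason a patch "won't apply" is the -p strip level: it tells patch how many leading path components of the file names in the diff headers to discard before looking for the file, so -p0 only works when those names are relative to the directory you run from. The script builds a scratch tree whose file is merely named like the thread's ssl_engine_kernel.c (placeholder contents, not Apache source), writes a constructed unified diff with a/ and b/ prefixes, probes the strip level with --dry-run, and only then applies the patch. It assumes GNU patch (the -d, -f, -i and --dry-run options).

```shell
#!/bin/sh
# Added example (not from the thread, Apache or mod_authz_ldap): find the -p
# strip level a patch needs before touching the tree. The tree and the diff
# are constructed placeholders; the file is only *named* like mod_ssl's
# ssl_engine_kernel.c.
set -e

# Build a scratch tree: <tmp>/httpd-2.0.39/modules/ssl/ssl_engine_kernel.c
make_tree() {
    dir=$(mktemp -d)
    mkdir -p "$dir/httpd-2.0.39/modules/ssl"
    printf 'int ssl_hook_Access(void) {\n    return 0;\n}\n' \
        > "$dir/httpd-2.0.39/modules/ssl/ssl_engine_kernel.c"
    echo "$dir"
}

# Write a constructed unified diff whose file names carry one leading
# directory component (a/, b/), as diffs made from a parent directory or by
# `git diff` do. Applied from the httpd root, such a diff needs -p1.
write_patch() {
    cat > "$1" <<'EOF'
--- a/modules/ssl/ssl_engine_kernel.c
+++ b/modules/ssl/ssl_engine_kernel.c
@@ -1,3 +1,4 @@
 int ssl_hook_Access(void) {
+    /* hypothetical authz hook inserted by the patch */
     return 0;
 }
EOF
}

# Probe strip levels 0..3 with --dry-run (no files written). -f suppresses
# the interactive "File to patch:" prompt when a name does not resolve, -s
# keeps patch quiet. Echoes the first level that applies cleanly, else fails.
find_strip_level() {
    root=$1; pfile=$2
    for n in 0 1 2 3; do
        if patch -d "$root" -p"$n" -f -s --dry-run -i "$pfile" >/dev/null 2>&1; then
            echo "$n"
            return 0
        fi
    done
    echo "no strip level 0..3 applies $pfile cleanly" >&2
    return 1
}

# Apply for real at the chosen level, keeping a .orig backup of the file (-b).
apply_patch() {
    root=$1; pfile=$2; n=$3
    patch -d "$root" -p"$n" -f -s -b -i "$pfile"
}

# Demo: what the thread's `patch -p0 < filename.patch` does, with the level
# chosen by probing instead of guessed.
tree=$(make_tree)
pfile=$(mktemp)
write_patch "$pfile"
level=$(find_strip_level "$tree/httpd-2.0.39" "$pfile")
echo "patch applies with -p$level"
apply_patch "$tree/httpd-2.0.39" "$pfile" "$level"
grep -n 'hypothetical authz hook' "$tree/httpd-2.0.39/modules/ssl/ssl_engine_kernel.c"
rm -rf "$tree" "$pfile"
```

-d makes patch change into the source root first, so the reported level is always relative to that root. If every level fails in the dry run, the diff was made against a different version of the file than the one in your tree and needs a real port (compare the context lines of the rejected hunk with your source), not a different -p.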

 
 
 

Apache with SSL Client Authentication; per-directory access based upon DN in certificates

Hi all.

I have set up an Apache server on OpenBSD, with SSL and SSL client
authentication using certificates.

The idea is that the DN of the end user's certificate will form the
basis for what he/she can or cannot see on the server.

Using the lines below in httpd.conf works fine:

<Location /project/>
    SSLVerifyClient require
    SSLVerifyDepth 2
    # mod_ssl's SSLRequire operators are lowercase (and, or, eq, !~), and
    # every continued line of the directive has to end in a backslash.
    SSLRequire %{SSL_CIPHER} !~ m/^(EXP|NULL)-/ \
               and (%{SSL_CLIENT_S_DN_O} eq "MYCOMPANY" \
                    or %{SSL_CLIENT_S_DN_O} eq "OTHERCOMPANY")
</Location>

...only end users who are employees of MYCOMPANY or OTHERCOMPANY will
be able to access the directory /project/; everyone else gets the 403
FORBIDDEN error.

Trouble is, if I, say, have *two* directories, /project/ and
/internal/, with the /internal/ conf being identical to the /project/
conf above (minus OTHERCOMPANY), *nothing* works: everyone is
suddenly able to access everything...

Any ideas?

TIA
Ken M.
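The two threads describe the same three checks on a client certificate: that it chains to the site's own CA (SSLVerifyClient require with the CA file), that the certificate exists in the LDAP directory (Sarath's mod_authz_ldap requirement), and that its subject O is allowed for the path (Ken's SSLRequire on SSL_CLIENT_S_DN_O). The script below is an added example, not code from either post, from mod_ssl or from mod_authz_ldap: it reproduces those checks offline with the openssl command line, so a certificate can be tested against the intended policy before it is handed to a browser. Everything in it is constructed: keys and certificates are generated into a scratch directory, the names alice, bob, carol, mallory, MYCOMPANY and OTHERCOMPANY are placeholders, and a plain file of fingerprints stands in for the directory's entries, since no LDAP server is reachable offline.

```shell
#!/bin/sh
# Added example, not code from either post, from mod_ssl or mod_authz_ldap.
# Offline equivalent of the checks the two threads want for a client cert:
#   1. it chains to the site's own CA        (SSLVerifyClient require + CA file)
#   2. its entry exists in the directory      (the LDAP existence check)
#   3. its subject O is allowed for the path  (SSLRequire on SSL_CLIENT_S_DN_O)
# All material below is constructed; a fingerprint file stands in for LDAP.
set -e

# SHA-256 fingerprint of a PEM certificate, used as the directory lookup key
# (cut handles both "SHA256 Fingerprint=" and OpenSSL 3's "sha256 ...").
fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# The value mod_ssl exposes as SSL_CLIENT_S_DN_O: the subject's O attribute.
subject_o() {
    openssl x509 -in "$1" -noout -subject -nameopt sep_multiline \
        | awk -F= '$1 ~ /^ *O$/ { print $2; exit }'
}

# Chain check, like SSLVerifyClient require + SSLVerifyDepth: the certificate
# must chain to cafile within depth (default 2). Exit status is the verdict.
verify_chain() {
    openssl verify -CAfile "$2" -verify_depth "${3:-2}" "$1" >/dev/null 2>&1
}

# Stand-in for the LDAP lookup: is exactly this certificate enrolled?
# (mod_authz_ldap searches the directory; here "$2" is a fingerprint file.)
in_directory() {
    grep -qxF "$(fingerprint "$1")" "$2"
}

# Per-path policy from the second post, as data instead of two near-identical
# SSLRequire lines: which subject O values may enter which location.
allowed_orgs() {
    case "$1" in
        /project/)  echo "MYCOMPANY OTHERCOMPANY" ;;
        /internal/) echo "MYCOMPANY" ;;
        *)          echo "" ;;
    esac
}

# One access decision; echoes allow or deny and always returns 0. Chain first,
# so a rogue-CA certificate carrying the "right" O never reaches the DN
# comparison; then directory membership; then the path policy.
authorize() {
    path=$1; cert=$2; cafile=$3; dirfile=$4
    if ! verify_chain "$cert" "$cafile" 2; then echo deny; return 0; fi
    if ! in_directory "$cert" "$dirfile"; then echo deny; return 0; fi
    org=$(subject_o "$cert")
    for allowed in $(allowed_orgs "$path"); do
        if [ "$org" = "$allowed" ]; then echo allow; return 0; fi
    done
    echo deny
}

# Constructed PKI in a scratch directory: the site's CA, two enrolled clients,
# one valid but never-enrolled client, and one with the same O from a rogue CA.
issue_ca() {   # issue_ca <dir> <name> <subject>
    openssl req -x509 -nodes -newkey rsa:2048 -days 30 -subj "$3" \
        -keyout "$1/$2.key" -out "$1/$2.crt" >/dev/null 2>&1
}
issue_cert() { # issue_cert <dir> <name> <subject> <ca-name>
    openssl req -nodes -newkey rsa:2048 -subj "$3" \
        -keyout "$1/$2.key" -out "$1/$2.csr" >/dev/null 2>&1
    openssl x509 -req -days 30 -in "$1/$2.csr" -CA "$1/$4.crt" \
        -CAkey "$1/$4.key" -CAcreateserial -out "$1/$2.crt" >/dev/null 2>&1
}
make_pki() {
    pki=$(mktemp -d)
    issue_ca   "$pki" ca      "/O=MYCOMPANY/CN=Site CA"
    issue_ca   "$pki" rogue   "/O=EVIL/CN=Rogue CA"
    issue_cert "$pki" alice   "/O=MYCOMPANY/CN=alice"   ca
    issue_cert "$pki" bob     "/O=OTHERCOMPANY/CN=bob"  ca
    issue_cert "$pki" carol   "/O=MYCOMPANY/CN=carol"   ca     # never enrolled
    issue_cert "$pki" mallory "/O=MYCOMPANY/CN=mallory" rogue  # wrong issuer
    { fingerprint "$pki/alice.crt"; fingerprint "$pki/bob.crt"; } > "$pki/directory.txt"
    echo "$pki"
}

# Demo: every client against both locations.
pki=$(make_pki)
for who in alice bob carol mallory; do
    for loc in /project/ /internal/; do
        printf '%-8s O=%-13s %-11s %s\n' "$who" "$(subject_o "$pki/$who.crt")" "$loc" \
            "$(authorize "$loc" "$pki/$who.crt" "$pki/ca.crt" "$pki/directory.txt")"
    done
done
rm -rf "$pki"
```

The order of the checks is the point: a DN comparison such as SSLRequire on SSL_CLIENT_S_DN_O is only meaningful once the handshake has already rejected certificates that do not chain to the configured CA (mallory here), and the directory lookup is what catches a certificate that is still cryptographically valid after its owner has been removed (carol). When two near-identical Location blocks behave differently in the real server, run the same certificate through this script to confirm the intended verdict, then check Apache's error log, where mod_ssl reports requests it denied for an unfulfilled SSLRequire expression.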
