Apache with SSL Client Authentication; per-directory access based upon DN in certificates

Post by Ken » Thu, 14 Jun 2001 20:50:23

Hi all.

Have set up an Apache server in OpenBSD, with SSL and SSL client
authentication using certificates.

The idea is that the DN of the end user's certificate will form the
basis for what he/she can or cannot see on the server.

Using the lines below in httpd.conf works fine:
<Location /project/>
SSLVerifyClient require
SSLVerifyDepth 2
SSLRequire %{SSL_CIPHER} !~ m/^(EXP|NULL)-/ \
            and  (%{SSL_CLIENT_S_DN_O} eq "MYCOMPANY" or \
                  %{SSL_CLIENT_S_DN_O} eq "OTHERCOMPANY")
</Location>

...only end users who are employees in MYCOMPANY or OTHERCOMPANY will
be able to access the directory /project/ ; everyone else gets the 403
FORBIDDEN error.

Trouble is, if I, say, have *two* directories, /projects/ and
/internal/, with the /internal/ conf being identical to the /project/
conf above, (minus OTHERCOMPANY) *nothing* works - everyone is
suddenly able to access everything...

Any ideas?

TIA
Ken M.
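An added example, not Ken's configuration, of how two directories can each carry their own DN-based rule inside one SSL virtual host. The file paths, the vhost address and the second Location's policy are assumptions chosen for illustration; the `SSL_CLIENT_S_DN_O` variable and the cipher check are the ones from the post. The operator keywords in SSLRequire are written in lowercase (`and`, `or`), which is the spelling mod_ssl documents.

```apache
# Added example (not from the original post): per-directory DN policies.
# Assumed paths; replace with the server's own certificate and CA files.
<VirtualHost _default_:443>
    SSLEngine on
    SSLCertificateFile    /etc/ssl/server.crt
    SSLCertificateKeyFile /etc/ssl/server.key
    SSLCACertificateFile  /etc/ssl/ca/chain.pem

    # Require a client certificate for the whole vhost, so no Location
    # ever serves an unauthenticated session by accident.
    SSLVerifyClient require
    SSLVerifyDepth 2

    # Every protected directory needs its own SSLRequire; a Location with
    # only SSLVerifyClient admits any certificate the CA has signed.
    <Location /project/>
        # StrictRequire makes an SSLRequire denial final even if a
        # "Satisfy any" elsewhere would otherwise let the request through.
        SSLOptions +StrictRequire
        SSLRequire %{SSL_CIPHER} !~ m/^(EXP|NULL)-/ \
                   and (%{SSL_CLIENT_S_DN_O} eq "MYCOMPANY" \
                        or %{SSL_CLIENT_S_DN_O} eq "OTHERCOMPANY")
    </Location>

    # Assumed policy: /internal/ is limited to MYCOMPANY certificates.
    <Location /internal/>
        SSLOptions +StrictRequire
        SSLRequire %{SSL_CIPHER} !~ m/^(EXP|NULL)-/ \
                   and %{SSL_CLIENT_S_DN_O} eq "MYCOMPANY"
    </Location>
</VirtualHost>
```

Keeping SSLVerifyClient at the vhost level also avoids the TLS renegotiation mod_ssl performs when the verification requirement changes inside a Location. After editing, run `apachectl configtest` before restarting, and test each directory with a certificate from each organisation (and one from an unrelated CA) to confirm that every path returns 403 for the DNs it should reject.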


Apache 2.0.39 + ssl + ldap with client certificate authentication

Dear group,
Has anybody tried doing ldap client certificate authentication for an apache
2.0.39 ssl server?

Our environment is:
RedHat linux 7.1 kernel 2.4.x
apache 2.0.39 (inc. mod_ssl)
openssl-engine-0.9.6g
openldap (on a different redhat linux server)

The apache website has a verisign server certificate, a self-signed CA
certificate, and all clients have certificates in the ldap server signed by
this CA.

When clients present their certificate to browse the Apache secure site,
Apache should check the existence of their certificate in the LDAP server
and also the validity of the contents of the certificate presented.

Kindly provide some direction to any solution or resources related to this
issue.

Any help would be highly appreciated.

TIA
Sarath
