Here is a little doc about how to authenticate apache2 users with X509 certificates and do the authorization against LDAP.

==== Requirements ====

**Note:** I made this test with a Debian sid.

<code>
# apt-get install apache2-mpm-prefork libldap-dev libssl-dev apache2-threaded-dev
</code>

==== Build ====

Download the module XAuthLDAP (available [[http://www.urec.cnrs.fr/Distributions/modXLdapAuth/|here]]) and build it:

<code>
# ./configure --with-apxs=/usr/bin/apxs2 --with-ldap-dir=/usr --with-openssl=/usr
# make
# sudo make install
</code>

==== Configure ====

Note that apxs2 doesn't update my apache2.conf, so create a file ///etc/apache2/mods-available/xauth.load// with:

<code>
LoadModule XLDAPAuth_module /usr/lib/apache2/modules/modXLDAPAuth.so
</code>

==== Usage ====

//Apache config//

<code>
SSLVerifyClient require
SSLVerifyDepth 5
SSLOptions +FakeBasicAuth +CompatEnvVars +StrictRequire +StdEnvVars +ExportCertData
XLDAPAuthoritative on
XLDAPAuthServer ldap.solaris-fr.org
XLDAPAuthSuffix "ou=Extranet,dc=solaris-fr,dc=org"
XLDAPAuthFilter "(&(host=brack)(CN=%{SSL_CLIENT_S_DN_CN}))"
XLDAPAuthEnvName "Brack authentication"
XLDAPAuthRemoteUserAttr uid
</code>

//LDIF//

<code>
dn: cn=Bruno Bonfils,ou=Fimasys,ou=Extranet,dc=solaris-fr,dc=org
objectClass: account
objectClass: person
objectClass: top
cn: Bruno Bonfils
host: brack
sn: Bonfils
uid: asyd
</code>

==== Description ====

So, what happens?

  - ''SSLVerifyClient require'' means that a user who wants access to the location /brack needs to present a certificate signed by the CA (the one pointed to by the ''SSLCACertificatePath'' or ''SSLCACertificateFile'' directive). ''SSLVerifyDepth'' is the maximum number of intermediate (sub-)CA certificates allowed in the chain.
  - If the user presents such a certificate, mod_ssl exports a set of environment variables describing it (full list available [[http://httpd.apache.org/docs/2.0/mod/mod_ssl.html#envvars|here]]).
  - Then the module queries the LDAP directory. In my config I filter on the certificate's Common Name plus the ''host'' attribute, which lets me add or remove authorization for a particular vhost/location simply by editing the entry (the ''host'' attribute can of course be multivalued).

''XLDAPAuthRemoteUserAttr'' tells the module to use the ''uid'' attribute to fill the REMOTE_USER variable.
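The authorization step described above, modelled offline as an added example (this is not code from the module or from the original page): it parses a small LDIF, builds the same ''(&(host=...)(CN=...))'' filter from the verified certificate's CN, and returns the matched entry's ''uid'' as REMOTE_USER. The second LDIF entry (with a multivalued ''host'') and the RFC 4515 escaping helper are constructed here to show the multi-vhost case and how a filter value taken from a certificate field should be escaped; whether modXLDAPAuth escapes the substituted CN itself is not stated on the page, so that is worth checking in a deployment.

```python
"""Offline model of the cert-CN + host-attribute authorization described above.

Constructed example: mod_ssl has already verified the client certificate and
exposed SSL_CLIENT_S_DN_CN; the module then searches LDAP with
(&(host=<vhost>)(CN=<cn>)) and uses the matched entry's uid as REMOTE_USER.
"""
from typing import Dict, List, Optional

# Constructed LDIF: the page's entry plus a second constructed account whose
# multivalued host attribute authorizes it for two vhosts.
SAMPLE_LDIF = """\
dn: cn=Bruno Bonfils,ou=Fimasys,ou=Extranet,dc=solaris-fr,dc=org
objectClass: account
objectClass: person
objectClass: top
cn: Bruno Bonfils
host: brack
sn: Bonfils
uid: asyd

dn: cn=Example Two,ou=Fimasys,ou=Extranet,dc=solaris-fr,dc=org
objectClass: account
objectClass: person
objectClass: top
cn: Example Two
host: brack
host: intranet
sn: Two
uid: extwo
"""


def parse_ldif(text: str) -> List[Dict[str, List[str]]]:
    """Parse minimal LDIF (no line folding, no base64) into entries of multivalued attributes."""
    entries: List[Dict[str, List[str]]] = []
    current: Dict[str, List[str]] = {}
    for line in text.splitlines():
        if not line.strip():          # blank line separates entries
            if current:
                entries.append(current)
                current = {}
            continue
        attr, _, value = line.partition(":")
        # LDAP attribute names are case-insensitive; normalise to lower case
        current.setdefault(attr.strip().lower(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515, section 3)."""
    out = []
    for ch in value:
        if ch in "\\*()" or ord(ch) == 0:
            out.append("\\%02x" % ord(ch))   # e.g. '*' -> '\2a', ')' -> '\29'
        else:
            out.append(ch)
    return "".join(out)


def build_filter(host: str, cn: str) -> str:
    """Build the same filter shape as the page's XLDAPAuthFilter, with the CN escaped."""
    return "(&(host=%s)(CN=%s))" % (escape_filter_value(host), escape_filter_value(cn))


def authorize(entries: List[Dict[str, List[str]]], host: str, cn: str) -> Optional[str]:
    """Return the uid to place in REMOTE_USER, or None if no single entry matches.

    Mirrors the LDAP search: cn must equal the certificate CN (case-insensitive,
    as LDAP cn matching is) and host must be one of the entry's host values.
    Exactly one match is required, as with a uniquely identifying filter.
    """
    matches = [
        e for e in entries
        if cn.lower() in (v.lower() for v in e.get("cn", []))
        and host.lower() in (v.lower() for v in e.get("host", []))
    ]
    if len(matches) != 1:
        return None
    uids = matches[0].get("uid", [])
    return uids[0] if uids else None


if __name__ == "__main__":
    directory = parse_ldif(SAMPLE_LDIF)
    for vhost, cert_cn in [("brack", "Bruno Bonfils"), ("intranet", "Bruno Bonfils"),
                           ("intranet", "Example Two")]:
        print(build_filter(vhost, cert_cn), "->", authorize(directory, vhost, cert_cn))
```

Running it shows the first account authorized for ''brack'' only while the constructed second account is authorized for both vhosts, which is the add/remove-by-editing-''host'' behaviour the description relies on.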