Here a little doc about how to authenticate apache2 users with X509 certificates and doing LDAP authorization.

====Requirements====
**Note:** I made this test with a Debian sid.

<code>
# apt-get install apache2-mpm-prefork libldap-dev libssl-dev apache2-threaded-dev
</code>

====Build====

Download the module XAuthLDAP (available [[http://www.urec.cnrs.fr/Distributions/modXLdapAuth/|here]]) and build it :

<code>
# ./configure --with-apxs=/usr/bin/apxs2 --with-ldap-dir=/usr --with-openssl=/usr
# make
# sudo make install
</code>

====Configure====

Note that apxs2 doesn't update my apache2.conf, so create a file ///etc/apache2/mods-available/xauth.load// with :

<code>
LoadModule XLDAPAuth_module /usr/lib/apache2/modules/modXLDAPAuth.so
</code>

====Usage====

//Apache config//
<code>
        <Location /brack>
                SSLVerifyClient         require
                SSLVerifyDepth          5
                SSLOptions              +FakeBasicAuth +CompatEnvVars +StrictRequire +StdEnvVars +ExportCertData

                XLDAPAuthoritative      on
                XLDAPAuthServer         ldap.solaris-fr.org
                XLDAPAuthSuffix         "ou=Extranet,dc=solaris-fr,dc=org"
                XLDAPAuthFilter         "(&(host=brack)(CN=%{SSL_CLIENT_S_DN_CN}))"
                XLDAPAuthEnvName        "Brack authentication"
                XLDAPAuthRemoteUserAttr uid
        </Location>
</code>

//LDIF//

<code>
dn: cn=Bruno Bonfils,ou=Fimasys,ou=Extranet,dc=solaris-fr,dc=org
objectClass: account
objectClass: person
objectClass: top
cn: Bruno Bonfils
host: brack
sn: Bonfils
uid: asyd
</code>

====Description====

So, what happens ? 

   - The SSLVerifyClient mean the user who want access to location /brack need to have a certificate signed  by the CA (the one pointed by the directive SSLCACertificatePath or SSLCACertificateFile). The SSLVerifyDepth is the number of subCA allowed. 
   - If the user have such certificate, the mod_ssl provides some variables (full list available  [[http://httpd.apache.org/docs/2.0/mod/mod_ssl.html#envvars|here]]). 
   - Then, the module which query the LDAP, in my config I use the Common Name filtering plus the host attribut, which allow  me to add/remove authorization for a particular vhost/location in a very easy way (for sure, host attribute can be multivalued). The XLDAPAuthRemoteUserAttr tell the module to use uid to fill the REMOTE_USER HTTP variable.