A short note on authenticating Apache2 users with X.509 client certificates and authorizing them against LDAP.
====Requirements====
**Note:** I made this test on Debian sid.
# apt-get install apache2-mpm-prefork libldap-dev libssl-dev apache2-threaded-dev
====Build====
Download the modXLDAPAuth module (available [[http://www.urec.cnrs.fr/Distributions/modXLdapAuth/|here]]) and build it:
# ./configure --with-apxs=/usr/bin/apxs2 --with-ldap-dir=/usr --with-openssl=/usr
# make
# sudo make install
====Configure====
Note that apxs2 does not add a LoadModule line to apache2.conf on Debian, so create the file ///etc/apache2/mods-available/xauth.load// containing the line below, then enable it with a2enmod xauth:
LoadModule XLDAPAuth_module /usr/lib/apache2/modules/modXLDAPAuth.so
====Usage====
//Apache config//
SSLVerifyClient require
SSLVerifyDepth 5
SSLOptions +FakeBasicAuth +CompatEnvVars +StrictRequire +StdEnvVars +ExportCertData
XLDAPAuthoritative on
XLDAPAuthServer ldap.solaris-fr.org
XLDAPAuthSuffix "ou=Extranet,dc=solaris-fr,dc=org"
XLDAPAuthFilter "(&(host=brack)(CN=%{SSL_CLIENT_S_DN_CN}))"
XLDAPAuthEnvName "Brack authentication"
XLDAPAuthRemoteUserAttr uid
//LDIF//
dn: cn=Bruno Bonfils,ou=Fimasys,ou=Extranet,dc=solaris-fr,dc=org
objectClass: account
objectClass: person
objectClass: top
cn: Bruno Bonfils
host: brack
sn: Bonfils
uid: asyd
====Description====
So, what happens?
- SSLVerifyClient require means that a client who wants to reach the protected location (/brack in this setup) must present a certificate signed by one of the CAs pointed to by SSLCACertificatePath or SSLCACertificateFile; otherwise the request is refused before the module is ever consulted. SSLVerifyDepth is the maximum chain length mod_ssl accepts between the client certificate and a trusted CA (0 accepts only self-signed client certificates, 1 accepts certificates issued directly by a known CA, and so on, so it bounds the number of sub-CAs allowed).
- When the client presents such a certificate, mod_ssl exports its fields as environment variables (full list available [[http://httpd.apache.org/docs/2.0/mod/mod_ssl.html#envvars|here]]); with +StdEnvVars, SSL_CLIENT_S_DN_CN holds the Common Name of the certificate subject.
- The module then queries the LDAP server. In this configuration the filter combines the Common Name taken from the certificate with the host attribute, so authorization for a particular vhost/location is granted or revoked simply by adding or removing a host value in the user's entry; host is multi-valued, so one entry can be authorized for several hosts at once. XLDAPAuthRemoteUserAttr tells the module to fill the REMOTE_USER variable with the uid attribute of the matching entry.

Two caveats. First, the filter matches on whatever CN the certificate carries, so every CA accepted by SSLCACertificateFile must be trusted to issue unique CNs: a certificate from any of those CAs with the same CN would be authorized as that user. Second, the CN is interpolated into an LDAP filter, and the characters *, (, ) and \ are filter metacharacters (RFC 4515); they must be escaped before interpolation unless the module already does so, otherwise a CN of * would match every entry for the given host.
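As an added example (not part of the original page and not the code of modXLDAPAuth itself), the following Python script simulates the authorization step described above: it builds the filter (&(host=...)(cn=...)) from the page's configuration with the client CN escaped per RFC 4515, evaluates it against a small in-memory copy of the directory (the page's entry plus a constructed second entry whose host attribute is multi-valued), and shows what an unescaped CN would do. The directory contents, the second user and the escaping behaviour are assumptions made for the example; the page does not say how the module builds its own filter.

```python
"""Offline simulation of the X.509 CN + host LDAP authorization step.

Added example, not code from the page or from modXLDAPAuth. The directory
below is constructed for the example: the first entry is the page's LDIF,
the second ("Jane Doe") is an assumed user authorized for two hosts.
"""
import re

# Constructed sample directory (attribute names lower-cased, values as lists
# because LDAP attributes are multi-valued).
DIRECTORY = [
    {
        "dn": "cn=Bruno Bonfils,ou=Fimasys,ou=Extranet,dc=solaris-fr,dc=org",
        "cn": ["Bruno Bonfils"],
        "host": ["brack"],
        "uid": ["asyd"],
    },
    {   # assumed entry: one user authorized for two vhosts via host=
        "dn": "cn=Jane Doe,ou=Fimasys,ou=Extranet,dc=solaris-fr,dc=org",
        "cn": ["Jane Doe"],
        "host": ["brack", "intranet"],
        "uid": ["jdoe"],
    },
]

# RFC 4515 escapes for characters that have meaning inside a filter.
_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}


def escape_filter_value(value: str) -> str:
    """Escape a value so it is matched literally when put into a filter."""
    return "".join(_ESCAPES.get(c, c) for c in value)


def build_filter(host: str, client_cn: str) -> str:
    """The filter from the Apache config, with SSL_CLIENT_S_DN_CN escaped."""
    return f"(&(host={escape_filter_value(host)})(cn={escape_filter_value(client_cn)}))"


def _unescape(s: str) -> str:
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), s)


def _pattern_to_regex(pattern: str) -> re.Pattern:
    # An unescaped '*' is a substring wildcard; escaped bytes become literals.
    # cn and host use case-insensitive matching rules in the standard schema.
    parts = [re.escape(_unescape(p)) for p in pattern.split("*")]
    return re.compile(".*".join(parts), re.IGNORECASE)


def _split_items(body: str) -> list:
    """Split "(a=v)(b=w)" into ["a=v", "b=w"] (escaped parens do not count)."""
    items, depth, start = [], 0, 0
    for i, ch in enumerate(body):
        if ch == "(":
            if depth == 0:
                start = i
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth == 0:
                items.append(body[start + 1:i])
    return items


def matches(entry: dict, ldap_filter: str) -> bool:
    """Evaluate a filter of the form (&(a=v)(b=w)...) or (a=v) against one entry."""
    if not (ldap_filter.startswith("(") and ldap_filter.endswith(")")):
        raise ValueError("malformed filter")
    inner = ldap_filter[1:-1]
    items = _split_items(inner[1:]) if inner.startswith("&") else [inner]
    for item in items:
        attr, _, pattern = item.partition("=")
        rx = _pattern_to_regex(pattern)
        if not any(rx.fullmatch(v) for v in entry.get(attr.lower(), [])):
            return False
    return True


def authorize(directory: list, host: str, client_cn: str, escape: bool = True):
    """Return the uid that would become REMOTE_USER, or None if unauthorized.

    escape=False pastes the CN into the filter verbatim, to show the effect
    of a CN containing filter metacharacters if no escaping is done.
    """
    cn = escape_filter_value(client_cn) if escape else client_cn
    ldap_filter = f"(&(host={escape_filter_value(host)})(cn={cn}))"
    for entry in directory:
        if matches(entry, ldap_filter):
            return entry["uid"][0]
    return None


if __name__ == "__main__":
    print(build_filter("brack", "Bruno Bonfils"))
    print("brack/Bruno Bonfils   ->", authorize(DIRECTORY, "brack", "Bruno Bonfils"))
    print("intranet/Bruno Bonfils ->", authorize(DIRECTORY, "intranet", "Bruno Bonfils"))
    print("intranet/Jane Doe     ->", authorize(DIRECTORY, "intranet", "Jane Doe"))
    print("brack/* escaped       ->", authorize(DIRECTORY, "brack", "*"))
    print("brack/* unescaped     ->", authorize(DIRECTORY, "brack", "*", escape=False))
```

Running it shows the intended behaviour (Bruno Bonfils is authorized on brack but not on intranet, Jane Doe on both thanks to the multi-valued host attribute) and the failure mode: a certificate whose CN is a bare * matches the first brack user when the CN is not escaped, and matches nobody when it is.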