Here is a short doc about how to authenticate Apache 2 users with X.509 client certificates and do the authorization against LDAP.

Requirements

Note: I made this test on Debian sid.

# apt-get install apache2-mpm-prefork libldap-dev libssl-dev apache2-threaded-dev

Build

Download the XAuthLDAP module (available here) and build it:

# ./configure --with-apxs=/usr/bin/apxs2 --with-ldap-dir=/usr --with-openssl=/usr
# make
# sudo make install

Configure

Note that apxs2 doesn't update my apache2.conf, so create the file /etc/apache2/mods-available/xauth.load containing:

LoadModule XLDAPAuth_module /usr/lib/apache2/modules/modXLDAPAuth.so

Usage

Apache config

        <Location /brack>
                SSLVerifyClient         require
                SSLVerifyDepth          5
                SSLOptions              +FakeBasicAuth +CompatEnvVars +StrictRequire +StdEnvVars +ExportCertData

                XLDAPAuthoritative      on
                XLDAPAuthServer         ldap.solaris-fr.org
                XLDAPAuthSuffix         "ou=Extranet,dc=solaris-fr,dc=org"
                XLDAPAuthFilter         "(&(host=brack)(CN=%{SSL_CLIENT_S_DN_CN}))"
                XLDAPAuthEnvName        "Brack authentication"
                XLDAPAuthRemoteUserAttr uid
        </Location>

LDIF

dn: cn=Bruno Bonfils,ou=Fimasys,ou=Extranet,dc=solaris-fr,dc=org
objectClass: account
objectClass: person
objectClass: top
cn: Bruno Bonfils
host: brack
sn: Bonfils
uid: asyd

Description

So, what happens?

  1. SSLVerifyClient require means that a user who wants access to the location /brack needs to present a certificate signed by the CA (the one pointed to by the SSLCACertificatePath or SSLCACertificateFile directive). SSLVerifyDepth is the number of sub-CAs allowed in the chain.
  2. If the user has such a certificate, mod_ssl provides some variables (full list available here).
  3. Then the module queries the LDAP directory. In my config I use Common Name filtering plus the host attribute, which allows me to add or remove authorization for a particular vhost/location very easily (the host attribute can, of course, be multivalued). XLDAPAuthRemoteUserAttr tells the module to use uid to fill the REMOTE_USER HTTP variable.
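To make the three steps above concrete, here is an added example (not part of the original doc and not the XAuthLDAP module's code) that simulates the authorization step in Python against an in-memory copy of the LDIF: it expands the %{SSL_CLIENT_S_DN_CN} reference in the XLDAPAuthFilter string from the mod_ssl environment, evaluates the resulting (&(host=...)(CN=...)) filter over the entries, and returns the uid that would become REMOTE_USER. The second LDIF entry, the SSL_CLIENT_VERIFY check and the "exactly one match" rule are this example's own assumptions; the module's real behaviour for duplicate matches is not described on the page.

```python
"""Simulate XLDAPAuth-style authorization: mod_ssl variables -> LDAP filter
-> entry lookup -> REMOTE_USER. Example code, not the module itself."""
import re

# Constructed LDIF: the entry from the doc plus a second, hypothetical entry
# that is authorized for two hosts (host is multivalued).
SAMPLE_LDIF = """\
dn: cn=Bruno Bonfils,ou=Fimasys,ou=Extranet,dc=solaris-fr,dc=org
objectClass: account
objectClass: person
objectClass: top
cn: Bruno Bonfils
host: brack
sn: Bonfils
uid: asyd

dn: cn=Example User,ou=Fimasys,ou=Extranet,dc=solaris-fr,dc=org
objectClass: account
objectClass: person
objectClass: top
cn: Example User
host: brack
host: other
sn: User
uid: example
"""

# Constructed environment of the kind mod_ssl exports with +StdEnvVars after
# a successful client-certificate verification.
MODSSL_ENV = {
    "SSL_CLIENT_VERIFY": "SUCCESS",
    "SSL_CLIENT_S_DN_CN": "Bruno Bonfils",
}

ASSERTION = re.compile(r"\(([^=()]+)=([^()]*)\)")


def parse_ldif(text):
    """Minimal LDIF parser (no line continuations, no '::' base64 values):
    returns a list of dicts mapping lowercased attribute names to value lists."""
    entries, current = [], None
    for line in text.splitlines():
        if not line.strip():           # blank line ends an entry
            if current:
                entries.append(current)
            current = None
            continue
        attr, _, value = line.partition(":")
        attr, value = attr.strip().lower(), value.strip()
        if attr == "dn":
            current = {"dn": [value]}
        elif current is not None:
            current.setdefault(attr, []).append(value)
    if current:
        entries.append(current)
    return entries


def expand_filter(template, env):
    """Replace every %{VAR} in an XLDAPAuthFilter-style string with env[VAR];
    raises KeyError if the certificate did not provide the variable."""
    return re.sub(r"%\{(\w+)\}", lambda m: env[m.group(1)], template)


def matches(entry, flt):
    """Evaluate a filter of the form (&(a=v)(b=w)...) against one entry.
    cn and host use caseIgnoreMatch in the standard schema, so values are
    compared case-insensitively (simplification: applied to all attributes)."""
    inner = re.fullmatch(r"\(&((?:\([^()]*\))+)\)", flt)
    if inner is None:
        raise ValueError("only AND-of-equality filters are supported here")
    for attr, value in ASSERTION.findall(inner.group(1)):
        values = entry.get(attr.strip().lower(), [])
        if not any(v.lower() == value.lower() for v in values):
            return False
    return True


def authorize(entries, env, filter_template, remote_user_attr="uid"):
    """Return the REMOTE_USER value for this request, or None to deny."""
    # SSLVerifyClient require already enforces this; checked again so the
    # LDAP lookup never runs on an unverified subject DN.
    if env.get("SSL_CLIENT_VERIFY") != "SUCCESS":
        return None
    try:
        flt = expand_filter(filter_template, env)
    except KeyError:
        return None
    hits = [e for e in entries if matches(e, flt)]
    # Exactly one entry must match: zero means no authorization for this
    # host, several would make REMOTE_USER ambiguous (this example's rule).
    if len(hits) != 1:
        return None
    return hits[0].get(remote_user_attr.lower(), [None])[0]


if __name__ == "__main__":
    directory = parse_ldif(SAMPLE_LDIF)
    for host in ("brack", "other"):
        flt = "(&(host=%s)(CN=%%{SSL_CLIENT_S_DN_CN}))" % host
        print(host, "->", authorize(directory, MODSSL_ENV, flt))
```

Running it shows the effect of the host attribute: the certificate for "Bruno Bonfils" yields REMOTE_USER asyd on the brack location but is denied on a hypothetical "other" location, while the second entry, carrying both host values, is accepted on both; adding or removing a host value on the entry is all that changes a user's authorization for a location.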