Certificates *or* host-based authorization

on 12.09.2002 22:31:56 by Garrett Wollman

Can anyone explain to me why the following doesn't work:

satisfy any
#
# 500 error and nothing in the error log unless AuthType
# is also set -- even though we're not using that sort of
# authentication.
#
AuthType basic

order deny,allow
deny from all
# allow from a bunch of addresses


SSLRequire %{SSL_CLIENT_I_DN_O} eq "MIT Laboratory for Computer Science"
#SSLOptions +FakeBasicAuth


There is an SSLRequireSSL in the SSL vhost section of the main config
file, but the results seem to be the same both with and without. The
version I am using is apache+mod_ssl-1.3.26+2.8.10 with system OpenSSL
0.9.6e.

In case it's not obvious, this is intended to allow anyone with a
certificate issued by our CA (when using SSL) or certain local
addresses (when not using SSL). FakeBasicAuth is not useful to us in
this situation as the whole purpose of doing the certificate thing is
to avoid us having to distinguish or keep track of individual users.

-GAWollman
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org

Re: Certificates *or* host-based authorization

on 13.09.2002 16:26:34 by Ron Gedye

I have authentication set up based on certificates using 1.3.26, mod_ssl
2.8.10 & OpenSSL 0.9.7-beta2 without a problem (other than the loss of
hair while initially figuring it out).

But even with my statements below I cannot get the auth to override the
cert-based auth and allow by IP as my statements are designed to do.

Any insight would be helpful.

Alias /private "/home/httpd/private"


SSLVerifyClient require
SSLVerifyDepth 10
SSLOptions +FakeBasicAuth +StrictRequire



SSLVerifyClient require
SSLVerifyDepth 10
SSLOptions +FakeBasicAuth +StrictRequire
SSLRequire ( \
%{REMOTE_ADDR} =~ m/^xxx\.xxx\.xxx\.xxx/ or \
%{REMOTE_ADDR} =~ m/^xxx\.xxx\.xxx\.xxx/ or \
%{REMOTE_ADDR} =~ m/^xxx\.xxx\.xxx\.xxx/ ) \
or \
( %{SSL_CLIENT_S_DN_O} eq "MyOrg" and \
%{SSL_CLIENT_S_DN_OU} in {"AuthOU1", "AuthOU2"}\
or \
%{SSL_CLIENT_S_DN_O} eq "MyOrg" and \
%{SSL_CLIENT_S_DN_CN} eq "AdminName" )


Garrett Wollman wrote:

> Can anyone explain to me why the following doesn't work:
>
> satisfy any
> #
> # 500 error and nothing in the error log unless AuthType
> # is also set -- even though we're not using that sort of
> # authentication.
> #
> AuthType basic
>
> order deny,allow
> deny from all
> # allow from a bunch of addresses
>
>
> SSLRequire %{SSL_CLIENT_I_DN_O} eq "MIT Laboratory for Computer Science"
> #SSLOptions +FakeBasicAuth
>
>
> There is an SSLRequireSSL in the SSL vhost section of the main config
> file, but the results seem to be the same both with and without. The
> version I am using is apache+mod_ssl-1.3.26+2.8.10 with system OpenSSL
> 0.9.6e.
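Both posts want the same decision, "a certificate from our CA or a request from a listed address", and both try to get it by stacking mod_ssl directives on top of mod_access ones. The configuration below is an editor's added example, not code from either poster. It puts the address test and the certificate test inside a single SSLRequire expression, so that one access check makes the decision, and it uses SSLVerifyClient optional rather than require: with require, a client that presents no certificate is rejected during the TLS handshake, before any per-request directive such as SSLRequire is evaluated, so an address-based exception written inside SSLRequire can never fire for that client. SSLCACertificateFile is what gives the issuer-DN string test its teeth: a client certificate whose chain does not verify against that file fails the handshake and never reaches the string compare. The /private location, the certificate and CA file paths, and the addresses 10.0.0.0/24 and 192.0.2.7 are assumptions for illustration; the issuer organisation string is the one from the first post. For the split layout in the first post, where the address-based clients arrive over plain HTTP, the address rule belongs in the port-80 vhost as ordinary mod_access directives and the SSL vhost needs only the certificate rule; that alternative is shown second.

```apache
# Added example (editor's, not from either post). Assumed values: the
# /private location, the certificate and CA paths, and the addresses
# 10.0.0.0/24 and 192.0.2.7. Apache 1.3 / mod_ssl 2.8 syntax.

# --- Layout A: one SSL vhost, "certificate OR address", both over SSL ---
<VirtualHost _default_:443>
    SSLEngine on
    SSLCertificateFile    /etc/httpd/ssl/server.crt
    SSLCertificateKeyFile /etc/httpd/ssl/server.key

    # Only certificates that chain to this CA survive the handshake, so the
    # issuer-DN string test below is backed by a real signature check.
    SSLCACertificateFile  /etc/httpd/ssl/our-ca.crt
    SSLVerifyDepth        2

    Alias /private "/home/httpd/private"
    <Location /private>
        # "optional": a client with no certificate completes the handshake
        # and reaches SSLRequire, where its address can still admit it.
        # "require" would have closed the connection during the handshake.
        SSLVerifyClient optional

        # Do not let a "Satisfy any" elsewhere in the config override a
        # denial decided by this SSLRequire.
        SSLOptions +StrictRequire

        # Anchor the address patterns: m/^192\.0\.2\.7/ without "$" would
        # also match 192.0.2.70 through 192.0.2.79.
        # SSL_CLIENT_VERIFY is "NONE" for a cert-less client and "SUCCESS"
        # only when the presented chain verified against the CA file.
        SSLRequire (   %{REMOTE_ADDR} =~ m/^10\.0\.0\.[0-9]+$/ \
                    or %{REMOTE_ADDR} =~ m/^192\.0\.2\.7$/ ) \
                   or ( %{SSL_CLIENT_VERIFY} eq "SUCCESS" \
                        and %{SSL_CLIENT_I_DN_O} eq "MIT Laboratory for Computer Science" )
    </Location>
</VirtualHost>

# --- Layout B (alternative to A, do not load both): address-based clients
#     over plain HTTP, certificate clients over SSL --------------------------
<VirtualHost _default_:80>
    Alias /private "/home/httpd/private"
    <Location /private>
        # Plain mod_access; no Satisfy, no AuthType, nothing for mod_ssl to do.
        Order deny,allow
        Deny from all
        Allow from 10.0.0.0/24
        Allow from 192.0.2.7
    </Location>
</VirtualHost>

<VirtualHost _default_:443>
    SSLEngine on
    SSLCertificateFile    /etc/httpd/ssl/server.crt
    SSLCertificateKeyFile /etc/httpd/ssl/server.key
    SSLCACertificateFile  /etc/httpd/ssl/our-ca.crt
    SSLVerifyDepth        2

    Alias /private "/home/httpd/private"
    <Location /private>
        # Every client here must present a certificate that chains to our
        # CA; the issuer test then narrows it to that CA's organisation.
        SSLVerifyClient require
        SSLOptions +StrictRequire
        SSLRequire %{SSL_CLIENT_I_DN_O} eq "MIT Laboratory for Computer Science"
    </Location>
</VirtualHost>
```

Neither layout uses FakeBasicAuth, AuthType or an AuthUserFile, so no per-user record is kept: the decision rests on chain verification against SSLCACertificateFile plus the issuer organisation, or on the source address. If a single Location must serve both port 80 and port 443 (the first post's situation), layout B keeps the two rules in separate vhosts instead of asking Satisfy any to reconcile a mod_access denial with a mod_ssl one.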