certificate authentication & alternate authentication & REMOTE_USER variable
on 14.02.2003 13:24:43 by Sophia Petridou

Hi all,

SERVER: Apache 1.3.27 + mod_ssl/2.8.12

My problem:
I want to authenticate clients of my domain based on certificates
and obtain my users' usernames. I try using the two methods mentioned
in http://www.modssl.org/docs/2.8/ssl_howto.html#ToC9
but they don't seem to be completely equivalent.

Specifically, when I try without SSLRequire and load an authentication
module such as mod_auth_ldap or mod_auth_mysql (in order to offer
an alternate authentication schema - Satisfy any), in the browser,
a dialog window appears asking for Username/Password just after the
window for choosing the certificate.

This window (asking for username/password) does not appear
1. when I use SSLRequire directive and load other modules (but
   REMOTE_USER variable is empty) and
2. when I use AuthUserFile directive and don't load the modules (but I
   can't offer alternate authentication)

Apache configuration
------------------------
#LoadModule ldap_auth_module libexec/mod_auth_ldap.so
SSLCACertificatePath /etc/apache/conf/ssl.crt
SSLCACertificateFile /etc/apache/conf/ssl.crt/ca-bundle.crt
SSLVerifyClient 0
<Directory "/apache/secure/area">
    AllowOverride None
    Options None
    Order deny,allow
    Deny from all
    Allow from localnetwork
    SSLVerifyClient require
    SSLVerifyDepth 2
    SSLOptions +FakeBasicAuth +StdEnvVars
    SSLRequireSSL
    #SSLRequire %{SSL_CLIENT_S_DN_O} eq "My Organization" and \
    #           %{SSL_CLIENT_S_DN_OU} eq "My Departement"
    AuthName "Certificate Authentication"
    AuthType Basic
    AuthUserFile /path/to/httpd.passwd
    require valid-user
    #Satisfy any
    #AuthType Basic
    #AuthName "LDAP Authentication"
    #LDAP_Server MyLdapServer
    #LDAP_Port 389
    #Base_DN "o=MyOrganization,c=GR"
    #UID_Attr uid
    #require valid-user
</Directory>

thanks in advance
-sophia

____________________________________________________________ __________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org
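
Added example (not part of the original post and not mod_ssl code): a Python model of what SSLOptions +FakeBasicAuth does with a verified client certificate, following the mod_ssl documentation: the subject DN in one-line form becomes the Basic user name, the password is always "password", and the AuthUserFile must hold that DN with the fixed crypt string. The function names, the sample DN and the simplified remote_user() check are assumptions made for illustration.

```python
import base64

# Per the mod_ssl documentation for SSLOptions +FakeBasicAuth: the user name is
# the client certificate's subject DN in one-line form, the password is always
# the literal "password", and its crypt form in AuthUserFile is this constant.
FAKE_PASSWORD = "password"
FAKE_PASSWORD_CRYPT = "xxj31ZMTZzkVA"


def one_line_dn(rdns):
    """Render [(attr, value), ...] as /ATTR=value/ATTR=value."""
    dn = "".join(f"/{attr}={value}" for attr, value in rdns)
    if ":" in dn:
        # Basic credentials and passwd lines both split at the first colon.
        raise ValueError("subject DN with ':' cannot be used as a Basic user name")
    return dn


def passwd_entry(dn):
    """Line to place in the AuthUserFile for this certificate subject."""
    return f"{dn}:{FAKE_PASSWORD_CRYPT}"


def fake_authorization(dn):
    """Authorization header value synthesized for a verified certificate."""
    token = base64.b64encode(f"{dn}:{FAKE_PASSWORD}".encode("utf-8"))
    return "Basic " + token.decode("ascii")


def remote_user(authorization, passwd_lines):
    """Simplified model of a file-based Basic check (assumption, not Apache code).

    Returns the user name that would become REMOTE_USER, or None where the
    server would answer 401 and the browser would show a password dialog.
    """
    scheme, _, token = authorization.partition(" ")
    if scheme != "Basic":
        return None
    user, _, password = base64.b64decode(token).decode("utf-8").partition(":")
    stored = dict(line.split(":", 1) for line in passwd_lines if ":" in line)
    if password == FAKE_PASSWORD and stored.get(user) == FAKE_PASSWORD_CRYPT:
        return user
    return None


# Constructed sample subject, reusing the O/OU values from the configuration.
SAMPLE_DN = one_line_dn([("C", "GR"), ("O", "My Organization"),
                         ("OU", "My Departement"), ("CN", "Constructed User")])
```

In this model, a user store that has no entry for the full DN returns None, which corresponds to the 401 response that makes a browser ask for a username and password.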