Author: Müller Johannes Date: To: dev Subject: Re: Client authorization against LDAP using client certificates
Well, this would require quite big changes to all authentication modules, i guess.
I think, the better way would be to skip authentication completely in mod_auth_basic in case the user is set in the request object, because the user is already authenticated somehow through mod_ssl.
-----Ursprüngliche Nachricht-----
Von: Graham Leggett [mailto:minfrin@???]
Gesendet: Freitag, 4. Juli 2008 11:14
An: dev@???
Betreff: Re: Client authorization against LDAP using client certificates
Müller Johannes wrote:
> we want to use client authorization against LDAP using client certificates on Apache webserver 2.2.
> Unfortunately this is not possible with Apache webserver at the current state of development.
> There have been third party modules (ModXAuthLDAP, mod_authz_ldap) in the past which did this task quite well.
> But they haven't been updated for years and therefore do not work with httpd newer than 2.0.
> Therefore my company has put some effort in developing a reasonable solution for its needs.
I think the thing that is missing is that the FakeBasicAuth option
within mod_ssl should flag the request to say that a password isn't
necessary.
mod_authnz_ldap (and others) should then be taught to recognise this
flag within the request, and not test the password if this is the case.
