I’m trying to configure my Apache server for HTTPS authentication with client certificates, using LDAP as my user directory.
What I want is for Apache to ask users to authenticate with a certificate (so without a login/password) and then check it in LDAP: if the certificate provided by the user is valid, Apache returns “it works”; otherwise it returns a 401 Authorization Required.
What I have done so far: secure the connection between users and Apache and between Apache and LDAP. The user also provides his certificate to Apache when he tries to authenticate. My problem is that the user provides a certificate to Apache, but Apache doesn’t check whether the certificate provided by the user matches the one associated with the user in the LDAP directory.
Here is my configuration file:
```apache
<VirtualHost *:443>
    SSLEngine on
    # Server key and certificate presented to clients
    SSLCertificateKeyFile "C:/Program Files (x86)/Apache Software Foundation/Apache2.2/conf/certs/apache.pem"
    SSLCertificateFile "C:/Program Files (x86)/Apache Software Foundation/Apache2.2/conf/certs/apache.crt"
    # CA certificate(s) used to verify client certificates
    SSLCACertificateFile "C:/Program Files (x86)/Apache Software Foundation/Apache2.2/conf/certs/root.crt"
    SSLCACertificatePath "C:/Program Files (x86)/Apache Software Foundation/Apache2.2/conf/certs/"
    SSLProtocol all -SSLv3 -SSLv2

    <Directory "C:/Program Files (x86)/Apache Software Foundation/Apache2.2/htdocs">
        # HTTP Basic authentication against LDAP (mod_authnz_ldap)
        AuthType Basic
        AuthName "Authorized Personnel Only"
        AuthLDAPBindDN "cn=ldapadm,dc=ldap,dc=domain"
        AuthLDAPBindPassword "password"
        AuthBasicProvider ldap
        # Users are looked up by cn under ou=People; STARTTLS protects the LDAP connection
        AuthLDAPURL "ldap://ldap.com/ou=People,dc=ldap,dc=domain?cn" STARTTLS
        AuthzLDAPAuthoritative off
        Require valid-user

        # REMOTE_USER is taken from the client certificate's subject CN.
        # mod_ssl names this variable SSL_CLIENT_S_DN_CN (the original config
        # used SSL_CLIENT_CERT_S_DN_CN, which mod_ssl does not define).
        SSLUserName SSL_CLIENT_S_DN_CN
        SSLRequire %{SSL_CLIENT_S_DN_CN} eq %{REMOTE_USER}
        # A client certificate is mandatory and must chain to the CA configured above
        SSLVerifyDepth 10
        SSLVerifyClient require
    </Directory>
</VirtualHost>
```
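The check the question is after (is the presented certificate the one stored for this user?) is not what a CN lookup gives you: the CA check proves the certificate was issued by a trusted CA, and the cn lookup proves a user with that name exists, but neither ties the two together. The shell script below is an added example, not part of the question; it assumes `openssl` is on PATH and uses a constructed throwaway CA, two valid certificates that both carry CN=alice, and a folder that stands in for the LDAP `userCertificate;binary` attribute, to show the difference between the CN match and a fingerprint match against the enrolled certificate.

```shell
#!/bin/sh
# Added demo (not from the question). Assumes openssl is on PATH.
# Everything here is constructed: a throwaway CA, two client certificates
# that both carry CN=alice, and a "directory" folder standing in for the
# LDAP userCertificate;binary attribute of the user alice.
set -eu
WORK=$(mktemp -d)
mkdir -p "$WORK/directory"

# issue_cert NAME CN: write NAME.crt with subject CN, signed by the demo CA
issue_cert() {
    openssl req -newkey rsa:2048 -nodes -keyout "$WORK/$1.key" -out "$WORK/$1.csr" \
        -subj "/CN=$2" >/dev/null 2>&1
    openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
        -CAcreateserial -out "$WORK/$1.crt" -days 1 >/dev/null 2>&1
}

openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/ca.key" -out "$WORK/ca.crt" \
    -subj "/CN=Demo Root CA" -days 1 >/dev/null 2>&1
issue_cert alice alice      # the certificate enrolled for alice in the directory
issue_cert alice2 alice     # a second, equally valid certificate with the same CN
# enrol alice's certificate in DER form (as LDAP stores it) under her cn
openssl x509 -in "$WORK/alice.crt" -outform DER -out "$WORK/directory/alice.der"

# cert_cn FILE: the subject CN, i.e. the value Apache exposes as SSL_CLIENT_S_DN_CN
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/.*CN=\([^,]*\).*/\1/'
}

# cert_fp FILE [FORM]: SHA-256 fingerprint of the certificate (FORM is PEM or DER)
cert_fp() {
    openssl x509 -inform "${2:-PEM}" -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# chain_ok FILE: what "SSLVerifyClient require" checks (issued by a trusted CA)
chain_ok() { openssl verify -CAfile "$WORK/ca.crt" "$1" >/dev/null 2>&1; }

# enrolled_cert_ok FILE: the check the question is missing. A cn lookup only
# proves that some user with that name exists; comparing fingerprints proves
# the presented certificate is the one enrolled for that user.
enrolled_cert_ok() {
    cn=$(cert_cn "$1")
    case $cn in */*|*..*) return 1 ;; esac   # CN is attacker-chosen, never let it walk paths
    [ -f "$WORK/directory/$cn.der" ] || return 1
    [ "$(cert_fp "$1")" = "$(cert_fp "$WORK/directory/$cn.der" DER)" ]
}
```

Both certificates pass `chain_ok` and yield the same CN, so an Apache rule based on SSL_CLIENT_S_DN_CN alone accepts both; only `enrolled_cert_ok` distinguishes the enrolled one.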