How to configure x509 Authentication with an LDAP Server using Apache (httpd)?

Solution Unverified - Updated

Environment

  • JBoss Enterprise Web Server
  • Apache (httpd)
  • Red Hat Directory Server

Issue

  • I would like to configure Apache to only serve web pages to users who present an x509 certificate, and who are within my LDAP users list.

Resolution

  • Set up the provided configuration in /etc/httpd/conf.d/ssl.conf
  • Most critical is the following Directory block:

    <Directory "/var/www/secure/">
        AllowOverride none
        Order allow,deny
        Allow from all
        Options +Indexes
        # Refuse plain-HTTP access to this directory
        SSLRequireSSL
        # Basic authentication against LDAP. The user name and password are not
        # typed in by the user: mod_ssl's FakeBasicAuth derives them from the
        # client certificate (see Root Cause below), so the SSL virtual host must
        # also have SSLVerifyClient require and SSLOptions +FakeBasicAuth set.
        AuthType Basic
        AuthName "My LDAP Server"
        AuthBasicAuthoritative off
        AuthBasicProvider ldap
        AuthzLDAPAuthoritative off
        Require valid-user
        # Subtree search under ou=people,dc=test for an entry whose cn equals
        # the user name (the one-line certificate subject)
        AuthLDAPUrl "ldap://localhost:389/ou=people,dc=test?cn?sub"
        AuthLDAPRemoteUserAttribute cn
    </Directory>

Root Cause

It is possible to configure Apache (httpd) to only serve web pages to users who present an x509 certificate and who also exist as users within LDAP.

In order to accomplish this you will be required to place the DN of the x509 certificate (the Subject) into the LDAP server as the user's cn (common name) attribute. Keep in mind that Red Hat Directory Server allows a person's cn to have multiple values, so the certificate DN can be added alongside the existing name.

Similarly, that user's entry must have a password attribute whose value is 'password', or its MD5 Digest equivalent 'xxj31ZMTZzkVA'.

    #   SSL Engine Options:
    #   Set various options for the SSL engine.
    #   o FakeBasicAuth:
    #     Translate the client X.509 into a Basic Authorisation.  This means that
    #     the standard Auth/DBMAuth methods can be used for access control.  The
    #     user name is the `one line' version of the client's X.509 certificate.
    #     Note that no password is obtained from the user. Every entry in the user
    #     file needs this password: `xxj31ZMTZzkVA'.

Without these two pieces of information in LDAP, the user will be prompted for their (LDAP) user name and password every time they access the web server.

  • This is a requirement because mod_ssl's FakeBasicAuth option uses information from the certificate together with the predefined password ('password' or 'xxj31ZMTZzkVA') to bind that user to LDAP, which performs the authentication (see the ssl.conf comment above).
    • NOTE: because the mod_ssl FakeBasicAuth option is used with LDAP, LDAP will attempt to bind with whatever user credentials are passed to it. If this bind fails or the information is incorrect, the user will see a pop-up asking for a user name and password.

Diagnostic Steps

  • Logs to check

    • /var/log/dirsrv//access
    • /var/log/httpd/*
  • Things to look for

    • What is LDAP searching / binding on?

        [17/Jul/2012:09:30:36 -0400] conn=16 op=1 SRCH base="ou=people,dc=test" scope=2 filter="(&(objectClass=*)(cn=/C=US/ST=North Carolina/O=Red Hat Inc./OU=Global Support Services/CN=Eric Rich))" attrs="cn"

      • Note that 'cn=' is the search string and that cn was chosen by the AuthLDAPRemoteUserAttribute directive. The value being searched for should match the certificate's DN (subject line), which means the user's LDAP entry must carry that DN as a cn attribute value.
      • The mod_ssl FakeBasicAuth documentation explains how this value is pulled from the certificate with openssl.
    • Is the bind successful?

      • If the bind is not successful, check whether the AuthLDAPBindDN user can bind / is binding. If it can, it is likely that the user you are binding as (pulled from the certificate) does not have 'password' or 'xxj31ZMTZzkVA' as a password attribute in LDAP. FakeBasicAuth requires that the user have this in order to bind or authenticate.
      • Note: you only need 'xxj31ZMTZzkVA' if the 'AuthType' is 'Digest'.
  • Wanted result from the LDAP server logs (/var/log/dirsrv//access)

[17/Jul/2012:09:30:17 -0400] conn=15 op=8 MOD dn="uid=ERich,ou=People,dc=test"
[17/Jul/2012:09:30:17 -0400] conn=15 op=8 RESULT err=0 tag=103 nentries=0 etime=0
[17/Jul/2012:09:30:17 -0400] conn=15 op=9 SRCH base="uid=ERich,ou=People,dc=test" scope=0 filter="(|(objectClass=*)(objectClass=ldapsubentry))" attrs=ALL
[17/Jul/2012:09:30:17 -0400] conn=15 op=9 RESULT err=0 tag=101 nentries=1 etime=0
[17/Jul/2012:09:30:18 -0400] conn=15 op=10 SRCH base="uid=ERich,ou=People,dc=test" scope=0 filter="(|(objectClass=*)(objectClass=ldapsubentry))" attrs=ALL
[17/Jul/2012:09:30:18 -0400] conn=15 op=10 RESULT err=0 tag=101 nentries=1 etime=0
[17/Jul/2012:09:30:18 -0400] conn=14 op=35 SRCH base="uid=ERich,ou=People,dc=test" scope=0 filter="(|(objectClass=*)(objectClass=ldapsubentry))" attrs="objectClass numSubordinates ref aci"
[17/Jul/2012:09:30:18 -0400] conn=14 op=35 RESULT err=0 tag=101 nentries=1 etime=0
[17/Jul/2012:09:30:18 -0400] conn=14 op=36 SRCH base="ou=People,dc=test" scope=0 filter="(|(objectClass=*)(objectClass=ldapsubentry))" attrs="objectClass numSubordinates ref aci"
[17/Jul/2012:09:30:18 -0400] conn=14 op=36 RESULT err=0 tag=101 nentries=1 etime=0
[17/Jul/2012:09:30:18 -0400] conn=14 op=37 SRCH base="ou=People,dc=test" scope=1 filter="(|(&(numSubordinates=*)(numSubordinates>=1)(|(objectClass=*)(objectClass=ldapsubentry)))(objectClass=organization)(objectClass=organizationalUnit)(objectClass=netscapeServer)(objectClass=netscapeResource)(objectClass=domain))" attrs="distinguishedName"
[17/Jul/2012:09:30:18 -0400] conn=14 op=37 RESULT err=0 tag=101 nentries=0 etime=0 notes=U
[17/Jul/2012:09:30:36 -0400] conn=16 fd=68 slot=68 connection from ::1 to ::1
[17/Jul/2012:09:30:36 -0400] conn=16 op=0 BIND dn="" method=128 version=3
[17/Jul/2012:09:30:36 -0400] conn=16 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn=""
[17/Jul/2012:09:30:36 -0400] conn=16 op=1 SRCH base="ou=people,dc=test" scope=2 filter="(&(objectClass=*)(cn=/C=US/ST=North Carolina/O=Red Hat Inc./OU=Global Support Services/CN=Eric Rich))" attrs="cn"
[17/Jul/2012:09:30:36 -0400] conn=16 op=1 RESULT err=0 tag=101 nentries=1 etime=0 notes=U
[17/Jul/2012:09:30:36 -0400] conn=16 op=2 BIND dn="uid=ERich,ou=People,dc=test" method=128 version=3
[17/Jul/2012:09:30:36 -0400] conn=16 op=2 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=erich,ou=people,dc=test"
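The two checks above (did the cn lookup find the certificate subject, and did the user bind succeed) can be automated over the Directory Server access log. The following script is an added example, not part of the original solution: it walks the log, pairs each SRCH/BIND with its RESULT on the same connection, and reports which of the article's failure cases applies. conn=16 is adapted from the wanted result above; conn=17 and conn=18 are constructed failure cases (subject DN missing from LDAP, and bind rejected with LDAP result code 49 because the password attribute is not the FakeBasicAuth value).

```python
import re

# Constructed sample of 389 DS access-log lines (conn=16 adapted from the article).
SAMPLE_LOG = """\
[17/Jul/2012:09:30:36 -0400] conn=16 op=1 SRCH base="ou=people,dc=test" scope=2 filter="(&(objectClass=*)(cn=/C=US/ST=North Carolina/O=Red Hat Inc./OU=Global Support Services/CN=Eric Rich))" attrs="cn"
[17/Jul/2012:09:30:36 -0400] conn=16 op=1 RESULT err=0 tag=101 nentries=1 etime=0 notes=U
[17/Jul/2012:09:30:36 -0400] conn=16 op=2 BIND dn="uid=ERich,ou=People,dc=test" method=128 version=3
[17/Jul/2012:09:30:36 -0400] conn=16 op=2 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=erich,ou=people,dc=test"
[17/Jul/2012:09:31:02 -0400] conn=17 op=1 SRCH base="ou=people,dc=test" scope=2 filter="(&(objectClass=*)(cn=/C=US/O=Example/CN=No Such User))" attrs="cn"
[17/Jul/2012:09:31:02 -0400] conn=17 op=1 RESULT err=0 tag=101 nentries=0 etime=0 notes=U
[17/Jul/2012:09:31:40 -0400] conn=18 op=1 SRCH base="ou=people,dc=test" scope=2 filter="(&(objectClass=*)(cn=/C=US/O=Example/CN=Jane Doe))" attrs="cn"
[17/Jul/2012:09:31:40 -0400] conn=18 op=1 RESULT err=0 tag=101 nentries=1 etime=0 notes=U
[17/Jul/2012:09:31:40 -0400] conn=18 op=2 BIND dn="uid=jdoe,ou=People,dc=test" method=128 version=3
[17/Jul/2012:09:31:40 -0400] conn=18 op=2 RESULT err=49 tag=97 nentries=0 etime=0
"""

LINE_RE = re.compile(r'^\[[^\]]+\] conn=(\d+) op=(\d+) (.*)$')
CN_FILTER_RE = re.compile(r'filter="\(&\(objectClass=\*\)\(cn=([^)]*)\)\)"')  # mod_authnz_ldap user lookup
BIND_RE = re.compile(r'^BIND dn="([^"]+)"')              # non-empty dn only: skips the anonymous bind
RESULT_RE = re.compile(r'^RESULT err=(\d+) tag=\d+ nentries=(\d+)')

def _verdict(s):
    """Map what the log shows to the article's troubleshooting steps."""
    if s["nentries"] == 0:
        return "subject DN is not a cn value of any entry under the search base"
    if s["bind_err"] == 49:
        return "bind rejected (err=49): password attribute is not the FakeBasicAuth value"
    if s["bind_err"] == 0:
        return "ok: authenticated as " + s["bind_dn"]
    return "lookup matched but no successful user bind followed"

def diagnose(log_text):
    """Return {conn: (subject_dn, verdict)} for each FakeBasicAuth lookup in the log."""
    pending, state = {}, {}   # (conn, op) -> in-flight op; conn -> what we learned
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        conn, op, rest = m.groups()
        if rest.startswith("SRCH") and (cn := CN_FILTER_RE.search(rest)):
            pending[(conn, op)] = ("srch", cn.group(1))
            state[conn] = dict(subject=cn.group(1), nentries=None, bind_dn=None, bind_err=None)
        elif rest.startswith("BIND") and conn in state and (b := BIND_RE.match(rest)):
            pending[(conn, op)] = ("bind", b.group(1))
        elif rest.startswith("RESULT") and (conn, op) in pending:
            kind, value = pending.pop((conn, op))
            err, n = map(int, RESULT_RE.match(rest).groups())
            state[conn].update({"nentries": n} if kind == "srch" else {"bind_dn": value, "bind_err": err})
    return {c: (s["subject"], _verdict(s)) for c, s in state.items()}
```

Run it against the real access log by passing the file contents to diagnose(); a connection that shows nentries=0 needs the certificate DN added as a cn value, while err=49 on the user bind points at the password attribute.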

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.