对于Apache,我正在尝试使用客户端证书对用户进行身份验证,并使用LDAP组对其进行授权。到目前为止,我有这个:
# Apache 2.4.6
LoadModule ssl_module modules/mod_ssl.so
LoadModule authnz_ldap_module modules/mod_authnz_ldap.so
Listen 9999
<VirtualHost *:9999>
ServerName example
SSLEngine on
SSLCertificateFile /etc/ssl/certs/server.crt
SSLCertificateKeyFile /etc/ssl/certs/server.key
SSLCACertificateFile /etc/ssl/certs/ca.crt
SSLVerifyClient require
SSLVerifyDepth 1
SSLOptions +FakeBasicAuth
<Location /test/>
# SSLUserName SSL_CLIENT_S_DN_CN
# AuthBasicFake "%{SSL_CLIENT_S_DN_CN}"
AuthType basic
AuthName "Cert"
AuthBasicProvider ldap
AuthLDAPURL "ldap://localhost/dc=example?uid"
AuthLDAPBindDN "cn=admin,dc=example"
AuthLDAPBindPassword "test123"
AuthLDAPGroupAttribute uniqueMember
Require ldap-group cn=admin,ou=groups,dc=example
</Location>
</VirtualHost>
它在大多数情况下都有效,但是用户名最终以/C=XX/L=Default City/O=Default Company Ltd/CN=testuser(即X.509主题字段的完整DN)结尾,而我希望它只是testuser(即CN SSL_CLIENT_S_DN_CN)。
我尝试使用AuthBasicFake指令,这似乎正是我所需要的,但是用户名字段始终为空。有什么建议吗?
答案 0 :(得分:1)
我将其用于以下配置。只有具有SSLCACertificateFile中的证书签名的密钥对的用户才能进行身份验证。在我的LDAP中,所有用户都属于cn=user,ou=groups,dc=example组,并且默认情况下可以访问整个站点。但是,有些用户也属于cn=admin,ou=groups,dc=example,这将使他们可以访问/admin-panel。
LoadModule ssl_module modules/mod_ssl.so
LoadModule authnz_ldap_module modules/mod_authnz_ldap.so
Listen 9999
<VirtualHost *:9999>
ServerName www.example.com
SSLEngine on
SSLCertificateFile /etc/ssl/certs/server.crt
SSLCertificateKeyFile /etc/ssl/certs/server.key
SSLCACertificateFile /etc/ssl/certs/ca.crt
SSLVerifyClient require
SSLVerifyDepth 1
SSLUserName SSL_CLIENT_S_DN_CN
<Location />
AuthType basic
AuthName "Cert"
AuthBasicProvider ldap
AuthLDAPURL "ldap://localhost/dc=example?uid"
AuthLDAPBindDN "cn=admin,dc=example"
AuthLDAPBindPassword "test123"
AuthLDAPGroupAttribute uniqueMember
Require ldap-group cn=user,ou=groups,dc=example
</Location>
<Location "/admin-panel">
Require ldap-group cn=admin,ou=groups,dc=example
</Location>
</VirtualHost>