
web apps and client certificate authentication


I am not sure this is the right place for that question, but I cannot
figure a better one. Please point me to the right place if there is a
better one than here.

I know how to use an X.509 certificate to authenticate a client against
OpenLDAP. It works great with ldap{search|add|modify|delete|whatever}.

Now I would like to do the same with the client being a web browser and
with a web application between the browser and slapd:

   browser (client cert) --> apache (PHP web application) --> slapd

Client certificate authentication from the browser to apache is
straightforward. Authenticating a PHP web application to the OpenLDAP
directory using a client certificate is a bit trickier, but I see the
way it should be done (ldap_sasl_bind is my friend).

Therefore I can easily have the client authenticate to the web
application, and the web application operating on the directory on
behalf of the client (the web app should bind to the directory as a
privileged user that would have authzTo: *)

But it would be nicer to actually have the client authenticate to slapd
using its own client certificate. That is, having the web application
behaving as a kind of proxy, without any special privilege on the
directory. Is that possible? If it is, where should I start? 

Emmanuel Dreyfus
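As an added example that is not part of the original post, the following PHP page implements the "privileged web app with authzTo" variant described above: the application authenticates to slapd with its own client certificate via SASL EXTERNAL, then passes the browser user's identity as a SASL authorization identity (the last argument of ldap_sasl_bind) so that slapd enforces that user's ACLs for the rest of the session. The browser user's private key never leaves the browser, so the application cannot present it to slapd; proxy authorization is what lets it act without blanket rights of its own. The LDAP URI, certificate paths, the ou=people layout and the rule that the certificate CN equals the user's uid are all assumptions made for the example, as is the slapd-side configuration sketched in the comments.

```php
<?php
// Added example (not from the original post): a PHP page behind Apache
// mod_ssl that binds to slapd with the application's own client
// certificate (SASL EXTERNAL) and uses SASL proxy authorization so that
// slapd applies the browser user's identity and ACLs to every operation.
//
// Assumed slapd side (slapd.conf):
//   authz-policy to
//   authz-regexp "cn=webapp,o=example" "cn=webapp,ou=services,dc=example,dc=com"
// and on cn=webapp,ou=services,dc=example,dc=com:
//   authzTo: dn.regex:^uid=[^,]+,ou=people,dc=example,dc=com$
//
// Hostnames, paths and DN layout below are assumptions for the example.

declare(strict_types=1);

const LDAP_URI    = 'ldaps://ldap.example.com';           // assumed
const APP_CERT    = '/etc/apache2/ssl/webapp-client.pem'; // assumed
const APP_KEY     = '/etc/apache2/ssl/webapp-client.key'; // assumed
const CA_FILE     = '/etc/ssl/certs/ldap-ca.pem';         // assumed
const PEOPLE_BASE = 'ou=people,dc=example,dc=com';        // assumed

/**
 * Derive the browser user's directory identity from the client certificate
 * that mod_ssl already verified.  Needs "SSLVerifyClient require" and
 * "SSLOptions +StdEnvVars" in the vhost.  Returns an authzid in the "dn:"
 * form slapd understands, or null when no valid certificate was presented.
 */
function browser_user_authzid(array $server): ?string
{
    if (($server['SSL_CLIENT_VERIFY'] ?? '') !== 'SUCCESS') {
        return null;
    }
    $cn = $server['SSL_CLIENT_S_DN_CN'] ?? '';
    if ($cn === '') {
        return null;
    }
    // Assumed mapping: certificate CN == uid of the user's entry.
    // ldap_escape() keeps a crafted CN from injecting extra RDNs.
    return 'dn:uid=' . ldap_escape($cn, '', LDAP_ESCAPE_DN) . ',' . PEOPLE_BASE;
}

/**
 * Open a TLS connection to slapd, authenticate as the web application with
 * its own certificate (SASL EXTERNAL) and ask slapd to treat the session as
 * $authzid.  slapd accepts this only if the application's mapped identity
 * carries an authzTo rule that matches $authzid.
 */
function bind_as_user(string $authzid)
{
    $ds = ldap_connect(LDAP_URI);
    if ($ds === false) {
        throw new RuntimeException('ldap_connect failed');
    }
    ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);
    // Per-connection TLS settings (PHP >= 7.1).  The same values can also
    // be placed in the web server user's ldap.conf / .ldaprc as
    // TLS_CACERT, TLS_CERT and TLS_KEY.
    ldap_set_option($ds, LDAP_OPT_X_TLS_CACERTFILE, CA_FILE);
    ldap_set_option($ds, LDAP_OPT_X_TLS_CERTFILE, APP_CERT);
    ldap_set_option($ds, LDAP_OPT_X_TLS_KEYFILE, APP_KEY);
    ldap_set_option($ds, LDAP_OPT_X_TLS_REQUIRE_CERT, LDAP_OPT_X_TLS_DEMAND);

    // mech EXTERNAL: the authentication identity is the TLS client cert.
    // authz_id: the identity slapd should act as for this session.
    if (!ldap_sasl_bind($ds, null, null, 'EXTERNAL', null, null, $authzid)) {
        throw new RuntimeException('SASL bind failed: ' . ldap_error($ds));
    }
    return $ds;
}

/** Ask slapd which identity it really applies ("Who Am I?" extended op). */
function effective_identity($ds): string
{
    $who = ldap_exop_whoami($ds);   // PHP >= 7.2
    return $who === false ? '' : $who;
}

$authzid = browser_user_authzid($_SERVER);
if ($authzid === null) {
    http_response_code(403);
    exit("client certificate required\n");
}

$ds = bind_as_user($authzid);
$who = effective_identity($ds);
if (strcasecmp($who, $authzid) !== 0) {
    // Proxy authorization was not applied: never continue with the
    // application's own rights on the user's behalf.
    ldap_unbind($ds);
    http_response_code(500);
    exit("directory refused proxy authorization\n");
}

// From here on slapd enforces the browser user's ACLs, not the app's.
$res   = ldap_read($ds, substr($authzid, 3), '(objectClass=*)', ['mail']);
$entry = ldap_get_entries($ds, $res);
header('Content-Type: text/plain');
echo "Bound as {$who}\n";
echo 'mail: ', $entry[0]['mail'][0] ?? '(none)', "\n";
ldap_unbind($ds);
```

The "Who Am I?" check after the bind is the part worth keeping: if slapd's authz-policy or the authzTo rule does not cover the requested identity, the bind either fails outright or (depending on configuration) leaves the session as the application itself, and the page must refuse to proceed rather than operate with the application's privileges. Scoping authzTo to a regex over ou=people, rather than a catch-all, keeps a compromised web application from proxying as cn=Manager or other service identities.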