
Re: web apps and client certificate authentication




On Jan 11, 2009, at 10:07 AM, Emmanuel Dreyfus wrote:

Hello

I am not sure this is the right place for that question, but I cannot
figure a better one. Please point me to the right place if there is a
better one than here.

[[from openldap-software]]



I know how to use x509 certificate to authenticate a client against
OpenLDAP. It works great with ldap{search|add|modify|delete|whatever}.


Now I would like to do the same with the client being a web browser and
with a web application between the browser and slapd:


  browser (client cert) --> apache (PHP web application) --> slapd

Client certificate authentication from the browser to apache is
straightforward.

Yes, so why complicate it?



Therefore I can easily have the client authenticating to the web
application, and the web application operating on the directory on
behalf of the client (the web app should bind to the directory as a
privileged user that would have authzTo: *)

The web application should just authenticate as itself and then use proxy authorization to act on behalf of the client.
Of course, it has to be authorized to do so.




But it would be nicer to actually have the client authenticate to slapd
using its own client certificate.

Why? Generally, the web application is part of the service which encompasses the web server and directory service. They should already have an appropriate trust relationship.


That is, having the web application
behaving as a kind of proxy, without any special privilege on the
directory. Is that possible? If it is, where should I start?

Would require cooperation between the web server and the directory server. So nothing gained, IMO, except complexity.




--
Emmanuel Dreyfus
http://hcpnet.free.fr/pubz
manu@netbsd.org
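
The proxy authorization approach recommended in the reply, as an added example that is not part of the original thread: it refuses to assert an identity unless mod_ssl reports the client certificate as verified, then encodes the RFC 4370 Proxied Authorization control the web application would attach to each LDAP operation after binding as itself. The CN-to-DN mapping and `PEOPLE_BASE` are hypothetical assumptions; a real deployment would use its own mapping.

```python
# Added example (not from the thread). Assumptions: Apache mod_ssl has already
# verified the browser certificate, and user entries are named by certificate
# CN under PEOPLE_BASE (a constructed, hypothetical layout).
PROXY_AUTHZ_OID = "2.16.840.1.113730.3.4.18"   # RFC 4370 controlType
PEOPLE_BASE = "ou=people,dc=example,dc=org"    # hypothetical directory suffix


def escape_rdn_value(value: str) -> str:
    """Escape an attribute value for use inside a DN (RFC 4514)."""
    out = []
    for i, ch in enumerate(value):
        if ch in '"+,;<>\\':
            out.append("\\" + ch)
        elif ch == "\x00":
            out.append("\\00")
        elif (i == 0 and ch in " #") or (i == len(value) - 1 and ch == " "):
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def authz_id_from_tls_env(env: dict) -> str:
    """Map mod_ssl's per-request variables to an LDAP authzId."""
    if env.get("SSL_CLIENT_VERIFY") != "SUCCESS":
        raise PermissionError("client certificate was not verified")
    cn = env.get("SSL_CLIENT_S_DN_CN", "")
    if not cn:
        raise PermissionError("certificate subject has no CN")
    return "dn:cn=" + escape_rdn_value(cn) + "," + PEOPLE_BASE


def ber(tag: int, content: bytes) -> bytes:
    """Encode one BER tag-length-value element."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(raw)]) + raw
    return bytes([tag]) + length + content


def proxy_authz_control(authz_id: str) -> bytes:
    """Control ::= SEQUENCE { controlType, criticality TRUE, controlValue }."""
    return ber(0x30, ber(0x04, PROXY_AUTHZ_OID.encode("ascii"))
               + ber(0x01, b"\xff")
               + ber(0x04, authz_id.encode("utf-8")))
```

slapd honours this control only when the application's own bind identity is authorized to assume the requested identity, which is the `authzTo` rule mentioned in the message.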