Re: web apps and client certificate authentication

[manu@netbsd.org (Emmanuel Dreyfus)]

Kurt Zeilenga <Kurt@OpenLDAP.org> wrote:

> I leave this as an exercise to someone who strong knowledge of TLS and
> its certificate-based authentication.  I'm only saying it that it's  
> likely possible, at least, in theory.  

I thought a bit about it, here is my conclusions. Please tell me if I am
wrong.

There is no way for a web app, (for instance written in PHP) to perform
an SSL handshake with the browser. Apache does it, all it can do is to
hand the client credentials to the web app, which executes after the SSL
handshake took place.

I see a solution, though. When doing HTTP authentication using LDAP,
Apache performs a ldap_bind using credentials given by the client. For
now the LDAP handle obtained from ldap_bind is just forgotten. Apache
could keep it and make it available to other modules (like mod_php) for
them to perform LDAP operations on behalf of the client.

That would require 3 modifications
1) implement x509 certificate authentication in Apache runtime library
(it only does ldap_bind_s using login/password for now)
2) save the LDAP handle somewhere
3) add a ldap_bind_preauth() function in mod_php so that PHP code can
get the LDAP handle

There is something not very clear in my mind about how the LDAP handle
can be sent from Apache to mod_php. Everything happens in the same
process, so I guess an environement variable containing the address of
the LDAP handle would do the trick, but is that reasonable?

Opinions? Is that plan pure science fiction, or is there something to
experiment here?

-- 
Emmanuel Dreyfus
http://hcpnet.free.fr/pubz
manu@netbsd.org