Hello
I am not sure this is the right place for that question, but I cannot figure out a better one. Please point me to the right place if there is a better one than here.
I know how to use an X.509 certificate to authenticate a client against OpenLDAP. It works great with ldap{search|add|modify|delete|whatever}.
Now I would like to do the same with the client being a web browser and with a web application between the browser and slapd:
browser (client cert) --> apache (PHP web application) --> slapd
Client certificate authentication from the browser to apache is straightforward. Authenticating a PHP web application to the OpenLDAP directory using a client certificate is a bit trickier, but I see the way it should be done (ldap_sasl_bind is my friend).
Therefore I can easily have the client authenticating to the web application, and the web application operating on the directory on behalf of the client (the web app should bind to the directory as a privileged user that would have authzTo: *).
But it would be nicer to actually have the client authenticate to slapd using its own client certificate. That is, having the web application behaving as a kind of proxy, without any special privilege on the directory. Is that possible? If it is, where should I start?
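An added example, not from the original post, showing the pattern the post already describes: the PHP application authenticates to slapd with its own client certificate over SASL EXTERNAL, then asks slapd to authorize the rest of the session as the browser user via SASL proxy authorization (the `authz_id` argument of `ldap_sasl_bind`), so ACLs and logs see the real user while the application holds no password for anyone. The browser's private key never leaves the browser, so the application cannot present the browser's certificate to slapd itself; proxy authorization is what makes the application a proxy without broad privilege, provided its `authzTo` rule is scoped to the user subtree rather than `*`. Everything here is assumed rather than taken from the post: the host, file paths and DNs are placeholders; Apache is assumed to run mod_ssl with `SSLVerifyClient require` and `SSLOptions +StdEnvVars` so `SSL_CLIENT_VERIFY` and `SSL_CLIENT_S_DN_CN` are populated; users are assumed to have `uid` equal to the CN of their certificate; slapd is assumed to run with `authz-policy to`, an `authz-regexp` mapping the application's certificate subject to its entry, and on that entry something like `authzTo: ldap:///ou=people,dc=example,dc=com??sub?(objectClass=person)`. The TLS options could equally be set in `ldap.conf` via `TLS_CERT`/`TLS_KEY`.

```php
<?php
// Added example (not from the original post). All values are placeholders.
const LDAP_URI    = 'ldaps://ldap.example.com';
const APP_CERT    = '/etc/ssl/webapp/webapp.crt';   // the application's own cert
const APP_KEY     = '/etc/ssl/webapp/webapp.key';
const CA_CERT     = '/etc/ssl/certs/example-ca.pem';
const PEOPLE_BASE = 'ou=people,dc=example,dc=com';

/** Connect over TLS and authenticate as the application with SASL EXTERNAL. */
function bindAsApplication(): LDAP\Connection
{
    $ldap = ldap_connect(LDAP_URI);
    if ($ldap === false) {
        throw new RuntimeException('bad LDAP URI');
    }
    ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
    // Client certificate that identifies the web application to slapd
    // (assumed to be set per connection; ldap.conf TLS_CERT/TLS_KEY also works).
    ldap_set_option($ldap, LDAP_OPT_X_TLS_CACERTFILE, CA_CERT);
    ldap_set_option($ldap, LDAP_OPT_X_TLS_CERTFILE, APP_CERT);
    ldap_set_option($ldap, LDAP_OPT_X_TLS_KEYFILE, APP_KEY);
    ldap_set_option($ldap, LDAP_OPT_X_TLS_REQUIRE_CERT, LDAP_OPT_X_TLS_DEMAND);
    // No DN and no password: EXTERNAL takes the identity from the TLS certificate.
    if (!ldap_sasl_bind($ldap, null, null, 'EXTERNAL')) {
        throw new RuntimeException('application bind failed: ' . ldap_error($ldap));
    }
    return $ldap;
}

/** Resolve the browser user's entry DN from the certificate mod_ssl verified. */
function browserUserDn(LDAP\Connection $ldap): string
{
    // Trust only what mod_ssl verified, never a header the browser could forge.
    if (($_SERVER['SSL_CLIENT_VERIFY'] ?? '') !== 'SUCCESS') {
        throw new RuntimeException('no verified browser certificate');
    }
    $cn = $_SERVER['SSL_CLIENT_S_DN_CN'] ?? '';
    if ($cn === '') {
        throw new RuntimeException('browser certificate has no CN');
    }
    // Assumption: the certificate CN equals the user's uid attribute.
    $filter = sprintf('(uid=%s)', ldap_escape($cn, '', LDAP_ESCAPE_FILTER));
    $res = ldap_search($ldap, PEOPLE_BASE, $filter, ['dn']);
    if ($res === false || ldap_count_entries($ldap, $res) !== 1) {
        throw new RuntimeException('no unique entry for certificate subject');
    }
    return ldap_get_dn($ldap, ldap_first_entry($ldap, $res));
}

/** Rebind so that slapd authorizes every following operation as the user. */
function bindOnBehalfOf(LDAP\Connection $ldap, string $userDn): void
{
    // Same EXTERNAL authentication plus an authzid; slapd honours it only if
    // the application's entry carries an authzTo rule matching $userDn
    // (authz-policy to), otherwise the bind fails and nothing is proxied.
    if (!ldap_sasl_bind($ldap, null, null, 'EXTERNAL', null, null, 'dn:' . $userDn)) {
        throw new RuntimeException('proxy authorization refused: ' . ldap_error($ldap));
    }
}

$ldap   = bindAsApplication();
$userDn = browserUserDn($ldap);
bindOnBehalfOf($ldap, $userDn);

// Check the effective identity: slapd should report "dn:<userDn>", not the app's DN.
$whoami = ldap_exop_whoami($ldap);
if ($whoami !== 'dn:' . $userDn) {
    throw new RuntimeException('unexpected effective identity: ' . var_export($whoami, true));
}
// From here on, ACLs and slapd's log attribute operations to the browser user, e.g.
// ldap_modify($ldap, $userDn, ['mail' => ['user@example.com']]);
```

If the application keeps one pooled connection for many users, rebinding per request is awkward; the same effect can be obtained per operation with the Proxied Authorization control (RFC 4370), which PHP exposes as `LDAP_CONTROL_PROXY_AUTHZ` in the `$controls` argument of the search and modify functions, subject to the same `authzTo` check on the application's entry.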