Emmanuel Dreyfus wrote:
> There is no way for a web app (for instance one written in PHP) to perform an SSL handshake with the browser. Apache does it; all it can do is hand the client credentials to the web app, which executes after the SSL handshake has taken place.
Yes. However, in theory the web app could run within a custom HTTP server and intercept the SSL/TLS handshake.
> I see a solution, though. When doing HTTP authentication using LDAP, Apache performs an ldap_bind using the credentials given by the client.
Are you talking about HTTP basic authentication? Yes, then the web server gets the clear-text password and the web app can access it too.
> For now the LDAP handle obtained from ldap_bind is just forgotten. Apache could keep it and make it available to other modules (like mod_php) so that they can perform LDAP operations on behalf of the client.
With HTTP basic authc you can get the clear-text password from the env var REMOTE_PASSWORD. But you will not gain anything, and it's better to implement form-based password input since the browser caches the HTTP basic authc credentials.
> That would require 3 modifications:
> 1) implement x509 certificate authentication in the Apache runtime library (it only does ldap_bind_s using login/password for now)
> 2) save the LDAP handle somewhere
> 3) add an ldap_bind_preauth() function in mod_php so that PHP code can get the LDAP handle
I don't fully understand your approach. How is the LDAP bind supposed to work end-to-end with your approach?
Ciao, Michael.
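As an added example (not code from this thread, nor from Apache or mod_php), this is what the per-request LDAP bind looks like when the PHP app does it itself with the basic-auth credentials that mod_php exposes as PHP_AUTH_USER/PHP_AUTH_PW, which is the alternative to Apache keeping and sharing its own LDAP handle. The LDAP URI, base DN and uid naming attribute are placeholder assumptions.

```php
<?php
// Added example: re-use the HTTP basic-auth credentials Apache already
// collected to bind to LDAP as the client itself, then run one search
// with that client's own LDAP rights. Assumes mod_php (PHP_AUTH_* set).
// Placeholders (assumptions): LDAP URI, base DN, uid naming attribute.

const LDAP_URI = 'ldaps://ldap.example.invalid';
const BASE_DN  = 'ou=people,dc=example,dc=invalid';

function require_basic_auth(): array {
    if (!isset($_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW'])) {
        header('WWW-Authenticate: Basic realm="ldap"');
        http_response_code(401);
        exit;
    }
    return [$_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW']];
}

function bind_as_client(string $user, string $password) {
    // An empty password turns ldap_bind into an anonymous bind: refuse it.
    if ($password === '') { return false; }
    $ldap = ldap_connect(LDAP_URI);
    if ($ldap === false) { return false; }
    ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
    // Escape the username so it cannot alter the DN syntax.
    $dn = 'uid=' . ldap_escape($user, '', LDAP_ESCAPE_DN) . ',' . BASE_DN;
    return @ldap_bind($ldap, $dn, $password) ? $ldap : false;
}

[$user, $password] = require_basic_auth();
$ldap = bind_as_client($user, $password);
if ($ldap === false) {
    http_response_code(403);
    exit('LDAP bind as client failed');
}
// Every operation from here on runs with the client's own LDAP rights,
// not with a privileged handle shared by the web server.
$filter  = '(uid=' . ldap_escape($user, '', LDAP_ESCAPE_FILTER) . ')';
$result  = ldap_search($ldap, BASE_DN, $filter, ['cn', 'mail']);
$entries = ldap_get_entries($ldap, $result);
header('Content-Type: text/plain');
echo $entries['count'] === 1 ? $entries[0]['cn'][0] : 'no entry';
ldap_unbind($ldap);
```

The bind happens once per request, so the clear-text password stays in the request scope and no LDAP handle has to outlive it.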