Kurt Zeilenga <Kurt@OpenLDAP.org> wrote:
> I leave this as an exercise to someone who has strong knowledge of TLS and its certificate-based authentication. I'm only saying that it's likely possible, at least in theory.
I thought a bit about it; here are my conclusions. Please tell me if I am wrong.
There is no way for a web app (for instance, one written in PHP) to perform an SSL handshake with the browser. Apache does it; all it can do is hand the client credentials to the web app, which executes after the SSL handshake has taken place.
I see a solution, though. When doing HTTP authentication using LDAP, Apache performs an ldap_bind using the credentials given by the client. For now the LDAP handle obtained from ldap_bind is just forgotten. Apache could keep it and make it available to other modules (like mod_php) so they can perform LDAP operations on behalf of the client.
That would require 3 modifications:
1) implement X.509 certificate authentication in the Apache runtime library (it only does ldap_bind_s using login/password for now)
2) save the LDAP handle somewhere
3) add an ldap_bind_preauth() function in mod_php so that PHP code can get the LDAP handle
There is something not very clear in my mind about how the LDAP handle can be sent from Apache to mod_php. Everything happens in the same process, so I guess an environment variable containing the address of the LDAP handle would do the trick, but is that reasonable?
Opinions? Is that plan pure science fiction, or is there something to experiment here?
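The "client credentials handed to the web app" mentioned above are, in practice, the SSL_CLIENT_* variables mod_ssl exports once the handshake is done. The following is an added example, not code from the thread or from Apache/mod_php, written in Python rather than PHP purely for illustration. It assumes `SSLOptions +StdEnvVars` is enabled and the legacy slash-separated `SSL_CLIENT_S_DN` format (`/C=FR/O=Example/CN=alice`); the sample environment dictionary is constructed, and the two checks it makes (verification status first, RFC 4514 escaping second) are what a web app should do before reusing that identity for an LDAP lookup.

```python
"""
Consume the client-certificate identity mod_ssl hands to the web app after
the TLS handshake and turn it into an LDAP DN that is safe to use in a
search base or bind.

Added example, not from the original thread. Assumptions: mod_ssl variable
names SSL_CLIENT_VERIFY / SSL_CLIENT_S_DN (SSLOptions +StdEnvVars), and the
legacy slash-separated subject format "/C=FR/O=Example/CN=alice".
"""
import re
from typing import Optional

# RFC 4514 section 2.4: characters that must be backslash-escaped inside an
# attribute value (plus '#' at the start and a space at either end).
_LDAP_SPECIALS = set(',+"\\<>;')


def escape_rdn_value(value: str) -> str:
    """Escape one RDN value per RFC 4514 so it cannot break out of the DN."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _LDAP_SPECIALS:
            out.append('\\' + ch)
        elif ch == '#' and i == 0:
            out.append('\\#')
        elif ch == ' ' and (i == 0 or i == last):
            out.append('\\ ')
        elif ord(ch) < 0x20:
            # Control characters: hex-pair escape, also permitted by RFC 4514.
            out.append('\\%02X' % ord(ch))
        else:
            out.append(ch)
    return ''.join(out)


def legacy_subject_to_ldap_dn(subject: str) -> str:
    """Convert mod_ssl's legacy "/C=FR/O=Example/CN=alice" into the RFC 4514
    form "CN=alice,O=Example,C=FR" (most specific RDN first).

    Caveat: the legacy format has no escaping of its own, so a '/' inside a
    value is ambiguous; this converter treats every '/' as a separator.
    """
    if not subject.startswith('/'):
        raise ValueError('expected legacy slash-separated subject: %r' % subject)
    rdns = []
    for part in subject[1:].split('/'):
        if not part:
            continue  # tolerate an empty component such as "//"
        attr, sep, val = part.partition('=')
        if not sep or not re.fullmatch(r'[A-Za-z][A-Za-z0-9-]*', attr):
            raise ValueError('malformed RDN: %r' % part)
        rdns.append('%s=%s' % (attr, escape_rdn_value(val)))
    if not rdns:
        raise ValueError('empty subject')
    return ','.join(reversed(rdns))


def client_dn_from_environ(environ: dict) -> Optional[str]:
    """Return the LDAP DN of the client-certificate identity, or None.

    Only trust the subject when mod_ssl reports SUCCESS; "NONE", "GENEROUS"
    and "FAILED:..." mean the certificate was absent or not validated.
    """
    if environ.get('SSL_CLIENT_VERIFY') != 'SUCCESS':
        return None
    subject = environ.get('SSL_CLIENT_S_DN')
    if not subject:
        return None
    return legacy_subject_to_ldap_dn(subject)


# Constructed sample of what mod_ssl would have placed in the CGI/PHP
# environment after a successful client-certificate handshake.
SAMPLE_ENVIRON = {
    'SSL_CLIENT_VERIFY': 'SUCCESS',
    'SSL_CLIENT_S_DN': '/C=FR/O=Acme, Inc./CN=alice',
}

if __name__ == '__main__':
    print(client_dn_from_environ(SAMPLE_ENVIRON))
```

The DN this returns is what the web app would use as the bind DN or search base in place of a password-derived identity; the escaping step matters because the subject string comes from a certificate the CA issued, not from the app, and a comma or plus sign in an organisation name would otherwise add an RDN the app never intended.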