On Jan 11, 2009, at 10:07 AM, Emmanuel Dreyfus wrote:
Hello
I am not sure this is the right place for that question, but I cannot figure out a better one. Please point me to the right place if there is a better one than here.
[[from openldap-software]]
I know how to use an X.509 certificate to authenticate a client against OpenLDAP. It works great with ldap{search|add|modify|delete|whatever}.
Now I would like to do the same with the client being a web browser and with a web application between the browser and slapd:
browser (client cert) --> apache (PHP web application) --> slapd
Client certificate authentication from the browser to apache is straightforward.
Yes, so why complicate it?
Therefore I can easily have the client authenticating to the web application, and the web application operating on the directory on behalf of the client (the web app should bind to the directory as a privileged user that would have authzTo: *)
The web application should just authenticate as itself and then use proxy authorization to act on behalf of the client. Of course, it has to be authorized to do so.
But it would be nicer to actually have the client authenticate to slapd using its own client certificate.
Why? Generally, the web application is part of the service which encompasses the web server and directory service. They should already have an appropriate trust relationship.
That is, having the web application behaving as a kind of proxy, without any special privilege on the directory. Is that possible? If it is, where should I start?
Would require cooperation between the web server and the directory server. So nothing gained, IMO, except complexity.
-- Emmanuel Dreyfus http://hcpnet.free.fr/pubz manu@netbsd.org
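The setup the reply recommends (the web application binds as itself, then uses proxy authorization to act for the browser's user), as an added PHP example that is not code from the thread or from OpenLDAP. It uses the LDAP Proxied Authorization Control (RFC 4370) rather than a SASL authzid, so the application can keep one simple bind and choose the effective identity per operation. The URI, the DNs, the environment variable holding the application password, and the assumption that a user's directory DN equals the subject DN of their certificate (RFC 2253 form) are illustrative assumptions; adjust the mapping to your directory.

```php
<?php
declare(strict_types=1);

// Added example, not code from the mailing-list thread: the PHP front end
// authenticates to slapd as itself and acts for the browser's user via the
// Proxied Authorization Control (RFC 4370). Needs PHP >= 7.3 (the $controls
// parameter on ldap_read/ldap_modify and LDAP_CONTROL_PROXY_AUTHZ).
// All names below are assumptions, not values from the post.

const LDAP_URI = 'ldaps://ldap.example.com';                 // assumed
const APP_DN   = 'cn=webapp,ou=services,dc=example,dc=com';    // assumed; carries authzTo

// Take the subject of the certificate Apache already verified (mod_ssl exports
// it with "SSLVerifyClient require" and "SSLOptions +StdEnvVars"). Refuse a
// request without a verified client certificate, and never accept a DN from
// a request header or form field: the browser must not pick its own identity.
function clientDnFromApache(array $server): string
{
    if (($server['SSL_CLIENT_VERIFY'] ?? '') !== 'SUCCESS') {
        throw new RuntimeException('no verified client certificate');
    }
    $subject = $server['SSL_CLIENT_S_DN'] ?? '';
    if ($subject === '') {
        throw new RuntimeException('client certificate has no subject');
    }
    // Apache 2.2 (LegacyDNStringFormat) exports "/C=FR/O=Example/CN=alice";
    // 2.4 exports RFC 2253 "CN=alice,O=Example,C=FR". Normalise the legacy
    // form; this naive split does not handle a '/' inside an RDN value.
    if ($subject[0] === '/') {
        $rdns = array_values(array_filter(explode('/', $subject), 'strlen'));
        $subject = implode(',', array_reverse($rdns));
    }
    return $subject;   // assumed to be the user's entry DN in the directory
}

// The control attached to every operation done on the user's behalf. With
// "authz-policy to" in slapd.conf, slapd accepts it only if APP_DN's entry
// has an authzTo value covering $userDn. Marking it critical makes a server
// that does not honour the control fail the operation instead of silently
// running it with the web application's own privileges.
function proxyAuthzControl(string $userDn): array
{
    return [[
        'oid'        => LDAP_CONTROL_PROXY_AUTHZ,
        'iscritical' => true,
        'value'      => 'dn:' . $userDn,
    ]];
}

// Simple bind as the application itself (no return type: LDAP\Connection on
// PHP 8.1+, a resource before that).
function connectAsApp(string $appPassword)
{
    $ld = ldap_connect(LDAP_URI);
    if ($ld === false) {
        throw new RuntimeException('cannot parse LDAP URI');
    }
    ldap_set_option($ld, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ld, LDAP_OPT_REFERRALS, 0);
    if (!ldap_bind($ld, APP_DN, $appPassword)) {
        throw new RuntimeException('application bind failed: ' . ldap_error($ld));
    }
    return $ld;
}

// Read the user's own entry as the user: slapd evaluates its ACLs against
// $userDn, not against the web application's identity.
function readOwnEntry($ld, string $userDn): array
{
    $res = ldap_read($ld, $userDn, '(objectClass=*)', ['mail', 'description'],
                     0, -1, -1, LDAP_DEREF_NEVER, proxyAuthzControl($userDn));
    if ($res === false) {
        // "Proxy Authorization Failure" here means slapd refused the authzId.
        throw new RuntimeException('read failed: ' . ldap_error($ld));
    }
    return ldap_get_entries($ld, $res);
}

// Modify the entry with the same control, so only changes the user could make
// directly (per the ACLs) succeed.
function updateOwnEntry($ld, string $userDn, array $changes): void
{
    if (!ldap_modify($ld, $userDn, $changes, proxyAuthzControl($userDn))) {
        throw new RuntimeException('modify failed: ' . ldap_error($ld));
    }
}

$userDn = clientDnFromApache($_SERVER);
$ld     = connectAsApp(getenv('WEBAPP_LDAP_PASSWORD') ?: '');
$entry  = readOwnEntry($ld, $userDn);
updateOwnEntry($ld, $userDn, ['description' => 'updated via web front end']);
ldap_unbind($ld);
```

On the slapd side this needs `authz-policy to` in slapd.conf and an `authzTo` value on the application's entry; prefer a scoped value such as `authzTo: dn.subtree:ou=people,dc=example,dc=com` over `authzTo: *`, which would let a compromised web application assume any identity in the directory. To check the grant before wiring up the application, the OpenLDAP client tools send the same control: `ldapwhoami -x -D cn=webapp,ou=services,dc=example,dc=com -W -e '!authzid=dn:<user DN>'` should print `dn:<user DN>`, and a "Proxy Authorization Failure" (result code 123) means the authzTo/authz-policy configuration does not cover that identity.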