Ssl – How to configure apache to accept a client ssl certificate (if present) or authenticate using ldap (if the cert is absent)

configurationhttpdssl

I have an Apache server that serves up mercurial repositories and it currently authenticates using ldap credentials.

I want to permit a single user (to start with) to use a SSL client certificate, with all remaining users still able to use the ldap credentials authentication method.

I have looked through Stack Overflow and other wider (google) searches but can not find information/guidance on how to set this up.

The following vhost config only allow the client cert through. I comment out the three statemens related to SSL-client; ladp will work.

<VirtualHost hg.mydomain.com:80>

    ServerName hg.mydomain.com:80
    RedirectMatch permanent ^(.*)$ https://hg.mydomain.com$1

</VirtualHost>

<VirtualHost hg.mydomain.com:443>

        ServerName hg.mydomain.com:443
        # ServerAdmin webmaster@yourdomain.com
        DocumentRoot "/var/hg"
        CustomLog /var/log/httpd/hg-access.log combined
        ErrorLog /var/log/httpd/hg-error.log

        ScriptAliasMatch        ^/(.*)        /var/hg/hgweb.cgi$1
  # SSL Stuff...
        SSLEngine on
        SSLCipherSuite AES+HIGH:3DES+HIGH:RC4:!MD5:!EXPORT:!SSLv2:!aNULL:!eNULL:!KRB5

        # Server Certificate:
        SSLCertificateFile ssl/hg.mydomain.com.crt
        # Server Private Key:
        SSLCertificateKeyFile ssl/hg.mydomain.com.key
        # SSL Protocol Adjustments:
        BrowserMatch ".*MSIE.*" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0

  <Directory /var/hg>
    Options ExecCGI FollowSymlinks
    AddHandler cgi-script .cgi

    AllowOverride AuthConfig
         Order deny,allow
        Allow from all

    #SSL-Client Statements
         SSLVerifyClient optional
         SSLVerifyDepth  1
         SSLRequire   %{SSL_CLIENT_S_DN_CN}  eq "robotuser"

     AuthName "Developers"
         AuthBasicProvider ldap
         # AuthLDAPEnabled On
         AuthLDAPUrl ldaps://ldap.applied.sec/dc=applied,dc=sec?uid
        AuthzLDAPAuthoritative On
        Require valid-user
  </Directory>

    # Taken from http://www.pmwiki.org/wiki/Cookbook/CleanUrls#samedir
    # Used at http://ggap.sf.net/hg/
    RewriteEngine On
    #write base depending on where the base url lives
    #RewriteBase /hg
    RewriteRule ^$ hgweb.cgi  [L]
    # Send requests for files that exist to those files.
    RewriteCond %{REQUEST_FILENAME} !-f
    # Send requests for directories that exist to those directories.
    RewriteCond %{REQUEST_FILENAME} !-d
    # Send requests to hgweb.cgi, appending the rest of url.
    RewriteRule (.*) /hgweb.cgi/$1  [QSA,L]

    Include repos.d/repos.*.conf

It seems like I need to somehow create an alias for the directory block and then apply logic to check for the presence/absence of the client certificate. I do not know how to do that.

If there are other ways to accimplish this. I would love the hear about it.

Best Answer

This is somewhat of a guess (I don't have any easy way to try this) but perhaps some combination of SSLOptions +FakeBasicAuth and Satisfy Any will see you through?

Related Topic