1. Compile and install the module using apxs (APache eXtenSion tool):

    $ /path/to/apache/bin/apxs -c -i mod_auth_cert.c

   If apxs complains about missing OpenSSL headers, add the path to the headers using the -I option of apxs.
2. Instruct apache to load the module by adding

    LoadModule cert_auth_module libexec/mod_auth_cert.so
    # Not required for Apache 2.0
    AddModule mod_auth_cert.c

   to the appropriate places in your httpd.conf

    username:subject dn

   e.g.:

    jdoe:/C=ORG/ST=XY/L=Smallville/O=Foo Org./CN=John Doe/emailAddress=john.doe@foo.org
    fbar:/C=ORG/ST=XY/L=Smallville/O=Foo Org./CN=Foo Bar/emailAddress=foo.bar@foo.org
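
A lint pass over a map file in the username:subject dn format shown above, as an added example that is not part of mod_auth_cert. It assumes the username ends at the first colon, that the DN is in the slash-separated form of the entries above, and that the DN is matched as an exact string; this page states none of these, and the function and sample names are hypothetical.

```python
"""Lint a 'username:subject dn' map file (added example, not module code)."""
from collections import defaultdict

# Constructed sample: the page's two entries plus deliberately bad lines.
DN_TEMPLATE = "/C=ORG/ST=XY/L=Smallville/O=Foo Org./CN={}/emailAddress={}@foo.org"
SAMPLE_MAP = "\n".join([
    "jdoe:" + DN_TEMPLATE.format("John Doe", "john.doe"),
    "fbar:" + DN_TEMPLATE.format("Foo Bar", "foo.bar"),
    "admin:" + DN_TEMPLATE.format("John Doe", "john.doe"),  # same DN as jdoe
    "guest:CN=Guest",                                       # not in /K=V form
    "nocolon",                                              # no separator
    "ops:/C=ORG/O=Foo Org./CN=Ops ",                        # trailing space
])


def lint_certmap(text):
    """Return (mapping, problems) where mapping is {subject_dn: username}.

    Assumption: the username ends at the first colon and the DN is compared
    as an exact string, so stray whitespace would silently break a mapping.
    """
    mapping, problems = {}, []
    users_by_dn = defaultdict(set)
    for lineno, raw in enumerate(text.splitlines(), 1):
        if not raw.strip():
            continue
        user, sep, dn = raw.partition(":")
        if not sep or not user or not dn:
            problems.append((lineno, "malformed"))
            continue
        if user != user.strip() or dn != dn.strip():
            problems.append((lineno, "stray-whitespace"))
            user, dn = user.strip(), dn.strip()
        if not dn.startswith("/"):
            problems.append((lineno, "dn-format"))
            continue
        users_by_dn[dn].add(user)
        # One certificate subject must resolve to exactly one account.
        if len(users_by_dn[dn]) > 1:
            problems.append((lineno, "dn-maps-to-multiple-users"))
            continue
        mapping[dn] = user
    return mapping, problems


if __name__ == "__main__":
    mapping, problems = lint_certmap(SAMPLE_MAP)
    for lineno, kind in problems:
        print(f"line {lineno}: {kind}")
    print(f"{len(mapping)} usable entries")
```
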
The module supports the following per Directory/Location directives:
For this module to work, you have to instruct mod_ssl to require Client Certificates:

    SSLEngine on
    SSLCACertificateFile ...
    # When combining mod_auth_cert with basic authentication use "optional"
    # instead of "require"
    SSLVerifyClient require
    SSLVerifyDepth 10

Have a look at the mod_ssl documentation for more information about these directives.

    # Map client certificate to username, if user has no client certificate
    # or no mapping exists, the web server will return HTTP_FORBIDDEN
    <Location />
        AuthType cert
        CertAuthMapFile conf/certmap
        require valid-user
    </Location>

    # Combine certificate based authentication with authorization from mod_auth
    <Location />
        AuthType cert
        CertAuthMapFile conf/certmap
        AuthGroupFile conf/mygroups
        require group admin
    </Location>

    # Use certificate based authentication if possible or fall back to basic authentication
    <Location />
        AuthType basic
        AuthName "My Realm"
        CertAuthAuthoritative off
        CertAuthMapFile conf/certmap
        AuthGroupFile conf/mygroups
        AuthUserFile conf/myusers
        require group admin
    </Location>