LDAP validation using certificates - apache

I've read about this topic on the mailing list, but I didn't find the solution.
I want to validate LDAP users against Apache using the certificates that the users store in LDAP.
I mean, I create and store the X509 certificates in LDAP. Afterwards I send the certificate to my clients and they install those certificates in their browsers.
Now I want to validate the users using the certificate instead of the username and the password.
I've been reading about third-party modules (ModXAuthLDAP, mod_authz_ldap), but they are very old and don't work in Apache 2.2.
I'd be interested in comments and some kind of solution to do this authentication process.
Kind regards
Martín Sánchez

Related

How to sign an application and a site with SSL

I have a question regarding signing with SSL. I need to sign an application (.exe) written in Delphi. At the same time I also want to sign an Internet portal with which the application communicates. My question is: do signing services generally provide the certificate for the application as well as the certificate for the site? Can you sign the application with the same certificate, or do you need another certificate? Can you sign multiple applications with the same certificate?
Thanks in advance.
Alberto
You need 2 certificates: One for code signing (that is, signing the .exe) and one for SSL (for the website).
You cannot sign the application using the same cert as you are using for SSL.
You can sign as many applications with your code signing certificate as you like.
You may or may not use the SSL cert for multiple hosts (e.g.: blog.domain.com, www.domain.com, chat.domain.com, static.domain.com...); this depends on the type of certificate you are using.
Also: Please note that you can get free SSL certificates (e.g.: LetsEncrypt provides them, and Azure websites can use free "managed" certs from Microsoft). However, to my knowledge, there are no free code signing certificates.

Digital certificate login for a web application

Is there some way to implement login in my MVC web application with an x509 digital certificate?
Using PKIjs (https://pkijs.org/) or another way, is it possible to list all digital certificates stored on the client side?
Thanks
Luciano Castro
Author of PKI.js here.
It is not possible with PKI.js or any other pure JavaScript solution to read certs in the local certificate store.
PKIjs and Forge provide for the browser sandbox to implement X.509-related concepts, but do not allow you to escape the browser same-origin security policy.

Is there a way to redirect a user if a x509 certificate is not selected when going to website?

I am currently working in IBM's Domino (8.52). I have the website set up with SSL and to accept certificates. For the time being I am allowing "Anonymous" access over SSL. The user is prompted to select a certificate when trying to get to the website. But if the user selects the cancel button, the user is returned to the website as an Anonymous user. Is there any way to control where the user will go if a certificate is NOT selected? I would like a server-wide solution but would welcome any possible coding ideas.
V/R,
Kev
How's the weather in VA?
The problem is that you are using the promoteunknowncerttoanonymous=1 ini setting, so you will not see the names on the certs of users unless they have a corresponding x.509 loaded in the person doc.
Remove the ini setting, Disallow anonymous and username/password from both 80 and 443 in server doc, make sure your root x.509 cert is in the keyring, and you should start seeing the usernames from the certs. You will now need to manage the Default setting in all db ACLs, and Anonymous will not be used.

WebLogic 8.1 two-way SSL authentication on a web app full example?

Does anybody have a WebLogic 8.1 two-way SSL full example?
I am developing a small web application (1 HTML, 1 Servlet, 1 JSP) to send confidential data. The client could be a web browser. The server is WebLogic 8.1.
The information should travel encrypted. Besides, the web application needs to authenticate the client using more than a username/password combination. I thought of implementing it using HTTPS and two-way SSL authentication. This way, the user should send me her certificate, which I install on the server, so the web application could know when it is sending information.
Now, I know how to use declarative authorization in a web application, but I am lost on how to specify which users I recognize, and which are their certificates.
I just need a full example of this. A .war and/or the steps to do the basic case.
I don't think you'll find a full example easily, and the question is a bit broad. But the link you provided is a very good starting point.
First, configure Two-Way SSL and use CLIENT-CERT. Clients will need to buy a trusted client certificate or to generate a self-signed certificate that you'll need to add to the server trust store. This may be the hardest part if you're not familiar with PKI, but I've added resources at the end of this answer that cover this part. Load the client certificate in each client's browser.
Second, configure an Identity Assertion provider to map the digital certificate of a Web browser to a user in a WebLogic Server security realm. If required, provide your own user name mapper or use the default one (which uses the attributes from the subject DN of the digital certificate or the distinguished name to map to the appropriate user in the WebLogic Server security realm).
Third, add users corresponding to the Subject's Distinguished Name (SubjectDN) attribute in the client's digital certificate in the WebLogic Security Realm and assign them to groups.
Finally, use these groups in your declarative authorizations.
Sure, it won't be that easy if everything is new but that's basically what you need to do. Maybe start to implement it and open more specific questions if you need more guidance.
More resources:
Two-Way SSL in Weblogic for Developers
The Fifteen Minute Guide to Mutual Authentication
Certificate to User Mapping in WebLogic
How to Set Up X509 Certificate Authentication for Oracle WebLogic Server (transposable to WLS 8.1)

How to use client certificates in Apache httpd to connect to an LDAP for authorization?

I have a site that is using x509 client certificates (2-way SSL) to authenticate users and an LDAP directory that contains authorization information. I would like to use one of the certificate attributes to query the directory (SSL_CLIENT_S_DN_CN, to be exact). I see how to use mod_ssl to use the user's client certificates for authentication, and I see how to use mod_auth_ldap and the like to use the username from basic or form-based authentication to query the LDAP store for authorization. What I haven't seen a good example for is how to use an attribute of the user's client certificate in place of the username to query the LDAP. Any ideas?
A module exists for Apache 2.2.x: modXLDAPAuth
This might help: settingcerts + mod_authnz_ldap (authldapurl)
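The last question (and the first one on this page) comes down to taking a subject attribute from a verified client certificate and using it as the LDAP lookup key. Below is an added example of the backend side of that, not code from any of the posts or from the modules they mention: it assumes mod_ssl exports its variables to the environment (SSLOptions +StdEnvVars) and that users are inetOrgPerson entries keyed by cn; it refuses to look anything up unless SSL_CLIENT_VERIFY is SUCCESS and escapes the CN per RFC 4515 so a certificate subject can never rewrite the filter.

```python
# RFC 4515, section 3: characters that must be escaped inside a filter
# assertion value, written as backslash plus two hex digits.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def ldap_filter_escape(value: str) -> str:
    """Escape one attribute value so it cannot alter the filter structure."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_user_filter(env: dict, base_filter: str = "(objectClass=inetOrgPerson)") -> str:
    """Return the LDAP filter for the entry matching the presented certificate.

    env is the CGI/WSGI environment populated by mod_ssl (pass os.environ
    from a CGI script). Raises PermissionError when the certificate was
    absent or failed verification, so an unverified subject is never used.
    """
    # With SSLVerifyClient optional, subject variables can be present even
    # though the chain did not verify; SSL_CLIENT_VERIFY is the gate.
    if env.get("SSL_CLIENT_VERIFY") != "SUCCESS":
        raise PermissionError(
            "client certificate missing or not verified: %r" % env.get("SSL_CLIENT_VERIFY"))
    cn = env.get("SSL_CLIENT_S_DN_CN", "")
    if not cn:
        raise PermissionError("verified certificate carries no subject CN")
    # The CN is under the issuing CA's control, not the directory's, so it is
    # treated as untrusted input for the filter grammar, like a form username.
    return "(&%s(cn=%s))" % (base_filter, ldap_filter_escape(cn))


if __name__ == "__main__":
    # Constructed sample environments standing in for what mod_ssl exports.
    samples = [
        {"SSL_CLIENT_VERIFY": "SUCCESS", "SSL_CLIENT_S_DN_CN": "alice"},
        {"SSL_CLIENT_VERIFY": "SUCCESS", "SSL_CLIENT_S_DN_CN": "*)(uid=*"},
        {"SSL_CLIENT_VERIFY": "FAILED:self signed certificate", "SSL_CLIENT_S_DN_CN": "mallory"},
    ]
    for sample in samples:
        try:
            print(build_user_filter(sample))
        except PermissionError as exc:
            print("rejected:", exc)
```

The resulting filter is what you would hand to the search that mod_authnz_ldap's AuthLDAPURL performs; the same escaping rule applies if the lookup key is the full DN rather than the CN.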