
In my environment, an external entity provides a Root CA & Intermediate CA(s). They issue thousands of smartcards with PKI certificates for authentication. They populate the Extended Key Usage with Client Authentication (OID 1.3.6.1.5.5.7.3.2) and the Subject Alternative Name field with the user's unique ID number, such as 12345@example.com, which is intended to be the user's Active Directory userPrincipalName (UPN).

These smart cards can be issued for as little as 30 days, or as long as 3 years, and leveraging the UPN for authentication allows users to maintain access when their smart card expires/breaks and they get a new one, without having to re-associate their certificates in Active Directory.

The above authentication scheme works from Windows workstations and servers and from Linux servers, and is immutable (outside of our control).

Now, we are trying to set up HTTPD to authenticate these users with their PKI certificates using SSL/TLS Client Authentication. At the basic level, authenticating users who have a PKI token signed by the intermediates and not revoked by CRL or OCSP works.

What we are trying to do is associate their PKI session with their Active Directory account, so we can do authorization based on Active Directory security group membership.

We can extract the UPN, but it seems there is no way to bridge the mod_ssl client authentication into mod_authnz_ldap authorization scheme.

Below is our proof of concept httpd configuration.

Listen 443 https
<VirtualHost _default_:443>
    SSLEngine on
    .... standard SSL options ....
    <Location /secure-pki>
        SSLVerifyClient require
        SSLVerifyDepth 2

        # How do we map the SSL_CLIENT_SAN_OTHER_msUPN_0 environment variable so mod_authnz_ldap uses it?

        AuthLDAPBindDN "httpd@example.com"
        AuthLDAPBindPassword "apassword"
        AuthLDAPURL "ldaps://ldap1.example.com ldap2.example.com:3269/dc=example,dc=com?userPrincipalName?sub?(objectClass=user)"
        Require ldap-group cn=Managers,ou=Groups,dc=example,dc=com
    </Location>
</VirtualHost>

So, in essence, we can't figure out how to map the SSL_CLIENT_SAN_OTHER_msUPN_0 environment variable to mod_authnz_ldap's username so mod_authnz_ldap uses it for the authorization check.

ruckc
  • I don’t think you can query active directory like this without authenticating. How are you authenticating to AD so you can query group membership? You could pass through the user’s credentials or set a service account. But this is a little bit out of my league, so I may be wrong. – Appleoddity Nov 11 '17 at 04:24
  • This may be useful: https://stackoverflow.com/questions/7635380/apache-ssl-client-certificate-ldap-authorizations – Joshua Griffiths Nov 11 '17 at 10:30
  • @Appleoddity I was trying to keep the example simple, i added binding with a service account. – ruckc Nov 11 '17 at 15:25
  • @JoshuaGriffiths that example shows using the certificate DN's CN to tie to the ldap account, as it sets that as the username. I need to extract the username from Active Directory LDAP (sAMAccountName) as that is what needs to be set in REMOTE_USER. – ruckc Nov 11 '17 at 15:27
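The question leaves the httpd-directive mapping unresolved, but the bridge it asks for has a well-defined shape: take the UPN that mod_ssl extracted from the certificate SAN, search AD for the account whose userPrincipalName matches it, use that entry's sAMAccountName as REMOTE_USER, and test the entry's group membership. The following is an added example (not code from the question, its comments, or the Apache project) that implements exactly that logic in Python, the way a CGI or WSGI layer behind the `<Location /secure-pki>` above would. It assumes `SSLOptions +StdEnvVars` is enabled so mod_ssl exports `SSL_CLIENT_SAN_OTHER_msUPN_0` and `SSL_CLIENT_VERIFY` into the request environment; the directory contents and request environments are constructed sample data, and `InMemoryDirectory` stands in for a real search against the `ldaps://...:3269` global catalog. The search filter it builds is the one mod_authnz_ldap derives from the poster's AuthLDAPURL (base filter AND-ed with the username attribute); the value is escaped per RFC 4515 because a certificate field must never be interpolated into a filter raw. The nested-membership variant uses AD's LDAP_MATCHING_RULE_IN_CHAIN OID, which AD evaluates transitively.

```python
import os
import re
from dataclasses import dataclass
from typing import Iterable, List, Mapping, Optional

# Variable mod_ssl exports for the first msUPN otherName in the client
# certificate's SAN (assumes "SSLOptions +StdEnvVars" in the <Location>).
UPN_VAR = "SSL_CLIENT_SAN_OTHER_msUPN_0"

# Microsoft's LDAP_MATCHING_RULE_IN_CHAIN: lets AD evaluate nested group membership.
IN_CHAIN_RULE = "1.2.840.113556.1.4.1941"


def escape_filter_value(value: str) -> str:
    """Escape an assertion value per RFC 4515 (backslash must be handled first)."""
    out = value.replace("\\", "\\5c")
    for ch, hexcode in (("*", "\\2a"), ("(", "\\28"), (")", "\\29"), ("\x00", "\\00")):
        out = out.replace(ch, hexcode)
    return out


def build_user_filter(upn: str, base_filter: str = "(objectClass=user)",
                      attribute: str = "userPrincipalName") -> str:
    """The search mod_authnz_ldap derives from the question's AuthLDAPURL:
    the URL's filter AND-ed with the attribute the username must match."""
    return f"(&{base_filter}({attribute}={escape_filter_value(upn)}))"


def build_nested_group_filter(upn: str, group_dn: str) -> str:
    """Single-query variant: matches the user only if AD resolves them
    (transitively) into group_dn. The primary group (usually Domain Users)
    is not in memberOf, so it is not covered."""
    return (f"(&(objectClass=user)(userPrincipalName={escape_filter_value(upn)})"
            f"(memberOf:{IN_CHAIN_RULE}:={escape_filter_value(group_dn)}))")


def normalize_dn(dn: str) -> str:
    """Crude DN normalisation for comparison: AD DNs are case-insensitive and
    whitespace around the separators is optional."""
    return re.sub(r"\s*,\s*", ",", dn.strip()).lower()


class InMemoryDirectory:
    """Constructed stand-in for an AD search; replace find_user() with a real
    search that sends build_user_filter() to the global catalog."""

    def __init__(self, entries: Iterable[Mapping[str, object]]):
        self._entries: List[Mapping[str, object]] = list(entries)

    def find_user(self, upn: str) -> Optional[Mapping[str, object]]:
        # AD matches userPrincipalName case-insensitively.
        for entry in self._entries:
            if str(entry.get("userPrincipalName", "")).lower() == upn.lower():
                return entry
        return None


@dataclass
class AuthzResult:
    allowed: bool
    remote_user: Optional[str]  # sAMAccountName to expose as REMOTE_USER
    reason: str


def authorize(environ: Mapping[str, str], directory: InMemoryDirectory,
              required_group_dn: str) -> AuthzResult:
    """Bridge: verified client cert -> UPN -> AD account -> group membership."""
    # Defence in depth: even with SSLVerifyClient require, refuse anything that
    # is not a successfully verified certificate (guards against an
    # "optional" misconfiguration elsewhere in the vhost).
    if environ.get("SSL_CLIENT_VERIFY") != "SUCCESS":
        return AuthzResult(False, None, "client certificate not verified")
    upn = environ.get(UPN_VAR, "")
    if not upn:
        return AuthzResult(False, None, "no msUPN otherName in certificate SAN")
    entry = directory.find_user(upn)
    if entry is None:
        return AuthzResult(False, None, f"no AD account with UPN {upn!r}")
    sam = str(entry["sAMAccountName"])
    groups = {normalize_dn(str(g)) for g in entry.get("memberOf", [])}
    if normalize_dn(required_group_dn) not in groups:
        return AuthzResult(False, sam, f"{sam} is not a member of {required_group_dn}")
    return AuthzResult(True, sam, "ok")


# Constructed sample directory (hypothetical accounts and groups).
SAMPLE_DIRECTORY = InMemoryDirectory([
    {"dn": "CN=Jane Doe,OU=People,DC=example,DC=com",
     "userPrincipalName": "12345@example.com", "sAMAccountName": "jdoe",
     "memberOf": ["CN=Managers,OU=Groups,DC=example,DC=com",
                  "CN=Staff,OU=Groups,DC=example,DC=com"]},
    {"dn": "CN=John Roe,OU=People,DC=example,DC=com",
     "userPrincipalName": "67890@example.com", "sAMAccountName": "jroe",
     "memberOf": ["CN=Staff,OU=Groups,DC=example,DC=com"]},
])
REQUIRED_GROUP = "cn=Managers,ou=Groups,dc=example,dc=com"  # from the Require line

if __name__ == "__main__":
    # Behind httpd the SSL_* variables arrive in os.environ; offline we use a
    # constructed request so the script runs stand-alone.
    env = dict(os.environ) if UPN_VAR in os.environ else {
        "SSL_CLIENT_VERIFY": "SUCCESS", UPN_VAR: "12345@example.com"}
    print(build_user_filter(env[UPN_VAR]))
    print(authorize(env, SAMPLE_DIRECTORY, REQUIRED_GROUP))
```

Two points worth keeping in mind when wiring this into a real deployment: the poster's comment above is right that REMOTE_USER should end up as the sAMAccountName, which the certificate does not carry, so a lookup against AD is unavoidable even though mod_ssl's `SSLUserName` directive can copy any `SSL_*` variable straight into REMOTE_USER; and whatever does the lookup must treat the UPN as untrusted input for filter purposes, which is why the escaping is in the path even though the value comes from a CA-issued certificate.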

0 Answers