In my environment, an external entity provides a Root CA and Intermediate CA(s). They issue thousands of smartcards with PKI certificates for authentication. The certificates carry the Client Authentication OID (1.3.6.1.5.5.7.3.2) in the Extended Key Usage extension and a Subject Alternative Name field that holds the user's unique ID number, e.g. 12345@example.com, which is intended to be the user's Active Directory userPrincipalName (UPN).
These smart cards can be issued for as little as 30 days or as long as 3 years, and leveraging the UPN for authentication lets users keep their access when a smart card expires or breaks and they get a new one, without having to re-associate their certificates in Active Directory.
The above authentication scheme works from Windows workstations, Windows servers and Linux servers, and is immutable (outside of our control).
Now, we are trying to set up HTTPD to authenticate these users with their PKI certificates using SSL/TLS client authentication. At the basic level, authenticating users who present a PKI token that is signed by the intermediates and not revoked (per CRL or OCSP) works.
What we are trying to do is associate their PKI session with their Active Directory account, so we can do authorization based on Active Directory security group membership.
We can extract the UPN, but there seems to be no way to bridge mod_ssl client authentication into the mod_authnz_ldap authorization scheme.
Below is our proof-of-concept httpd configuration:
Listen 443 https
<VirtualHost _default_:443>
    SSLEngine on
    .... standard SSL options ....
    <Location /secure-pki>
        SSLVerifyClient require
        SSLVerifyDepth 2
        # How do we map the SSL_CLIENT_SAN_OTHER_msUPN_0 environment variable so mod_authnz_ldap uses it?
        AuthLDAPBindDN "httpd@example.com"
        AuthLDAPBindPassword "apassword"
        AuthLDAPURL "ldaps://ldap1.example.com ldap2.example.com:3269/dc=example,dc=com?userPrincipalName?sub?(objectClass=user)"
        Require ldap-group cn=Managers,ou=Groups,dc=example,dc=com
    </Location>
</VirtualHost>
So, in essence, we can't figure out how to map the SSL_CLIENT_SAN_OTHER_msUPN_0 environment variable to mod_authnz_ldap's username so that mod_authnz_ldap uses it for the authorization check.
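As an added example (not part of the original post, and not httpd's own code), here is a Python stand-in for what that bridge has to do: parse the AuthLDAPURL above, build the search filter mod_authnz_ldap would send for the UPN taken from SSL_CLIENT_SAN_OTHER_msUPN_0 (with RFC 4515 escaping so the certificate value cannot alter the filter), and evaluate the Require ldap-group check. The in-memory directory contents and the per-host port handling are assumptions.

```python
from urllib.parse import unquote

# Constructed sample data: the AuthLDAPURL from the config above and a tiny
# in-memory stand-in for Active Directory (assumption, not a real LDAP server).
AUTH_LDAP_URL = ("ldaps://ldap1.example.com ldap2.example.com:3269/dc=example,dc=com"
                 "?userPrincipalName?sub?(objectClass=user)")
DIRECTORY = {
    "cn=Alice,ou=Users,dc=example,dc=com": {"userPrincipalName": ["12345@example.com"]},
    "cn=Managers,ou=Groups,dc=example,dc=com": {"member": ["cn=Alice,ou=Users,dc=example,dc=com"]},
}

def parse_auth_ldap_url(url):
    """Split an httpd AuthLDAPURL: scheme://host[:port] [host[:port] ...]/basedn?attr?scope?filter.
    Missing attr/scope/filter take httpd's defaults; assumption: a port applies only to its own host."""
    scheme, rest = url.split("://", 1)
    authority, _, rest = rest.partition("/")
    path, _, query = rest.partition("?")
    default_port = 636 if scheme == "ldaps" else 389
    hosts = []
    for entry in authority.split():
        name, _, port = entry.partition(":")
        hosts.append((name, int(port) if port else default_port))
    q = (query.split("?") + ["", "", ""])[:3]
    return {"scheme": scheme, "hosts": hosts, "basedn": unquote(path),
            "attribute": q[0] or "uid", "scope": q[1] or "sub",
            "filter": q[2] or "(objectClass=*)"}

def ldap_filter_escape(value):
    """RFC 4515 escaping, so a value taken from a certificate cannot rewrite the filter."""
    return "".join("\\%02x" % b if b in b"*()\\\x00" or not 0x20 <= b < 0x7f else chr(b)
                   for b in value.encode("utf-8"))

def user_search_filter(parts, upn):
    """The search mod_authnz_ldap issues: the URL filter ANDed with attribute=user."""
    return "(&%s(%s=%s))" % (parts["filter"], parts["attribute"], ldap_filter_escape(upn))

def find_user_dn(parts, upn):
    # Stand-in for the server-side search: match the URL's attribute under its base DN.
    for dn, attrs in DIRECTORY.items():
        if dn.lower().endswith(parts["basedn"].lower()) and upn in attrs.get(parts["attribute"], []):
            return dn
    return None

def require_ldap_group(parts, upn, group_dn):
    """Mirror 'Require ldap-group': user DN listed in member/uniqueMember (httpd's defaults)."""
    user_dn = find_user_dn(parts, upn)
    members = [m.lower() for a in ("member", "uniqueMember") for m in DIRECTORY.get(group_dn, {}).get(a, [])]
    return user_dn is not None and user_dn.lower() in members
```

Against a real server, the string from user_search_filter() is what the search request carries; the escaping step is the part to keep whatever module ends up doing the lookup.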