[horde] Horde authentication with client SSL digital certificates
Cliff Green
green at umdnj.edu
Mon Jun 5 06:47:20 PDT 2006
On Jun 4 at 10:23pm, Fabio Pietrosanti wrote:
FP> I would like to know which modules would need to be modified in order
FP> to be able to authenticate users with client-side SSL certificates.
FP>
FP> Is there some quick hack to implement this kind of functionality?
You should be able to use the Basic Auth backend. Apache, for example,
uses the 'FakeBasicAuth' directive to permit this (see below), and *I'm
going to assume you're using Apache* - these comments probably won't help
if you're not. You may have to use 'plain' as the password encryption
type (dunno, haven't tried this with Horde), but if you're using Apache as
your webserver, you would set up authentication within either the virtual
host or directory directive stanza for your Horde services. You should
read the SSL/TLS Strong Encryption How-To in the Apache man pages,
specifically looking for Client Authentication, since YMMV. After that,
you'll have to work out some kind of hook to allow authentication to your
mail backend (I'm assuming some other service, like imap, since you didn't
go into any detail about the relationship between your Horde server and
what services you're offering).
However, we've used the following directives successfully:
(beware of long line wrapping in this cut'n'paste, and note inline
comments in square brackets)
<--fairly strict auth requirements for one or two administrators begin-->
<Directory [absolute path to directory for service, in quotes]>
  SSLOptions +StdEnvVars +ExportCertData +FakeBasicAuth \
             +OptRenegotiate +CompatEnvVars
  SSLVerifyClient require
  SSLVerifyDepth 5
  SSLRequireSSL
  SSLRequire %{SSL_CLIENT_I_DN_CN} eq "[text of the CN of the Issuer DN of client's certificate]" \
         and %{SSL_CLIENT_S_DN_O}  eq "[text of the O of the Subject DN in client's certificate]" \
         and %{SSL_CLIENT_S_DN_CN} in {"[CN of the Subject DN in one client's certificate]", \
                                       "[CN of the Subject DN in another client's certificate, one or more comma delimited]"}
</Directory>
<---fairly strict auth requirements for one or two administrators end--->
Or, more to your needs (note that we use custom error messages for
failures here - basically adding a strong FORBIDDEN warning for
trespassers):
<--requirements for many users with certs from a given CA begin-->
<Directory [path to directory where the application lives]>
  SSLOptions +StdEnvVars +ExportCertData +OptRenegotiate \
             +FakeBasicAuth
  SSLVerifyClient require
  SSLVerifyDepth 5
  SSLRequireSSL
  SSLRequire %{SSL_CLIENT_I_DN_CN} eq "[text of CN of Issuer DN of client's certificate]" \
         and %{SSL_CLIENT_S_DN_O}  eq "[text of O of Subject DN in client's certificate]" \
         and %{SSL_CLIENT_S_DN_OU} eq "[text of OU of Subject DN in client's certificate]"
  ErrorDocument 403 /custom/403.html
  ErrorDocument 500 /custom/403.html
</Directory>
<---requirements for many users with certs from a given CA end--->
You *will* want to read the mod_ssl docs as well, for deciphering the
certificate-specific environment variables (as above); you will want to
choose the ones relevant to your use.
You *will* want to adjust some of the values above (like SSLVerifyDepth)
for your own needs. Do *NOT* just plug in these values.
Hope this helps,
c
--
Clifford Green Internet - green at umdnj.edu
Business Systems & Technologies UMDNJ-IST
90% of being smart is knowing what you're dumb at.
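As an added illustration (not part of Cliff's reply, and not Horde or Apache code), the following Python models what the two <Directory> stanzas above enforce. With +StdEnvVars, mod_ssl exports the verified client certificate's fields as environment variables (SSL_CLIENT_VERIFY, SSL_CLIENT_I_DN_CN, SSL_CLIENT_S_DN_O, SSL_CLIENT_S_DN_OU, SSL_CLIENT_S_DN_CN, SSL_CLIENT_S_DN); SSLRequire is a boolean expression over them, evaluated only after SSLVerifyClient has validated the chain; and +FakeBasicAuth then treats the request as Basic Auth with the subject DN as user name and the fixed password "password" (DES-crypted form xxj31ZMTZzkVA, as documented for mod_ssl). The CA names, organisation, OU, and certificates below are constructed sample values, and the policy functions are this example's own, not an Apache API.

```python
"""Python model of the access rules in the two <Directory> stanzas.

Added example, not code from the original post or from Horde/Apache.
All policy values and certificates are constructed sample data.
"""

# Constructed policy for the "one or two administrators" stanza.
ADMIN_POLICY = {
    "issuer_cn": "Example Internal CA",           # %{SSL_CLIENT_I_DN_CN} eq ...
    "subject_o": "Example Org",                   # %{SSL_CLIENT_S_DN_O}  eq ...
    "subject_cns": {"Alice Admin", "Bob Admin"},  # %{SSL_CLIENT_S_DN_CN} in {...}
}

# Constructed policy for the "many users with certs from a given CA" stanza.
USER_POLICY = {
    "issuer_cn": "Example Internal CA",
    "subject_o": "Example Org",
    "subject_ou": "Staff",                        # %{SSL_CLIENT_S_DN_OU} eq ...
}

# Under +FakeBasicAuth every passing certificate is presented to Basic Auth
# with this password (DES crypt of "password"), as documented for mod_ssl.
FAKE_BASIC_AUTH_CRYPT = "xxj31ZMTZzkVA"


def chain_verified(env):
    """SSLVerifyClient require: SSLRequire only runs once the chain validated
    against the server's trusted CAs (mod_ssl reports this in SSL_CLIENT_VERIFY)."""
    return env.get("SSL_CLIENT_VERIFY") == "SUCCESS"


def admin_allowed(env):
    """The first stanza: right issuer, right O, CN in the short admin list."""
    return (chain_verified(env)
            and env.get("SSL_CLIENT_I_DN_CN") == ADMIN_POLICY["issuer_cn"]
            and env.get("SSL_CLIENT_S_DN_O") == ADMIN_POLICY["subject_o"]
            and env.get("SSL_CLIENT_S_DN_CN") in ADMIN_POLICY["subject_cns"])


def user_allowed(env):
    """The second stanza: right issuer, right O, right OU, any CN."""
    return (chain_verified(env)
            and env.get("SSL_CLIENT_I_DN_CN") == USER_POLICY["issuer_cn"]
            and env.get("SSL_CLIENT_S_DN_O") == USER_POLICY["subject_o"]
            and env.get("SSL_CLIENT_S_DN_OU") == USER_POLICY["subject_ou"])


def fake_basic_auth_user(env):
    """User name the Basic Auth backend sees under +FakeBasicAuth: the subject DN."""
    return env["SSL_CLIENT_S_DN"]


def htpasswd_entry(env):
    """Line an AuthUserFile would need for this certificate holder."""
    return f"{fake_basic_auth_user(env)}:{FAKE_BASIC_AUTH_CRYPT}"


def make_env(verify, issuer_cn, subject_o, subject_ou, subject_cn):
    """Build the subset of mod_ssl variables used above (constructed values;
    the DN string follows OpenSSL's one-line /O=.../OU=.../CN=... form)."""
    return {
        "SSL_CLIENT_VERIFY": verify,
        "SSL_CLIENT_I_DN_CN": issuer_cn,
        "SSL_CLIENT_S_DN": f"/O={subject_o}/OU={subject_ou}/CN={subject_cn}",
        "SSL_CLIENT_S_DN_O": subject_o,
        "SSL_CLIENT_S_DN_OU": subject_ou,
        "SSL_CLIENT_S_DN_CN": subject_cn,
    }


# Constructed sample certificates.
ALICE = make_env("SUCCESS", "Example Internal CA", "Example Org", "IT", "Alice Admin")
CAROL = make_env("SUCCESS", "Example Internal CA", "Example Org", "Staff", "Carol User")
# Same subject fields but issued by a different CA that the server also trusts:
# the chain validates, and only the issuer-CN test in SSLRequire stops it.
OTHER_CA = make_env("SUCCESS", "Some Other CA", "Example Org", "Staff", "Carol User")
# Chain did not validate: SSLVerifyClient require rejects it before SSLRequire.
BROKEN = make_env("FAILED:unable to get local issuer certificate",
                  "Example Internal CA", "Example Org", "Staff", "Dave User")

if __name__ == "__main__":
    for name, env in [("alice", ALICE), ("carol", CAROL),
                      ("other_ca", OTHER_CA), ("broken", BROKEN)]:
        print(f"{name:9s} admin={admin_allowed(env)!s:5s} "
              f"user={user_allowed(env)!s:5s} basic-auth user={fake_basic_auth_user(env)}")
```

The OTHER_CA case is the reason the reply tests the issuer CN before anything in the subject: once more than one CA is trusted for SSLVerifyClient, subject fields alone say nothing about who vouched for them. The htpasswd_entry function shows why the Basic Auth backend's password handling matters under FakeBasicAuth: every certificate holder shares the same fixed password, so the real check is the certificate chain plus SSLRequire, not the password.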