TL/DR: How to set up a second-factor question besides SSLVerifyClient?
Hi! Please excuse me if this question is misplaced here. It's more of an Apache config issue.
Trying to set up 2FA for a web application via the Apache plugin. The application uses user certificates via SSLVerifyClient optional, and the user certificate's CN is tested against LDAP to assign a group.
If I now add the AuthBasicProvider wsgi, the application does not receive the user certificate any more. It's not PrivacyIDEA's fault: AuthBasicProvider wsgi works on an empty vhost.
- Tried via reverse proxy where the BasicAuth is in a separate vhost from the SSLVerifyClient, but that does not seem to work.
- Tried rewriting by setting RequestHeader, e.g. RequestHeader set SSL_SERVER_S_DN_CN "%{SSL_CLIENT_S_DN_CN}s"
Could you give me a hint on how to troubleshoot or mitigate this?
Thanks a bunch!
Without second factor:
<VirtualHost *:443>
    ServerName application.company.corp
    DocumentRoot /var/www/application/app/webroot
    <Directory /var/www/application/app/webroot>
        Options -Indexes
        AllowOverride all
        Order allow,deny
        allow from all
    </Directory>
    SSLEngine On
    SSLCertificateFile /etc/ssl/private/application.crt
    SSLCertificateKeyFile /etc/ssl/private/application.key
    SSLCACertificateFile /etc/ssl/private/sso_ca.crt
    SSLOptions +StdEnvVars +ExportCertData
    SSLVerifyClient optional
    SSLVerifyDepth 1
    SSLVerifyClient optional_no_ca
    LogLevel warn
    ErrorLog /var/log/apache2/application.local_error.log
    CustomLog /var/log/apache2/application.local_access.log combined
    ServerSignature Off
</VirtualHost>
From the Apache log:
[Wed May 23 15:19:10.942509 2018] [auth_basic:error] [pid 53746] [client 10.10.10.5:52002] AH01617: user exampleuser: authentication failure for "/index.htm": Password Mismatch
(...)
[Wed May 23 15:59:21.841165 2018] [auth_basic:error] [pid 53748] [client 10.10.10.5:64591] AH01617: user exampleuser: authentication failure for "/index.php": Password Mismatch
From the privacyIDEA log:
[2018-05-23 15:59:18,712][15275][140603824219904][INFO][privacyidea.lib.user:230] user u'exampleuser' found in resolver u'LDAP_GROUPNAME'
[2018-05-23 15:59:18,712][15275][140603824219904][INFO][privacyidea.lib.user:231] userid resolved to '0d1cacd1-a859-a859-a859-08b942408aeb'
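As an added example (not part of the original post or of privacyIDEA), the check below reads a vhost block like the one above and reports the effective SSLVerifyClient mode. Apache applies the last directive in a context, so the posted vhost effectively runs with optional_no_ca, which means the client certificate is not validated against SSLCACertificateFile and SSL_CLIENT_S_DN_CN must be treated as untrusted input before it is mapped to an LDAP group; the vhost text is a constructed copy of the relevant lines.

```python
import re

# Constructed copy of the relevant lines of the vhost from the post.
VHOST_CONF = """
<VirtualHost *:443>
SSLEngine On
SSLVerifyClient optional
SSLVerifyDepth 1
SSLVerifyClient optional_no_ca
</VirtualHost>
"""

# Whether mod_ssl validates the client certificate chain against
# SSLCACertificateFile for each SSLVerifyClient mode.
CA_VALIDATED = {"none": False, "optional": True,
                "require": True, "optional_no_ca": False}


def ssl_verify_client_directives(conf):
    """Return (line_number, value) for every SSLVerifyClient directive."""
    found = []
    for n, line in enumerate(conf.splitlines(), 1):
        m = re.match(r"\s*SSLVerifyClient\s+(\S+)", line, re.IGNORECASE)
        if m:
            found.append((n, m.group(1).lower()))
    return found


def effective_verify_mode(conf):
    """The last directive in a context wins; no directive means 'none'."""
    found = ssl_verify_client_directives(conf)
    return found[-1][1] if found else "none"


def lint(conf):
    """Return human-readable findings about client-certificate handling."""
    findings = []
    found = ssl_verify_client_directives(conf)
    if len(found) > 1:
        findings.append("conflicting SSLVerifyClient on lines %s; effective "
                        "value is %r" % ([n for n, _ in found], found[-1][1]))
    mode = effective_verify_mode(conf)
    if not CA_VALIDATED[mode]:
        # With optional_no_ca, SSL_CLIENT_VERIFY is not SUCCESS for an
        # unvalidated chain, so the CN must not be trusted for authorization.
        findings.append("mode %r skips CA validation; treat SSL_CLIENT_S_DN_CN "
                        "as untrusted unless SSL_CLIENT_VERIFY is SUCCESS" % mode)
    return findings


if __name__ == "__main__":
    for finding in lint(VHOST_CONF):
        print(finding)
```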