plugin:authclientcert
Differences
This shows you the differences between two versions of the page.
plugin:authclientcert [2019-02-15 13:53] – created paweljasinski | plugin:authclientcert [2019-10-25 10:12] (current) – Dr-Yukon | ||
---|---|---|---|
Line 1: | Line 1: | ||
- | ====== | + | ====== |
---- plugin ---- | ---- plugin ---- | ||
- | description: | + | description: |
- | author | + | author |
email : pawel.jasinski@gmail.com | email : pawel.jasinski@gmail.com | ||
type : auth | type : auth | ||
- | lastupdate : 2019-02-15 | + | lastupdate : 2019-03-30 |
compatible : Greebo | compatible : Greebo | ||
depends | depends | ||
- | conflicts | + | conflicts |
similar | similar | ||
tags : authentication x509 smartcard | tags : authentication x509 smartcard | ||
- | downloadurl: | + | downloadurl: |
- | bugtracker : http:// | + | bugtracker : https:// |
- | sourcerepo : http:// | + | sourcerepo : https:// |
donationurl: | donationurl: | ||
Line 23: | Line 23: | ||
===== Description ===== | ===== Description ===== | ||
- | This plugin authenticate user based on content of client certificate provided by reverse proxy or web server. The certificate is picked up from _SERVER variable. Either SSL_CLIENT_CERT or any HTTP header can be configured as source of certificate. This plugin expects certificate in PEM format. The BEGIN/END CERTIFICATE fields are optional. | + | This plugin authenticate user based on content of client certificate provided by a reverse proxy or a web server. The certificate is picked up from the _SERVER variable. Either SSL_CLIENT_CERT or any HTTP header can be configured as a source of certificate. This plugin expects certificate in PEM format. The BEGIN/END CERTIFICATE fields are optional. |
- | The certificate validation | + | This plugin does not perform any certificate validation. It is up to the configured |
The following table shows mapping between certificate fields and user info. | The following table shows mapping between certificate fields and user info. | ||
- | ^Certificate | + | ^ Certificate |
- | |name employeeNumber (OID: | + | | name employeeNumber (OID: |
- | |extensions subjectAltName email |email| | + | | extensions subjectAltName email |email |
- | |subject CN | real name| | + | | subject CN | real name| |
+ | If the certificate is present and all of the above fields are not empty, a user is logged in. New users are created on the first login - random passwords are generated for consistency. | ||
- | If the certificate is present | + | Logging out and profile editing |
- | authclientcert uses authplain as backend storage. | + | |
+ | Authclientcert plugin uses [[plugin: | ||
===== Installation ===== | ===== Installation ===== | ||
- | Install the plugin using the [[plugin: | + | * Install the plugin using the [[plugin: |
- | + | | |
- | Disable anonymous access and self registration | + | |
- | + | | |
- | Select plugin as a authentication backend | + | |
- | + | | |
- | Configure reverse proxy to validate and deliver certificate in X_SSL_CLIENTCERT_BASE64 header | + | |
- | + | ||
- | Configure name of http header where certificate is delivered HTTP_X_SSL_CLIENTCERT_BASE64 | + | |
- | + | ||
- | Configure name of the group where new users are assigned. | + | |
===== Development ===== | ===== Development ===== | ||
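Review bot: The new Description says the plugin performs no certificate validation and takes the certificate from SSL_CLIENT_CERT or "any HTTP header", but nothing visible in this hunk tells the administrator that the configured header must be set by the reverse proxy itself and that any copy of it arriving from the client must be dropped or overwritten there. Because a user is logged in whenever the three mapped fields are non-empty, I would add a sentence to that effect next to "This plugin does not perform any certificate validation", and state that the wiki should be reachable only through that proxy. Wording: "This plugin authenticate user" should read "authenticates a user", and "all of the above fields are not empty" is clearer as "none of the above fields is empty".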
Line 58: | Line 53: | ||
=== Change Log === | === Change Log === | ||
- | * **2019-02-15** | + | * **2019-02-16** |
* Initial release | * Initial release | ||
+ | * **2019-03-30** | ||
+ | * It is allowed to delete a user | ||
+ | * If login is password based, logout is enabled | ||
=== Known Bugs and Issues === | === Known Bugs and Issues === | ||
- | This plugin does not work with authchained. | + | This plugin does not work with [[plugin:authchained|authchained]]. |
=== ToDo/Wish List === | === ToDo/Wish List === | ||
The selection of the fields and mapping is hard coded to match content of a smartcard I have. It is very likely that the selection does not match your cetificate. | The selection of the fields and mapping is hard coded to match content of a smartcard I have. It is very likely that the selection does not match your cetificate. | ||
- | The easiest way to adjust it: edit plugins auth.php. | + | |
+ | The easiest way to adjust it is to edit plugins auth.php. | ||
Long term it make sense to capture most common cases as configuration. Please, let me know about your needs by opening an issue at [[https:// | Long term it make sense to capture most common cases as configuration. Please, let me know about your needs by opening an issue at [[https:// | ||
- | |||
===== FAQ ===== | ===== FAQ ===== | ||
- | |||
===== Discussion ===== | ===== Discussion ===== | ||
- | |||
- | |||
- | |||
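Review bot: The 2019-03-30 entry "It is allowed to delete a user" does not say what happens when the deleted user presents the same certificate again. The Description states that new users are created on the first login, so the change log or the Description should say whether such a user is recreated automatically and, if so, that access has to be withdrawn at the certificate or proxy level. The initial release date also moves from 2019-02-15 to 2019-02-16 while the revision header shows the page was created on 2019-02-15; please confirm which date is correct. In the unchanged ToDo text, "cetificate" and "it make sense" are typos worth fixing in the same edit.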
plugin/authclientcert.1550235195.txt.gz · Last modified: 2019-02-15 13:53 by paweljasinski