Certificate Authentication and LDAP Checking with PHP


Summary

Web pages can be protected using client certificates and an institutional LDAP directory. If a page is accessed by a user without a valid certificate, or with a certificate whose subject is not listed in the LDAP, an error message is returned instead of the page. This protection requires:

What is ssl_ldapcheck.php

ssl_ldapcheck.php is a small class that reads the SSL client variables the web server sets for the presented certificate and queries LDAP to see whether the certificate's subject is listed there. The code relies on the web server to decide which certificates are acceptable (which CA issued them, and whether the chain verified); the class only confirms that the subject of an already-verified certificate is still in the directory. The ssl_ldapcheck class may be configured for environments other than Dartmouth College. The configuration variables and result messages are all easily customizable, and are listed below.

	////////////////////////////////////////////////////////////////////
	//
	//	 configuration variables
	//
	//////////////////////////////////////////////////////////////////////
	// the source for name checking
	  $LDAP = "dnd.dartmouth.edu";
	// the base DN for finding users
	  $BASE_DN = "dc=dartmouth,dc=edu";
	// a url or other source for certificates
	  $CERT_SOURCE = "https://collegeca.dartmouth.edu";
	//
	// result messages
	  $VALID = "valid";
	  $GENERIC_ERROR = "Error in ssl_ldapcheck";
	  $NOT_IN_LDAP = " not found in ".$LDAP.".";
	  $LDAP_UNREACHABLE = "Could not reach ".$LDAP." to confirm user identity.";
	  $NO_CERT_INFO = "No certificate information found.  Please try again using HTTPS.  You may need to request a certificate from ".$CERT_SOURCE;
  	

Using ssl_ldapcheck.php

To use ssl_ldapcheck.php, create an instance of the class and call its check_cert() function. On webster, ssl_ldapcheck.php is in the global include_path and can simply be included by name. On other servers, it will be necessary to copy ssl_ldapcheck.php into the current directory or elsewhere on the include_path. The server must be configured to request certificates on SSL access; at Dartmouth, that is accomplished by adding a .sslaccess file. If check_cert() returns "valid", the user presented a certificate that the server verified and the subject of that certificate was found in the LDAP. Otherwise, one of the result messages listed above is returned, stating exactly which check failed. You can get the source for ssl_ldapcheck.php here. You can see the source for an example using ssl_ldapcheck.php here, or click here to try it out.

Converting .html to .php

To convert a .html file into a .php file, just change the extension. Plain HTML passes through the PHP interpreter unchanged, so the extra functionality PHP provides can be ignored until it is needed. More information about PHP can be found here, here and elsewhere on the internet.


Protecting an Entire Directory at Dartmouth

On webster, .htaccess files and .sslaccess files control access to files. The .sslaccess file contains the information required to enable certificate checking. An .sslaccess file containing the lines

		SSLVerifyClient require
		SSLVerifyDepth 5
  	
tells the server to require a client certificate for https connections to that directory. To restrict access to the entire directory rather than to individual pages, add a line such as "deny from all" to the directory's .htaccess file. Other servers can be configured using the directions at https://www.dartmouth.edu/~pkilab/pages/Web_Access_Control.html.
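For a server that does not have Dartmouth's .sslaccess mechanism, the following is an added example (not from this page or the Dartmouth setup) of the Apache httpd configuration that gives ssl_ldapcheck.php something to check. The certificate paths, host name and the /protected/ location are placeholders.

```apache
# Added example: generic Apache httpd equivalent of the .sslaccess lines.
# File paths, host name and the /protected/ location are placeholders.
<VirtualHost *:443>
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/www.example.edu.pem
    SSLCertificateKeyFile /etc/ssl/private/www.example.edu.key

    # Only client certificates chaining to this CA are acceptable.  This
    # file, not the PHP code, decides what a valid certificate is.
    SSLCACertificateFile  /etc/ssl/certs/college-ca.pem

    <Location /protected/>
        # the two lines the page puts in .sslaccess
        SSLVerifyClient require
        SSLVerifyDepth  5

        # refuse the plain-http version of the same path
        SSLRequireSSL

        # export SSL_CLIENT_VERIFY, SSL_CLIENT_S_DN, SSL_CLIENT_S_DN_CN, ...
        # to CGI/PHP; without this, $_SERVER contains none of them and
        # the PHP check cannot see the certificate at all
        SSLOptions +StdEnvVars
    </Location>
</VirtualHost>
```

SSLCACertificateFile is the line that matters most for security: with SSLVerifyClient require but a CA bundle that includes public CAs, any commercially issued client certificate would pass the server's check and reach the LDAP lookup.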

List of SSL Client Variables


Why Check the Certificate?

A certificate binds a name to a key, so a client that proves possession of the key has authenticated as the name in the certificate. In this application, a certificate is proof that the person at one time had an affiliation with Dartmouth College. Currently, Dartmouth certificates are issued on the basis of DND validation, so checking for a certificate is a proxy for direct DND validation.

Why Check the LDAP?

Dartmouth certificates are not necessarily revoked when a person leaves the College; normally they are simply allowed to expire one year after issuance. The DND is the central repository of information about Dartmouth affiliation status. If someone's affiliation with the College ends, their certificate may still be valid, but their DND entry will be removed, so the LDAP check catches what certificate expiry alone would miss. In some cases a certificate may be revoked upon termination, but that is not expected for most users.

Show Me!

You can click on this link to test the system.