Authenticating to web pages with PKI certificates in Apache has been discussed in other sections of this site. Several sites, however, already have established authentication solutions deployed, such as KClient / Sidecar at Dartmouth College.
It is possible to combine PKI with a Kerberos/Sidecar solution in environments that already have an installed base using the latter. The ideal solution fails over from PKI to Kerberos/Sidecar, so that a user who does not have a valid certificate can attempt to authenticate with a Kerberos ticket. Only if that also fails does the user get an "Authentication Denied" message.
At Dartmouth, Kerberos/Sidecar-based authentication is done either through CGI scripts or through an Apache module called mod_sidecar. Work is currently under way on getting mod_sidecar to recognize PKI authentication, but until that is finished, a CGI solution will have to do.
ScriptAlias /cgi-bin/ "/usr/local/apache/htdocs/cgi-bin/"
<Directory "/usr/local/apache/htdocs/cgi-bin">
    AllowOverride limit authconfig
    Options None
    Order allow,deny
    Allow from all
</Directory>
RewriteEngine on
RewriteCond %{HTTP_USER_AGENT} !Mac_PowerPC
RewriteRule ^/(.*) https://dev.dartmouth.edu/$1 [L,R]
RewriteCond %{REQUEST_URI} !authenticate.pl
RewriteRule ^/downloads/secured/(.+)$ /cgi-bin/authenticate.pl?file=$1 [L,R]
Note: the first rewrite rule redirects non-MacIE users to the HTTPS port. A similar set of rules should be implemented in the SSL server's virtual host directive, but it should not include the MacIE redirect.
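The failover described above, as an added example that is not the Dartmouth authenticate.pl script: PKI is checked first through the environment variables mod_ssl exports to a CGI (SSL_CLIENT_VERIFY and SSL_CLIENT_S_DN, which require SSLOptions +StdEnvVars), then a Kerberos/Sidecar check is attempted, and the file= parameter the RewriteRule supplies is confined to the secured directory. The Kerberos check is a hypothetical callback, and SECURED_ROOT is an assumed path.

```python
import posixpath
import urllib.parse
from typing import Callable, Dict, Optional, Tuple

# Assumed location of the protected downloads (not taken from the page).
SECURED_ROOT = "/usr/local/apache/htdocs/downloads/secured"

# Hypothetical stand-in for the site's Kerberos/Sidecar ticket check:
# given the CGI environment, return a principal name or None.
KerberosCheck = Callable[[Dict[str, str]], Optional[str]]


def authenticate(env: Dict[str, str], kerberos_check: KerberosCheck) -> Tuple[str, Optional[str]]:
    """Return ("pki" | "kerberos" | "denied", identity) for one CGI request.

    With 'SSLVerifyClient optional' and 'SSLOptions +StdEnvVars', mod_ssl sets
    SSL_CLIENT_VERIFY to SUCCESS, NONE or FAILED:<reason> and puts the subject
    DN in SSL_CLIENT_S_DN. Only a verified certificate with a DN counts as PKI.
    """
    if env.get("HTTPS") == "on" and env.get("SSL_CLIENT_VERIFY") == "SUCCESS":
        dn = env.get("SSL_CLIENT_S_DN")
        if dn:
            return "pki", dn
    principal = kerberos_check(env)  # failover to Kerberos/Sidecar
    if principal:
        return "kerberos", principal
    return "denied", None


def resolve_file(query_string: str) -> Optional[str]:
    """Map the file=... parameter from the RewriteRule to a path under
    SECURED_ROOT, rejecting anything that would escape that directory."""
    name = urllib.parse.parse_qs(query_string).get("file", [""])[0]
    if not name or name.startswith("/") or "\x00" in name:
        return None
    clean = posixpath.normpath(name)
    if clean in (".", "..") or clean.startswith("../"):
        return None
    return posixpath.join(SECURED_ROOT, clean)


if __name__ == "__main__":
    # Constructed CGI environments, not captured from a real server.
    with_cert = {"HTTPS": "on", "SSL_CLIENT_VERIFY": "SUCCESS",
                 "SSL_CLIENT_S_DN": "/C=US/O=Example College/CN=Jane Doe"}
    no_cert = {"HTTPS": "on", "SSL_CLIENT_VERIFY": "NONE"}
    print(authenticate(with_cert, lambda e: None))             # ('pki', ...DN...)
    print(authenticate(no_cert, lambda e: "jdoe@EXAMPLE.EDU"))  # ('kerberos', 'jdoe@EXAMPLE.EDU')
    print(authenticate(no_cert, lambda e: None))               # ('denied', None)
    print(resolve_file("file=report.pdf"))                     # .../secured/report.pdf
    print(resolve_file("file=../../etc/passwd"))               # None
```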
Dartmouth College PKI Lab
Last update: 6 February 2004