I'm trying to log in with a client certificate (a smartcard) but I'm a bit confused. The site needs to prompt me to select a certificate, but does not. I know how to set this up in Apache (SSLVerifyClient require) which works stand-alone, but that doesn't allow me to pass the cert to Drupal. Should this module do that for me? If not, do you have any suggestions?
Thanks
Comments
Comment #1
daleeman commented
Never mind; it works like it should, I think (though it doesn't do completely what I'm looking for). I'm hoping to find a way to validate a certificate outside of Apache. This means I need to somehow get PHP to send the certificate request to the browser rather than Apache. If anyone has any suggestions, let me know, please!!
Comment #2
flamingvan commented
Sorry I don't know how to help with that. My knowledge of certificates is actually pretty limited at the moment.
Comment #3
daleeman commented
I'm changing this to "By Design" as it works the way you intended for it to.
There are a few ways to do client certificate validation (my knowledge being limited to Apache). The first is to set an entire directory/webroot as requiring a certificate. However, if you want a landing page (not requiring a certificate) or to manage multiple directories that are not certificate-validated, this module won't really help you.
What I ended up doing was creating a new module to handle logins via a token. The token is created in a protected directory (requiring the access card), saved in the DB (relating the CN to the token), passed to Drupal, and verified in the DB. Once the login is verified in my module, I load the appropriate profile based on a map table (uid, CN). Sounds a little convoluted, but it works pretty well.
THIS module, however, reads the certificate data assuming it has already been sent...it just doesn't make the browser request it (which I have yet to figure out how you would do that).
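The token handoff described in comment #3, sketched as an added example; it is not the commenter's module or code from this project. The table names, function names, 60-second lifetime, single-use deletion and hashing of the stored token are assumptions, while `SSL_CLIENT_VERIFY` and `SSL_CLIENT_S_DN_CN` are the variables mod_ssl exports when `SSLOptions +StdEnvVars` is enabled.

```php
<?php
// Added example: hypothetical tables and functions, constructed sample data.
$db = new PDO('sqlite::memory:'); // stands in for the Drupal database
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE cert_token (token_hash TEXT PRIMARY KEY, cn TEXT NOT NULL, expires INTEGER NOT NULL)');
$db->exec('CREATE TABLE cert_map (uid INTEGER PRIMARY KEY, cn TEXT UNIQUE NOT NULL)');
$db->exec("INSERT INTO cert_map (uid, cn) VALUES (42, 'DOE.JANE.1234567890')"); // constructed row

// Runs in the certificate-protected directory (SSLVerifyClient require).
// $server is $_SERVER as populated by mod_ssl.
function issue_token(PDO $db, array $server, int $now, int $ttl = 60): ?string {
    if (($server['SSL_CLIENT_VERIFY'] ?? '') !== 'SUCCESS' || empty($server['SSL_CLIENT_S_DN_CN'])) {
        return null; // no verified client certificate on this request
    }
    $token = bin2hex(random_bytes(32)); // unguessable, 256 bits
    // Store only a hash, so a leaked table does not yield usable tokens.
    $stmt = $db->prepare('INSERT INTO cert_token (token_hash, cn, expires) VALUES (?, ?, ?)');
    $stmt->execute([hash('sha256', $token), $server['SSL_CLIENT_S_DN_CN'], $now + $ttl]);
    return $token; // passed on to the Drupal login path (transport is an assumption)
}

// Runs in Drupal, outside the protected directory. Returns the mapped uid or null.
function redeem_token(PDO $db, string $token, int $now): ?int {
    $hash = hash('sha256', $token);
    $db->beginTransaction();
    $stmt = $db->prepare('SELECT cn, expires FROM cert_token WHERE token_hash = ?');
    $stmt->execute([$hash]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // Delete on every lookup so a token can be redeemed once only.
    $db->prepare('DELETE FROM cert_token WHERE token_hash = ?')->execute([$hash]);
    $db->commit();
    if ($row === false || (int) $row['expires'] < $now) {
        return null; // unknown, already used, or expired
    }
    $stmt = $db->prepare('SELECT uid FROM cert_map WHERE cn = ?');
    $stmt->execute([$row['cn']]);
    $uid = $stmt->fetchColumn();
    return $uid === false ? null : (int) $uid; // CN with no mapped account gets no session
}

// Constructed request environment for the demonstration.
$env = ['SSL_CLIENT_VERIFY' => 'SUCCESS', 'SSL_CLIENT_S_DN_CN' => 'DOE.JANE.1234567890'];
$token = issue_token($db, $env, 1000);
var_dump(redeem_token($db, $token, 1010)); // first redemption
var_dump(redeem_token($db, $token, 1011)); // replay of the same token
var_dump(issue_token($db, [], 1000));      // request that carried no certificate
```

The Drupal side trusts the token only because of the database row written from inside the protected directory, so the token itself should travel over TLS and be kept out of logs.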