
Opened 17 years ago

Last modified 10 years ago

#6982 new enhancement

x509 with friendly name support

Reported by: dirkx@…
Owned by:
Priority: normal
Milestone: unscheduled
Component: web frontend
Version:
Severity: normal
Keywords: x509 httpd.conf pki
Cc: dirkx@…, Ryan J Ollos
Branch:
Release Notes:
API Changes:
Internal Changes:

Description

Below is a small patch for those using x509 support - e.g. an apache config as below to allow access based on x509 certs. The reason for doing this is that otherwise the strings shown become very long and unwieldy.

One item of note - in a lot of sites the x509 contains the email address; in a lot of other non x509 (e.g. htpasswd sites) the userid can be combined with some FQDN to become the user their valid email address. Hence it may be useful to at some point add an extra field, email, to the current interface.

Note that this is NOT the same as using

SSLUserName SSL_CLIENT_S_DN_CN

(See http://httpd.apache.org/docs/2.2/mod/mod_ssl.html#sslusername) in your httpd.conf - as with this feature we try to preserve all captured information (i.e. full DN in svn, so we can do XS controls and do this over many years - where the CN may well be not unique).

See test/example config below.

Dw.
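The name-shortening the ticket describes, as an added example that is not the attached patch and not Trac's own code: it takes the subject DN string that Apache mod_ssl exposes (legacy `/C=..../CN=...` oneline form or the RFC 2253 `CN=...,O=...` form), derives a short display name from the CN, and keeps the full DN as the stable identifier, so two certificates that share a CN remain distinct users. The `X509User` class, the attribute preference order and the sample DNs are assumptions constructed for the example.

```python
"""Derive a friendly display name from an X.509 subject DN while keeping the
full DN as the stable user identifier.

Added example; not the ticket's patch or Trac code.  Assumes the DN arrives as
the string mod_ssl puts in SSL_CLIENT_S_DN / REMOTE_USER, in either the legacy
"/C=NL/O=Example/CN=Jane Doe" form or the RFC 2253 "CN=Jane Doe,O=Example,C=NL"
form.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class X509User:
    dn: str                # full subject DN: the primary key, never shortened
    name: str              # friendly name shown in the UI
    email: Optional[str]   # emailAddress RDN when the certificate carries one


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Split a subject DN into (attribute, value) pairs in the order given."""
    dn = dn.strip()
    if dn.startswith("/"):
        # legacy mod_ssl oneline format; a backslash escapes a literal '/'
        parts = re.split(r"(?<!\\)/", dn[1:])
    else:
        # RFC 2253 format; a backslash escapes a literal ','
        parts = re.split(r"(?<!\\),", dn)
    pairs = []
    for part in parts:
        if not part:
            continue
        attr, sep, value = part.partition("=")
        if not sep:
            raise ValueError("malformed RDN %r in %r" % (part, dn))
        value = value.replace("\\/", "/").replace("\\,", ",")
        pairs.append((attr.strip(), value.strip()))
    return pairs


def friendly_user(dn: str) -> X509User:
    """Return the user keyed by the full DN with a short display name.

    Preference for the display name: CN, then UID, then the email address,
    and finally the raw DN when none of those is present (assumed order).
    """
    attrs = dict(parse_dn(dn))  # for repeated attributes the last value wins
    email = attrs.get("emailAddress") or attrs.get("EMAIL")
    name = attrs.get("CN") or attrs.get("UID") or email or dn
    return X509User(dn=dn, name=name, email=email)


if __name__ == "__main__":
    # constructed sample DNs, not taken from any real certificate
    for sample in (
        "/C=NL/O=Example Ltd/CN=Jane Doe/emailAddress=jane@example.org",
        "CN=Jane Doe,O=Example Ltd,C=NL",
        "/O=Acme\\/Europe/CN=Bob",
    ):
        user = friendly_user(sample)
        print("%-20s <- %s" % (user.name, user.dn))
```

Because `dn` is the key, access-control rules and Subversion authz entries can keep matching on the complete DN (the ticket's point about CNs not being unique over many years), while only the display layer uses `name`.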

Attachments (3)

setup-ca.sh (1.4 KB ) - added by dirkx@… 17 years ago.
Script to setup a root ca, server certificate and client test certificate
x509-strip-patch.txt (1.6 KB ) - added by dirkx@… 17 years ago.
x509 patch against trunk (r6673)
httpd-snippet.txt (1.8 KB ) - added by dirkx@… 17 years ago.
httpd.conf snippet to test the patch


Change History (10)

by dirkx@…, 17 years ago

Attachment: setup-ca.sh added

Script to setup a root ca, server certificate and client test certificate

by dirkx@…, 17 years ago

Attachment: x509-strip-patch.txt added

x509 patch against trunk (r6673)

by dirkx@…, 17 years ago

Attachment: httpd-snippet.txt added

httpd.conf snippet to test the patch

comment:1 by lippold@…, 16 years ago

Hi,

I was just wondering if this patch was applied to the 0.11 codebase?

Thanks,

Aaron

comment:2 by Noah Kantrowitz, 16 years ago

No, nor would I think it will be. This is a pretty rare use case, and probably should be a plugin. Just subclass LoginModule.

comment:3 by aaronlippold, 16 years ago

Hi,

Ok. How about things like the user/group database and or roles db?

I assume that the userid is an independent primary key that maps to the "pretty user name" so no changes would need to be made or am I incorrect? Thus, groups, roles, etc could remain oblivious to the fact that a SC CN was used to identify and validate the user and populate the user session object, etc etc.

If this isn't the case, I assume some more subclassing could fix it up?

Also, given that SVN can now grok x509 data, what module would need to be subclassed to pass the known user smart card CN to the login data for the SVN server?

Thanks,

Aaron

comment:4 by Remy Blank, 16 years ago

Milestone: 2.0

comment:5 by Ryan Ollos <ryano@…>, 15 years ago

Cc: ryano@… added

comment:6 by Christian Boos, 15 years ago

Milestone: 2.0 → unscheduled

Milestone 2.0 deleted

comment:8 by Ryan J Ollos, 10 years ago

Cc: Ryan J Ollos added; ryano@… removed
