Opened 17 years ago
Last modified 10 years ago
#6982 new enhancement
x509 with friendly name support
| Reported by: | | Owned by: | |
|---|---|---|---|
| Priority: | normal | Milestone: | unscheduled |
| Component: | web frontend | Version: | |
| Severity: | normal | Keywords: | x509 httpd.conf pki |
| Cc: | dirkx@…, Ryan J Ollos | Branch: | |
| Release Notes: | | | |
| API Changes: | | | |
| Internal Changes: | | | |
Description
Below is a small patch for those using x509 support - e.g. an apache config as below to allow access based on x509 certs. The reason for doing this is that otherwise the strings shown become very long and unwieldy.
One item of note - in a lot of sites the x509 contains the email address; in a lot of other non-x509 sites (e.g. htpasswd sites) the userid can be combined with some FQDN to become the user's valid email address. Hence it may be useful to at some point add an extra field, email, to the current interface.
Note that this is NOT the same as using
SSLUserName SSL_CLIENT_S_DN_CN
(See http://httpd.apache.org/docs/2.2/mod/mod_ssl.html#sslusername) in your httpd.conf - as with this feature we try to preserve all captured information (i.e. full DN in svn, so we can do XS controls and do this over many years - where the CN may well be not unique).
See test/example config below.
Dw.
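The mapping the description asks for, as an added Python example (it is not the ticket's patch and not Trac's own code): parse the subject DN the way mod_ssl exposes it in SSL_CLIENT_S_DN, keep the full canonical DN as the user id that access control compares (so two certificates with the same CN under different organisations stay distinct), derive the short display name from the CN, and pull out emailAddress for the extra field suggested above. Every DN in it is a constructed sample, and `X509Identity`, `identity_from_dn` and `is_authorised` are names invented here.

```python
"""Stable user id + friendly display name + e-mail from an X.509 subject DN.

Constructed example for this ticket; not the attached patch, not Trac code.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

Rdn = Tuple[str, str]  # (attribute type, value), e.g. ("CN", "Alice Example")


@dataclass(frozen=True)
class X509Identity:
    userid: str           # canonical full DN: the key access control compares
    friendly_name: str    # display label only; a CN is not guaranteed unique
    email: Optional[str]  # emailAddress attribute, if the certificate has one


def _split_unescaped(text: str, sep: str) -> List[str]:
    """Split on `sep`, honouring backslash escapes as RFC 2253 uses them."""
    parts: List[str] = []
    cur: List[str] = []
    i = 0
    while i < len(text):
        ch = text[i]
        if ch == "\\" and i + 1 < len(text):  # escaped character: keep literally
            cur.append(text[i + 1])
            i += 2
            continue
        if ch == sep:
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    parts.append("".join(cur))
    return parts


def parse_dn(dn: str) -> List[Rdn]:
    """Accept the legacy mod_ssl form '/C=NL/O=Org/CN=Alice' (root first) or
    the RFC 2253 form 'CN=Alice,O=Org,C=NL' (leaf first); always return the
    RDNs root-first so one certificate yields one list whatever the format."""
    dn = dn.strip()
    if dn.startswith("/"):
        raw = _split_unescaped(dn[1:], "/")
    else:
        raw = list(reversed(_split_unescaped(dn, ",")))
    rdns: List[Rdn] = []
    for part in raw:
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed RDN {part!r} in {dn!r}")
        attr, value = part.split("=", 1)
        rdns.append((attr.strip().upper(), value.strip()))
    if not rdns:
        raise ValueError("empty DN")
    return rdns


def canonical_dn(rdns: List[Rdn]) -> str:
    """Serialise root-first with '/' separators, escaping '\\' and '/' in values."""
    def esc(v: str) -> str:
        return v.replace("\\", "\\\\").replace("/", "\\/")
    return "".join(f"/{attr}={esc(value)}" for attr, value in rdns)


def _first(rdns: List[Rdn], *attrs: str) -> Optional[str]:
    wanted = {a.upper() for a in attrs}
    return next((v for a, v in rdns if a in wanted), None)


def identity_from_dn(dn: str) -> X509Identity:
    rdns = parse_dn(dn)
    userid = canonical_dn(rdns)
    email = _first(rdns, "EMAILADDRESS", "E")  # "E" is the Microsoft spelling
    # Display name: CN if present, else the e-mail local part, else the DN.
    friendly = _first(rdns, "CN")
    if friendly is None and email:
        friendly = email.split("@", 1)[0]
    if friendly is None:
        friendly = userid
    return X509Identity(userid=userid, friendly_name=friendly, email=email)


def is_authorised(dn: str, allowed_dns: List[str]) -> bool:
    """Authorisation compares canonical full DNs, never the friendly name."""
    wanted = identity_from_dn(dn).userid
    return any(identity_from_dn(a).userid == wanted for a in allowed_dns)


if __name__ == "__main__":
    # Constructed sample DNs: the same person seen via both mod_ssl formats,
    # plus a second certificate that shares the CN but not the organisation.
    for sample in ("/C=NL/O=Example Org/CN=Alice Example/emailAddress=alice@example.org",
                   "emailAddress=alice@example.org,CN=Alice Example,O=Example Org,C=NL",
                   "/C=NL/O=Globex/CN=Alice Example"):
        print(identity_from_dn(sample))
```

The friendly name is only ever written to the screen; the ACL list, svn authz entries and session key all hold the canonical DN, which is what lets the full subject survive for years even when two users share a CN.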
Attachments (3)
Change History (10)
by , 17 years ago
Attachment: setup-ca.sh added
comment:1 by , 17 years ago
Hi,
I was just wondering if this patch was applied to the 0.11 codebase?
Thanks,
Aaron
comment:2 by , 17 years ago
No, nor would I think it will be. This is a pretty rare use case, and probably should be a plugin. Just subclass LoginModule.
comment:3 by , 17 years ago
Hi,
Ok. How about things like the user/group database and or roles db?
I assume that the userid is an independent primary key that maps to the "pretty user name" so no changes would need to be made or am I incorrect? Thus, groups, roles, etc could remain oblivious to the fact that a SC CN was used to identify and validate the user and populate the user session object, etc etc.
If this isn't the case, I assume some more subclassing could fix it up?
Also, given that SVN can now grok x509 data, what module would need to be subclassed to pass the known user smart card CN to the login data for the SVN server?
Thanks,
Aaron
comment:4 by , 16 years ago
Milestone: → 2.0
comment:5 by , 15 years ago
Cc: added
comment:8 by , 10 years ago
Cc: added; removed
Script to set up a root CA, server certificate and client test certificate