be used for access control. The user name is just the Subject of the
Client's X509 Certificate (can be determined by running OpenSSL's
<code>openssl x509</code> command: <code>openssl x509 -noout -subject -in
- </code><em>certificate</em><code>.crt</code>). Note that no password is
- obtained from the user. Every entry in the user file needs this password:
- ``<code>xxj31ZMTZzkVA</code>'', which is the DES-encrypted version of the
- word `<code>password</code>''. Those who live under MD5-based encryption
- (for instance under FreeBSD or BSD/OS, etc.) should use the following MD5
- hash of the same word: ``<code>$1$OXLyS...$Owx8s2/m9/gfkcRVXzgoE/</code>''.</p>
+ </code><em>certificate</em><code>.crt</code>). The optional <directive
+ module="mod_ssl">SSLUserName</directive> directive can be used to
+ specify which part of the certificate Subject is embedded in the username.
+ Note that no password is obtained from the user. Every entry in the user
+ file needs this password: ``<code>xxj31ZMTZzkVA</code>'', which is the
+ DES-encrypted version of the word `<code>password</code>''. Those who
+ live under MD5-based encryption (for instance under FreeBSD or BSD/OS,
+ etc.) should use the following MD5 hash of the same word:
+ ``<code>$1$OXLyS...$Owx8s2/m9/gfkcRVXzgoE/</code>''.</p>
</li>
<li><code>StrictRequire</code>
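Review bot: the added sentence describes <code>SSLUserName</code> as choosing "which part of the certificate Subject is embedded in the username", but the directive's own description retained as context in the next hunk ("The <em>varname</em> can be any of the SSL environment variables") allows any SSL variable, not only a Subject component. Suggest wording it as "can be used to select which SSL environment variable (for instance a component of the certificate Subject) is used as the user name", so the two passages do not contradict each other.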
<p>
<code>REMOTE_USER</code> to be set. The <em>varname</em> can be
any of the <a href="#envvars">SSL environment variables</a>.</p>
-<p>Note that this directive has no effect if the
-<code>FakeBasicAuth</code> option is used (see <a
-href="#ssloptions">SSLOptions</a>).</p>
+<p>When the <code>FakeBasicAuth</code> option is enabled, this directive
+instead controls the value of the username embedded within the basic
+authentication header (see <a href="#ssloptions">SSLOptions</a>).</p>
<example><title>Example</title>
<highlight language="config">
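Review bot: the replacement paragraph does not say what happens when the variable named by <code>SSLUserName</code> has no value for the connection; the accompanying code change logs a warning and returns <code>DECLINED</code> without setting an <code>Authorization</code> header, so the page should state that no basic authentication header is faked in that case and the request falls through to the configured authentication provider. Suggest appending a sentence such as: "If the selected variable has no value for the client certificate, no basic authentication header is faked and a warning is logged."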
SSLConnRec *sslconn = myConnConfig(r->connection);
SSLSrvConfigRec *sc = mySrvConfig(r->server);
SSLDirConfigRec *dc = myDirConfig(r);
- char *clientdn;
+ char *user;
const char *auth_line, *username, *password;
/*
OPENSSL_free(cp);
}
- clientdn = (char *)sslconn->client_dn;
+ /* use SSLUserName if defined, otherwise use the full client DN */
+ if (dc->szUserName) {
+ user = ssl_var_lookup(r->pool, r->server, r->connection,
+ r, (char *)dc->szUserName);
+ if (!user || !user[0]) {
+ ap_log_rerror(
+ APLOG_MARK, APLOG_WARNING, 0, r, APLOGNO(02434) "Failed to set FakeBasicAuth username to '%s', did not exist in certificate", dc->szUserName);
+ return DECLINED;
+ }
+ }
+ else {
+ user = (char *)sslconn->client_dn;
+ }
/*
* Fake a password - which one would be immaterial, as, it seems, an empty
*/
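Review bot: the <code>ap_log_rerror</code> call in this hunk puts the level, request, log number and format string on one very long line; wrap it after <code>APLOGNO(02434)</code> to match the surrounding style. Two smaller points on the same block: the message text "did not exist in certificate" is inaccurate, since <code>ssl_var_lookup</code> can be given any SSL variable name, not only certificate fields, so "variable '%s' is not set for this connection" would describe the failure more precisely; and because this path is taken on every request while the directive names an unset variable, consider whether <code>APLOG_WARNING</code> per request is the intended level or whether a single configuration-time check would be preferable.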
auth_line = apr_pstrcat(r->pool, "Basic ",
ap_pbase64encode(r->pool,
- apr_pstrcat(r->pool, clientdn,
+ apr_pstrcat(r->pool, user,
":password", NULL)),
NULL);
apr_table_setn(r->headers_in, "Authorization", auth_line);