httpd-dev mailing list archives

From Jan Pazdziora <>
Subject Using UPN from subjectAltName with SSLUserName
Date Thu, 18 Jun 2015 09:49:46 GMT


I've noticed that support for getting subjectAltName entries Email and
Type landed in 2.4.13, via r1676087.

We've come across another type in subjectAltName, Microsoft Universal
Principal Name (OID which would be useful to
retrieve from the certificate and use for subsequent authorization
and identity operations against Active Directory.

I've filed
	When user authenticates with certificate which has their
		Microsoft Universal Principal Name in subjectAltName,
		that UPN cannot be used with SSLUserName for further
		access controls

and included a patch which extends the original SAN support to

I'd appreciate any comments about the suitability of such a change, as well
as the implementation. Specifically, I'm not sure if people will
prefer the generic and currently proposed


which gets any value of otherName type, or perhaps going with


and checking the OID just for the UPNs. Based on that decision I plan
to then respin the patch with documentation changes included.

Thank you,

Jan Pazdziora
Senior Principal Software Engineer, Identity Management Engineering, Red Hat
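
The trade-off raised in the message above, between exposing any otherName value and checking the OID for UPNs only, sketched as an added Python example; it is not the patch under discussion and not mod_ssl code. The UPN type-id 1.3.6.1.4.1.311.20.2.3, the function names and the constructed sample SAN are assumptions supplied for the illustration.

```python
UPN_OID = "1.3.6.1.4.1.311.20.2.3"  # Microsoft UPN type-id; assumption, not stated on the page

def read_tlv(buf, pos):
    """Return (tag, content, next_pos) for the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length: low 7 bits give the count of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def decode_oid(body):
    arcs, value = [], 0
    for b in body:  # base-128 arcs, high bit set on every byte but the last
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, value = arcs + [value], 0
    first = min(arcs[0] // 40, 2)
    return ".".join(str(a) for a in [first, arcs[0] - 40 * first] + arcs[1:])

def other_names(san_der):
    """Yield (type_id, value_tag, value_bytes) for each otherName in GeneralNames."""
    tag, names, _ = read_tlv(san_der, 0)
    if tag != 0x30:
        raise ValueError("GeneralNames must be a SEQUENCE")
    pos = 0
    while pos < len(names):
        tag, body, pos = read_tlv(names, pos)
        if tag == 0xA0:  # [0] otherName; rfc822Name, dNSName etc. are skipped
            oid_tag, oid, nxt = read_tlv(body, 0)
            wrap_tag, wrapped, _ = read_tlv(body, nxt)  # value is [0] EXPLICIT
            if oid_tag != 0x06 or wrap_tag != 0xA0:
                raise ValueError("malformed otherName")
            value_tag, value, _ = read_tlv(wrapped, 0)
            yield decode_oid(oid), value_tag, value

def generic_other_name_values(san_der):  # generic variant: any otherName, type-id ignored
    return [v.decode("utf-8", "replace") for _, _, v in other_names(san_der)]

def upn_values(san_der):  # OID-checked variant: UTF8String values typed as UPN only
    return [v.decode() for oid, t, v in other_names(san_der) if (oid, t) == (UPN_OID, 0x0C)]

def tlv(tag, content):  # builds the sample below; short-form lengths only
    return bytes([tag, len(content)]) + content

SAMPLE_SAN = tlv(0x30, tlv(0x81, b"alice@example.test")  # constructed, not from a real cert
    + tlv(0xA0, tlv(0x06, bytes.fromhex("883701")) + tlv(0xA0, tlv(0x0C, b"badge-0042")))
    + tlv(0xA0, tlv(0x06, bytes.fromhex("2b060104018237140203"))
          + tlv(0xA0, tlv(0x0C, b"alice@corp.example.test"))))
```

On the sample, the generic variant also returns the value stored under the unrelated 2.999.1 type-id, so whatever consumes it as a user name has to know which otherName type it was given; the OID-checked variant returns the UPN alone.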
