httpd-dev mailing list archives

From Jan Pazdziora <jpazdzi...@redhat.com>
Subject Using UPN from subjectAltName with SSLUserName
Date Thu, 18 Jun 2015 09:49:46 GMT

Hello,

I've noticed that support for getting subjectAltName entries Email and
Type landed in 2.4.13, via r1676087.

We've come across another type in subjectAltName, Microsoft Universal
Principal Name (OID 1.3.6.1.4.1.311.20.2.3) which would be useful to
retrieve from the certificate and use for subsequent authorization
and identity operations against Active Directory.

I've filed

	https://bz.apache.org/bugzilla/show_bug.cgi?id=58020
	When user authenticates with certificate which has their
		Microsoft Universal Principal Name in subjectAltName,
		that UPN cannot be used with SSLUserName for further
		access controls

and included a patch which extends the original SAN support to
otherName.

I'd appreciate any comments about the suitability of such a change, as well
as the implementation. Specifically, I'm not sure whether people will
prefer the generic and currently proposed

	SSL_CLIENT_SAN_otherName_n

which gets any value of otherName type, or perhaps going with

	SSL_CLIENT_SAN_UPN_n

and checking the OID just for the UPNs. Based on that decision I plan
to then respin the patch with documentation changes included.

Thank you,

-- 
Jan Pazdziora
Senior Principal Software Engineer, Identity Management Engineering, Red Hat
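As an added example (not part of the mail or of the httpd patch it refers to), a pure-Python decoder for the otherName entries of a DER-encoded subjectAltName, run on a constructed SAN that carries an id-on-xmppAddr otherName ahead of the Microsoft UPN. It builds both variable namings the mail asks about: the generic SSL_CLIENT_SAN_otherName_n exposes every UTF8String otherName in certificate order, while SSL_CLIENT_SAN_UPN_n surfaces only the entry whose OID is 1.3.6.1.4.1.311.20.2.3, so an SSLUserName keyed on otherName_0 could end up with a name that is not a UPN. The xmppAddr OID, the sample names and the helper function names are my own choices for the sample.

```python
UPN_OID = "1.3.6.1.4.1.311.20.2.3"                      # Microsoft UPN, as in the mail
UPN_OID_DER = bytes.fromhex("060a2b060104018237140203")   # same OID as a DER OBJECT IDENTIFIER
XMPP_OID_DER = bytes.fromhex("06082b06010505070805")     # id-on-xmppAddr, also a UTF8String otherName

def _tlv(tag, body):                        # DER TLV for sample data; bodies here are < 128 bytes
    return bytes([tag, len(body)]) + body

def _other_name(oid_der, text):             # GeneralName [0] otherName { OID, [0] EXPLICIT UTF8String }
    return _tlv(0xA0, oid_der + _tlv(0xA0, _tlv(0x0C, text.encode())))

def _read_tlv(buf, pos):                    # -> (tag, body, position after the element)
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:                            # long-form length, as real SANs often need
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + n], pos + n

def _decode_oid(body):                      # DER OID body -> dotted string (first arc 0 or 1)
    arcs, v = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        v = (v << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(v); v = 0
    return ".".join(map(str, arcs))

def other_names(san_der):                   # yield (dotted_oid, text) per UTF8String otherName
    tag, seq, _ = _read_tlv(san_der, 0)
    assert tag == 0x30, "subjectAltName is a SEQUENCE OF GeneralName"
    pos = 0
    while pos < len(seq):
        tag, body, pos = _read_tlv(seq, pos)
        if tag != 0xA0:                     # [1] rfc822Name, [2] dNSName, ...: not otherName
            continue
        _, oid_body, p = _read_tlv(body, 0)
        _, inner, _ = _read_tlv(body, p)    # unwrap the [0] EXPLICIT value
        vtag, value, _ = _read_tlv(inner, 0)
        if vtag == 0x0C:                    # only UTF8String values are surfaced as text
            yield _decode_oid(oid_body), value.decode("utf-8")

def ssl_env(san_der):                       # both namings from the mail, side by side
    env, n_other, n_upn = {}, 0, 0
    for oid, text in other_names(san_der):
        env[f"SSL_CLIENT_SAN_otherName_{n_other}"] = text; n_other += 1
        if oid == UPN_OID:                  # OID-checked variant: only a real UPN lands here
            env[f"SSL_CLIENT_SAN_UPN_{n_upn}"] = text; n_upn += 1
    return env

# Constructed sample SAN: xmppAddr otherName first, then the UPN, then a dNSName.
SAMPLE_SAN = _tlv(0x30, _other_name(XMPP_OID_DER, "alice@chat.example.com")
                  + _other_name(UPN_OID_DER, "alice@ad.example.com") + _tlv(0x82, b"host.example.com"))
```

With the sample, otherName_0 is the xmppAddr and the UPN only appears as otherName_1 and UPN_0.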
