Hello Tom & mod_perlers,
Here is what I'm running:
Apache 2.2.0
mod_perl 2.0
OpenSSL 0.9.7a
mod_ssl 2.2.0

Ok, more info...

Here is the code in my httpd-ssl.conf that works:

<Location /svn>
    DAV svn
    SVNPath /home/svnroot
    SSLUserName SSL_CLIENT_S_DN_CN
    AuthzSVNAccessFile /usr/local/apache2/conf/svnauthorization
</Location>

However, I need the UID, and SSL_CLIENT_S_DN_UID is not getting set,
that's why I decided to go the <Perl> route.
I need to mimic exactly the same thing as above but only parse the
SSL_CLIENT_S_DN to get the UID and set SSLUserName.

Thanks all,
Dennis
-----Original Message-----
From: Tom Schindl [mailto:tomAtLinux@gmx.at]
Sent: Sunday, March 26, 2006 5:07 AM
To: Dennis Sinelnikov
Cc: modperl@perl.apache.org
Subject: Re: Controlling subversion access
Hi Dennis,
first of all it would be nice if you could tell us what version of
Apache/mod-perl you are running. Second I'm not sure I understand what
you are trying to do because I'm not very familiar with SSL and DAV.
If I'm not completely mistaken things like $ENV{SSL_CLIENT_S_DN} are set
at request time and not at startup where the perl-sections in your
httpd.conf are parsed. What you need to implement is a handler which is
working after mod_ssl has done its job and before mod_dav is doing its
job but therefore you must know in which phase of Apache they are working.
If you elaborate a bit more I'm sure we (mod_perl) can help you ;-)
Tom
Dennis Sinelnikov wrote:
> Dear fellow developers,
>
> Here is what I'm trying to do in my httpd-ssl.conf:
>
> <Perl>
> $client_dn = $ENV{SSL_CLIENT_S_DN};
> $client_dn =~ /.*UID=(.*)$/;
> $client_uid = $1;
>
> $Location{"/svnroot"} = {
>     DAV => 'svn',
>     SVNPath => '/home/svnroot',
>     SSLUserName => $client_uid,
>     AuthzSVNAccessFile => '/usr/local/apache2/conf/svnauthorization'
> }
> </Perl>
>
> Obviously, the above code is not quite right (otherwise I would not be
> emailing everyone ;)
>
> Basically, I'm trying to parse the UID off of the Client's certificate
> DN and use it to set SSLUserName, so I can later use that uid in
> svnauthorization file to control read/write privileges of my subversion
> repository per user basis. The reason why I need to parse UID off of
> the DN is because for some reason SSL_CLIENT_S_DN_UID is not getting
> set, but I see it in my log when I log the full DN (bug?). If anyone
> had to do similar authorization using the client cert, please let me
> know and any suggestions are welcome.
>
> Thanks much!
>
> Dennis
>
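Added example, not part of the original thread or of mod_perl/mod_ssl: because the extracted UID becomes the user name that the svnauthorization file is matched against, the DN parsing should be strict. The sketch below compares the pattern from the quoted <Perl> section with a stricter extractor meant to be called at request time. Assumptions: the DN is in OpenSSL "oneline" form (/C=.../CN=.../UID=...), the function names uid_greedy and uid_strict are hypothetical, the allowed UID character set is a local policy choice, and the sample DNs are constructed.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# The pattern from the quoted <Perl> section, kept for comparison.
# It captures everything after the last "UID=" up to the end of the DN.
sub uid_greedy {
    my ($dn) = @_;
    return $dn =~ /.*UID=(.*)$/ ? $1 : undef;
}

# Stricter extraction: split the DN into attributes, require exactly one
# UID attribute, and accept only a conservative character set (assumed policy).
sub uid_strict {
    my ($dn) = @_;
    return undef unless defined $dn && $dn =~ m{^/};
    my @uids;
    for my $rdn (split m{/}, substr($dn, 1)) {
        my ($type, $value) = split /=/, $rdn, 2;
        next unless defined $value && $type eq 'UID';
        push @uids, $value;
    }
    return undef unless @uids == 1;    # missing or ambiguous: refuse
    return $uids[0] =~ /\A[A-Za-z0-9._-]{1,64}\z/ ? $uids[0] : undef;
}

sub show { my ($v) = @_; return defined $v ? "'$v'" : 'undef' }

# Constructed sample DNs (not taken from any real certificate).
my @samples = (
    '/C=US/O=Example/CN=Jane Doe/UID=jdoe',      # UID is the last attribute
    '/C=US/UID=jdoe/O=Example/CN=Jane Doe',      # UID is not last
    '/C=US/O=Example/CN=Jane Doe',               # no UID at all
    '/O=Example/CN=x/UID=admin/UID=jdoe',        # two UID fields: ambiguous
);

for my $dn (@samples) {
    printf "%s\n  greedy=%s  strict=%s\n",
        $dn, show(uid_greedy($dn)), show(uid_strict($dn));
}
```

When uid_strict returns undef, the request should be refused rather than mapped to an empty or default user name.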