From: "Dennis Sinelnikov"
To: "'Tom Schindl'"
Subject: RE: Controlling subversion access
Date: Sun, 26 Mar 2006 10:13:30 -0500

Hello Tom & mod_perlers,

Here is what I'm running:

Apache 2.2.0
mod_perl 2.0
OpenSSL 0.9.7a
mod_ssl 2.2.0

Ok, more info... Here is the code in my httpd-ssl.conf that works:

    DAV svn
    SVNPath /home/svnroot
    SSLUserName SSL_CLIENT_S_DN_CN
    AuthzSVNAccessFile /usr/local/apache2/conf/svnauthorization

However, I need the UID, and SSL_CLIENT_S_DN_UID is not getting set, that's why I decided to go the route. I need to mimic exactly the same thing as above but only parse the SSL_CLIENT_S_DN to get the UID and set SSLUserName.

Thanks all,
Dennis

-----Original Message-----
From: Tom Schindl [mailto:tomAtLinux@gmx.at]
Sent: Sunday, March 26, 2006 5:07 AM
To: Dennis Sinelnikov
Cc: modperl@perl.apache.org
Subject: Re: Controlling subversion access

Hi Dennis,

first of all it would be nice if you could tell us what version of Apache/mod-perl you are running. Second I'm not sure I understand what you are trying to do because I'm not very familiar with SSL and DAV.

If I'm not completely mistaken things like $ENV{SSL_CLIENT_S_DN} are set on request time and not on startup where the perl-sections in your httpd.conf are parsed. What you need to implement is a handler which is working after mod_ssl has done its job and before mod_dav is doing its job but therefore you must know in which phase of Apache they are working.
If you elaborate a bit more I'm sure we (mod_perl) can help you ;-)

Tom

Dennis Sinelnikov wrote:
> Dear fellow developers,
>
> Here is what I'm trying to do in my httpd-ssl.conf:
>
> $client_dn = $ENV{SSL_CLIENT_S_DN};
> $client_dn =~ /.*UID=(.*)$/;
> $client_uid = $1;
>
> $Location{"/svnroot"} = {
>     DAV => 'svn',
>     SVNPath => '/home/svnroot',
>     SSLUserName => $client_uid,
>     AuthzSVNAccessFile => '/usr/local/apache2/conf/svnauthorization'
> }
>
> Obviously, the above code is not quite right (otherwise I would not be
> emailing everyone ;)
>
> Basically, I'm trying to parse the UID off of the Client's certificate
> DN and use it to set SSLUserName, so I can later use that uid in
> svnauthorization file to control read/write privileges of my subversion
> repository per user basis. The reason why I need to parse UID off of
> the DN is because for some reason SSL_CLIENT_S_DN_UID is not getting
> set, but I see it in my log when I log the full DN (bug?). If anyone
> had to do similar authorization using the client cert, please let me
> know and any suggestions are welcome.
>
> Thanks much!
>
> Dennis
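An added example, not code from the thread: a Perl routine that extracts the UID from a subject DN more strictly than the `/.*UID=(.*)$/` pattern quoted above, which is greedy and picks up any components that follow UID. It assumes the slash-separated DN string form (for example `/C=US/O=Example/UID=jdoe`); `uid_from_dn`, the allowed character set and the sample DNs are constructed for illustration, and wiring it into a request-time handler, as Tom suggests, is not shown.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Return the UID from a subject DN string, or undef if it cannot be
# determined unambiguously. Assumed input format (not shown in the thread):
# slash-separated components such as "/C=US/O=Example/UID=jdoe".
sub uid_from_dn {
    my ($dn) = @_;
    return undef unless defined $dn && $dn =~ m{^/};

    my @uids;
    for my $rdn (split m{/}, substr($dn, 1)) {
        my ($attr, $value) = split /=/, $rdn, 2;
        next unless defined $value;
        push @uids, $value if uc($attr) eq 'UID';
    }

    # Fail closed: exactly one UID component, and only characters we expect
    # in an account name (the character set here is an assumption).
    return undef unless @uids == 1;
    return undef unless $uids[0] =~ /\A[A-Za-z0-9._-]{1,64}\z/;
    return $uids[0];
}

# Constructed sample DNs (not taken from the thread).
my @samples = (
    '/C=US/O=Example/CN=Jane Doe/UID=jdoe',      # UID is the last component
    '/C=US/UID=jdoe/O=Example/CN=Jane Doe',      # UID is not last
    '/C=US/O=Example/CN=Jane Doe',               # no UID at all
    '/C=US/O=Example/UID=jdoe/UID=other',        # more than one UID
    '/C=US/O=Example/UID=jdoe/emailAddress=j@example.org',
);

for my $dn (@samples) {
    # The pattern from the thread, for comparison. $1 is read only when the
    # match succeeded, so a stale capture from an earlier match is never used.
    my $old = $dn =~ /.*UID=(.*)$/ ? $1 : undef;
    my $new = uid_from_dn($dn);
    printf "%-55s old=%-35s new=%s\n", $dn,
        defined $old ? "'$old'" : 'undef',
        defined $new ? "'$new'" : 'undef';
}
```

A result of undef should be treated as "no authenticated user" and the request denied, rather than falling back to another certificate field.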