httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Marki <apache-us...@lists.roth.lu>
Subject [users@httpd] Radius AAA, transmit part of client certificate DN as username
Date Sat, 26 Sep 2020 13:46:38 GMT
Hello,

I've installed mod_auth_radius and am trying to send part of a client 
certificate DN as the username.

What I'm doing is:

   SSLCACertificateFile /CA.pem
   <Location /ssltest>
     SSLVerifyClient require
     SSLVerifyDepth 99
     SSLOptions +FakeBasicAuth
     SSLUserName SSL_CLIENT_S_DN_CN

     AuthType basic
     AuthName "Cert"
     AuthBasicProvider radius
#    AuthBasicFake "%{SSL_CLIENT_S_DN_CN}"

     <RequireAny>
       Require valid-user
     </RequireAny>
   </Location>

I haven't found out how to only send part of the DN to Radius.

"SSLOptions +FakeBasicAuth" transmits entire DN.

Adding "SSLUserName SSL_CLIENT_S_DN_CN" still transmits entire DN.

Adding "AuthBasicFake "%{SSL_CLIENT_S_DN_CN}"" still transmits entire DN.

Without "SSLOptions +FakeBasicAuth" no Radius request is ever made, 
indepedently of whether SSLUserName and/or AuthBasicFake is set or not.

How do I send _part of_ the DN to Radius for authentication?

I feel this may have to do with this:
https://bz.apache.org/bugzilla/show_bug.cgi?id=52616
https://bz.apache.org/bugzilla/show_bug.cgi?id=31418

But there haven't been any updates in a long time. What's the current state?
In any case, the server does not seem to behave like the documentation 
suggests, see 
https://httpd.apache.org/docs/trunk/mod/mod_ssl.html#sslusername

"When the FakeBasicAuth option is enabled, this directive instead 
controls the value of the username embedded within the basic 
authentication header (see SSLOptions)."

Thanks,
Marki

(Apache 2.4.23)



---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Mime
View raw message