Radius AAA, transmit part of client certificate DN as username

Hello,

I've installed mod_auth_radius and am trying to send part of a client certificate DN as the username.

What I'm doing is:

  SSLCACertificateFile /CA.pem
  <Location /ssltest>
    SSLVerifyClient require
    SSLVerifyDepth 99
    SSLOptions +FakeBasicAuth
    SSLUserName SSL_CLIENT_S_DN_CN

    AuthType basic
    AuthName "Cert"
    AuthBasicProvider radius
#    AuthBasicFake "%{SSL_CLIENT_S_DN_CN}"

    <RequireAny>
      Require valid-user
    </RequireAny>
  </Location>

I haven't found out how to only send part of the DN to Radius.

"SSLOptions +FakeBasicAuth" transmits entire DN.

Adding "SSLUserName SSL_CLIENT_S_DN_CN" still transmits entire DN.

Adding "AuthBasicFake "%{SSL_CLIENT_S_DN_CN}"" still transmits entire DN.

Without "SSLOptions +FakeBasicAuth" no Radius request is ever made, independently of whether SSLUserName and/or AuthBasicFake is set or not.

How do I send _part of_ the DN to Radius for authentication?

I feel this may have to do with this:
https://bz.apache.org/bugzilla/show_bug.cgi?id=52616
https://bz.apache.org/bugzilla/show_bug.cgi?id=31418

But there haven't been any updates in a long time. What's the current state?
In any case, the server does not seem to behave like the documentation suggests, see https://httpd.apache.org/docs/trunk/mod/mod_ssl.html#sslusername

"When the FakeBasicAuth option is enabled, this directive instead controls the value of the username embedded within the basic authentication header (see SSLOptions)."

Thanks,
Marki

(Apache 2.4.23)
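
A diagnostic sketch for the behaviour described in the message above, added here and not part of the original post or of any Apache module: it decodes the Basic header that FakeBasicAuth builds and pulls a single CN out of the DN, failing closed when the DN is ambiguous. The function names and the sample DN are hypothetical; the fixed password string "password" is the one mod_ssl documents for FakeBasicAuth.

```python
import base64
import re

# Constructed sample: the header FakeBasicAuth would build for this subject DN.
SAMPLE_DN = "/C=XX/O=Example Org/CN=alice"
SAMPLE_HEADER = "Basic " + base64.b64encode(f"{SAMPLE_DN}:password".encode()).decode()


def fake_basic_username(authorization: str) -> str:
    """Return the username part of a Basic Authorization header value."""
    scheme, _, blob = authorization.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic Authorization header")
    decoded = base64.b64decode(blob.strip(), validate=True).decode("utf-8")
    # Basic auth splits at the first ':' (RFC 7617), so a ':' inside the DN
    # would truncate the username here as well.
    user, sep, _password = decoded.partition(":")
    if not sep:
        raise ValueError("no ':' separator in credentials")
    return user


def cn_from_dn(dn: str) -> str:
    """Extract exactly one CN from a DN string, or fail closed."""
    if dn.startswith("/"):
        # OpenSSL "oneline" form. Values are not escaped, so a '/' inside a
        # value is indistinguishable from a separator.
        parts = dn[1:].split("/")
    else:
        # Comma-separated form: split on ',' or '+' not preceded by a backslash.
        parts = re.split(r"(?<!\\)[,+]\s*", dn)
    cns = []
    for part in parts:
        key, sep, value = part.partition("=")
        if sep and key.strip().upper() == "CN":
            cns.append(value)
    if len(cns) != 1:
        # Zero or several CNs: refuse rather than guess which one is the identity.
        raise ValueError(f"expected exactly one CN, found {len(cns)}")
    # Drop backslash escapes such as '\,' in the comma-separated form.
    return cns[0] if dn.startswith("/") else re.sub(r"\\(.)", r"\1", cns[0])


if __name__ == "__main__":
    print(cn_from_dn(fake_basic_username(SAMPLE_HEADER)))
```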


