On 02.11.2014 15:44, Graham Leggett wrote:
> Currently the application in this case is mod_authnz_ldap. While it
> is possible to build a complex expression to match a series of DNs,
> you are limited in knowing the length of the chain in advance, and in
> my case that isn’t possible - chains may be of arbitrary length.

Given that ssl_var_lookup() is available for use in other modules, and provided that in addition to SSL_CLIENT_S_DN_n, we would export an additional variable with the chain length (SSL_CLIENT_CERT_CHAIN_LENGTH or similar), wouldn't it be possible to do the manipulations required by mod_authnz_ldap in that module?

mod_ssl really seems the wrong place to me for implementing application-specific requirements (such as these "matryoshka doll"-style subject DNs).

Kaspar
