Nicolas, I wanted to follow up on this and see if you had a chance to open a ticket with this information. We've also rewritten our development lifecycle documentation to make the process of getting changes into puppet easier. http://projects.puppetlabs.com/projects/puppet/wiki/Development_Lifecycle
On Tue, Sep 28, 2010 at 2:09 PM, Matt Robinson <[email protected]> wrote:
> Nicolas,
> Thanks for the additional info. More comments below.
>
> On Tue, Sep 28, 2010 at 5:29 AM, Nicolas Bourbaki
> <[email protected]> wrote:
>> Hi,
>>
>> I'm sorry if the first was not clear enough. I'm going to try to be more
>> precise. When using external software to handle the SSL authentication
>> (mongrel, apache, etc.) we have to pass some SSL variables to the
>> puppetmaster. From the puppet documentation:
>> http://projects.puppetlabs.com/projects/puppet/wiki/Using_Passenger
>>
>> [puppetmasterd]
>> ssl_client_header = SSL_CLIENT_S_DN
>>
>> ssl_client_verify_header = SSL_CLIENT_VERIFY
>>
>> So with this configuration puppetmaster explicitly tries to authenticate a
>> client using its Distinguished Name. Then, as I stated in my previous
>> mail, if you have a DN such as "/CN=mynode.example.com/O=MyOrg/L=Anywhere",
>> you will run into problems. In order to make it work I did the following
>> modification to the regex (puppet/network/http/rack/rest.rb and
>> puppet/network/http/rack/xmlrpc.rb):
>>
>> - if dn = request.env[Puppet[:ssl_client_header]] and dn_matchdata
>> =dn.match(/^.*?CN\s*=\s*(.*)/)
>> + if dn = request.env[Puppet[:ssl_client_header]] and dn_matchdata
>> =dn.match(/^.*?CN\s*=\s*(.*)\/O/)
>
> That's what I guessed you might be referring to. In my email I
> mistyped: when I said the regex "wouldn't" cause the problem I
> meant "would". Do you want to open a ticket
> (http://projects.puppetlabs.com/projects/puppet/issues/new) and submit
> a patch? There's a lot of info on contributing here
> http://projects.puppetlabs.com/projects/puppet/wiki/Development_Development_Lifecycle.
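Review bot: anchoring the capture on a literal `/O` in the `+` line (`(.*)\/O`) makes the regex fail outright for any DN that has no O component after the CN, for example `/CN=mynode.example.com` or a DN where O precedes CN, so those clients no longer satisfy the `if` and their CN is never extracted; and since `(.*)` is still greedy, a DN such as `/CN=host/OU=Ops/O=MyOrg` is captured up to the last `/O`, yielding `host/OU=Ops`. Terminate the capture lazily on the next slash or end of string instead, `(.*?)(\/|$)`, as Matt suggests in his reply. The same pattern is edited in both rest.rb and xmlrpc.rb; the patch should change both and preferably hoist the regex into one shared constant so the two copies cannot drift apart.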
> If you submit the patch, I'd say the regex should probably be lazy
> and without the O so that it still captures the CN when there isn't a
> following /O
>
> .match(/^.*?CN\s*=\s*(.*?)(\/|$)/)
>
> This would end the CN capture before any other slash or when it hits
> the end of the string.
>
>> This way, the regex matches the CN and stops at the '/O' pattern which is
>> better in my case. However, I think it would be best if puppetmaster could
>> be configured to use:
>>
>> ssl_client_header = SSL_CLIENT_S_DN_CN
>>
>> Be aware that if you do that with no modification whatsoever, puppetmaster
>> will currently identify your node as "invalid.example.com".
>
> Please open a ticket on this, and in the ticket explain why we should
> use SSL_CLIENT_S_DN_CN instead of SSL_CLIENT_S_DN. I'm honestly not
> sure, so input from someone who knows more about Apache's environment
> variables would be helpful to us in determining if this is something
> we can do. For example, would making this change break compatibility
> with older versions of Apache?
> http://www.modssl.org/docs/2.8/ssl_compat.html#table2
>
> Matt
>

--
You received this message because you are subscribed to the Google Groups "Puppet Developers" group.
To post to this group, send email to [email protected].
To unsubscribe from this group, send email to [email protected].
For more options, visit this group at http://groups.google.com/group/puppet-dev?hl=en.
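The following is an added example, not Puppet's own code and not code posted by anyone in this thread. It runs the three CN-extraction regexes discussed above (the one Puppet shipped, Nicolas's `/O`-anchored patch, and Matt's lazy variant) over constructed DN strings in the slash-separated form quoted in the thread, so the cases where each regex succeeds or fails can be checked directly. The host and organisation names are hypothetical; the `bare_cn` sample stands for the value `SSL_CLIENT_S_DN_CN` would carry, which contains no `CN=` prefix and therefore matches none of the patterns, consistent with the "invalid.example.com" behaviour Nicolas reports.

```ruby
# Added example; not Puppet's code and not from this thread. Compares the three
# CN-extraction regexes discussed on the list against constructed DN strings.

# Regex quoted from puppet/network/http/rack/rest.rb at the time: the capture is
# greedy, so everything after "CN=" is taken, including any RDNs that follow it.
ORIGINAL  = /^.*?CN\s*=\s*(.*)/

# Nicolas's patch: stop at a literal "/O". Only matches when an O RDN follows
# the CN, and the capture before it is still greedy.
PATCHED_O = /^.*?CN\s*=\s*(.*)\/O/

# Matt's suggestion: lazy capture ended by the next "/" or the end of the string.
LAZY      = /^.*?CN\s*=\s*(.*?)(\/|$)/

REGEXES = { original: ORIGINAL, patched_o: PATCHED_O, lazy: LAZY }.freeze

# Constructed sample header values (hypothetical hosts and organisations).
SAMPLE_DNS = {
  cn_first:  "/CN=mynode.example.com/O=MyOrg/L=Anywhere", # the DN from the thread
  cn_last:   "/C=FR/O=MyOrg/CN=mynode.example.com",        # O comes before CN
  cn_only:   "/CN=mynode.example.com",                     # no O component at all
  ou_then_o: "/CN=mynode.example.com/OU=Ops/O=MyOrg",      # two "/O" candidates
  bare_cn:   "mynode.example.com",                         # what SSL_CLIENT_S_DN_CN carries
}.freeze

# Mirrors the shipped condition: the client is only identified when the regex
# matches. Returns the captured CN, or nil when there is no match.
def extract_cn(dn, regex)
  m = dn.match(regex)
  m && m[1]
end

# Runs every regex over every sample.
# Returns { regex_name => { dn_name => captured_cn_or_nil } }.
def compare_regexes(dns = SAMPLE_DNS, regexes = REGEXES)
  regexes.each_with_object({}) do |(rname, re), out|
    out[rname] = dns.transform_values { |dn| extract_cn(dn, re) }
  end
end

if __FILE__ == $PROGRAM_NAME
  compare_regexes.each do |rname, results|
    puts rname
    results.each { |dname, cn| puts "  #{dname.to_s.ljust(10)} => #{cn.inspect}" }
  end
end
```

Running it shows the shipped regex returning `mynode.example.com/O=MyOrg/L=Anywhere` for the thread's DN, the `/O` patch returning nil for the CN-only and O-before-CN samples and `mynode.example.com/OU=Ops` for the sample with two `/O` candidates, and the lazy variant returning `mynode.example.com` for all four slash-form DNs. One caveat for the lazy form: in Ruby `$` matches at end of line rather than end of string, so `\z` is the stricter anchor if a header value could ever contain a newline.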
