Hello,
I've installed mod_auth_radius and am trying to send part of a client
certificate DN as the username.
What I'm doing is:

    SSLCACertificateFile /CA.pem
    <Location /ssltest>
        SSLVerifyClient require
        SSLVerifyDepth 99
        SSLOptions +FakeBasicAuth
        SSLUserName SSL_CLIENT_S_DN_CN
        AuthType basic
        AuthName "Cert"
        AuthBasicProvider radius
        # AuthBasicFake "%{SSL_CLIENT_S_DN_CN}"
        <RequireAny>
            Require valid-user
        </RequireAny>
    </Location>

I haven't found out how to only send part of the DN to Radius.
"SSLOptions +FakeBasicAuth" transmits the entire DN.
Adding "SSLUserName SSL_CLIENT_S_DN_CN" still transmits the entire DN.
Adding "AuthBasicFake "%{SSL_CLIENT_S_DN_CN}"" still transmits the entire DN.
Without "SSLOptions +FakeBasicAuth" no Radius request is ever made,
independently of whether SSLUserName and/or AuthBasicFake is set or not.
How do I send _part of_ the DN to Radius for authentication?
I feel this may have to do with this:
https://bz.apache.org/bugzilla/show_bug.cgi?id=52616
https://bz.apache.org/bugzilla/show_bug.cgi?id=31418
But there haven't been any updates in a long time. What's the current state?
In any case, the server does not seem to behave like the documentation
suggests, see
https://httpd.apache.org/docs/trunk/mod/mod_ssl.html#sslusername
"When the FakeBasicAuth option is enabled, this directive instead
controls the value of the username embedded within the basic
authentication header (see SSLOptions)."
Thanks,
Marki
(Apache 2.4.23)