@dps - I agree comments should be added. I'll put together a detailed 
description of the configuration changes I had to make and the modification 
needed in x509 auth to get it to work.

-Austin

On Wednesday, March 11, 2015 at 1:56:58 PM UTC-4, Dave S wrote:
>
>
>
> On Wednesday, March 11, 2015 at 6:50:28 AM UTC-7, mcm wrote:
>>
>> If you do not have the email you can use the registration_id and username 
>> fields.
>> Most details are in the book: 
>> http://web2py.com/books/default/chapter/29/09/access-control
>>
>
> Would it be appropriate to add some of the comments above into the 
> deployment recipe chapter (#13, 
> http://www.web2py.com/books/default/chapter/29/13/deployment-recipes#Apache-setup), 
> since the X509 section in your link ends with:
>
> "In particular you need to tell your web server where the certificates are 
> located on local host and that it needs to verify certificates coming from 
> the clients. How to do it is web server dependent and therefore omitted 
> here."
>
>
> /dps
>
>
>> 2015-03-11 14:08 GMT+01:00 Michele Comitini <michele....@gmail.com>:
>>
>>> You can read any of the fields a certificate contains eventually.
>>> see here for some ideas: https://code.google.com/p/simpatica/
>>>
>>> It's a working PKI that allows one to generate CSRs and sign them with a 
>>> valid signing certificate
>>>
>>> 2015-03-11 13:48 GMT+01:00 LoveWeb2py <atayl...@gmail.com>:
>>>
>>>> Once authentication happens, how can I make them members of groups? I 
>>>> notice now they don't have an entry in Auth user. Should I have them 
>>>> register first and once they're registered they can use PKI 
>>>> authentication? 
>>>> This is uncharted waters for me so I'm trying to figure out the best 
>>>> approach for it.
>>>>
>>>> On Wednesday, March 11, 2015 at 8:05:48 AM UTC-4, mcm wrote:
>>>>>
>>>>> I am glad someone is using x509 Auth, it is a very simple way to 
>>>>> handle user security.
>>>>>
>>>>> One important piece of the puzzle (with apache) is:
>>>>>
>>>>> SSLVerifyClient optional
>>>>>
>>>>> The optional allows one to accept any user on the website, while 
>>>>> having some web2py actions require a valid user certificate 
>>>>> just by adding the standard @auth.requires_login()
>>>>>
>>>>>  ## Client Authentication (Type):
>>>>>         # Client certificate verification type and depth. Types are none, optional,
>>>>>         # require and optional_no_ca. Depth is a number which specifies how deeply
>>>>>         # to verify the certificate issuer chain before deciding the certificate is
>>>>>         # not valid.
>>>>>         #SSLVerifyClient require
>>>>>         #SSLVerifyDepth  10
>>>>>
>>>>>
>>>>> 2015-03-11 12:27 GMT+01:00 LoveWeb2py <atayl...@gmail.com>:
>>>>>
>>>>>> Those are exactly the two I don't have so far. From the list I saw in 
>>>>>> another post, I have:
>>>>>>
>>>>>> SSL_CIPHER, SSL_CLIENT_I_DN, SSL_CLIENT_CERT, SSL_CLIENT_VERIFY
>>>>>>
>>>>>> The following are not being passed (probably a problem with my 
>>>>>> ssl.conf):
>>>>>> SSL_CLIENT_RAW_CERT, SSL_SESSION_ID, SSL_CLIENT_SERIAL
>>>>>>
>>>>>> Almost there! :) I'll post the fix when I find it
>>>>>>
>>>>>>
>>>>>> On Tuesday, March 10, 2015 at 7:56:45 PM UTC-4, Niphlod wrote:
>>>>>>>
>>>>>>> debug it, debug it, debug it.
>>>>>>>
>>>>>>> AFAICS, x509_auth.py requires:
>>>>>>>
>>>>>>> ssl_client_raw_cert
>>>>>>> optional ssl_client_serial
>>>>>>>
>>>>>>> On Wednesday, March 11, 2015 at 12:04:51 AM UTC+1, LoveWeb2py wrote:
>>>>>>>>
>>>>>>>> So I did {{=request.env}} and I can see the SSL DATA certificate in 
>>>>>>>> another app, but for some reason the app that requires the data isn't 
>>>>>>>> being passed. Going to keep troubleshooting that app because I really 
>>>>>>>> want to use the x509 authentication with web2py!!
>>>>>>>>
>>>>>>>> For some reason the x509 auth isn't working still. Going to keep 
>>>>>>>> pressing and will post a fix when I find it. Thank you so much for 
>>>>>>>> your help Niphlod. I hope this helps others in the future!
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> On Tuesday, March 10, 2015 at 6:40:29 PM UTC-4, Niphlod wrote:
>>>>>>>>>
>>>>>>>>> what if you return somewhere this dict (takes the "SSL*" env 
>>>>>>>>> variables and prints it) 
>>>>>>>>>
>>>>>>>>> def yourcode():
>>>>>>>>>     # ... your existing action code ...
>>>>>>>>>     # collect every SSL* variable the web server passed to web2py
>>>>>>>>>     debug_values = {}
>>>>>>>>>     for k, v in request.env.items():
>>>>>>>>>         if k.lower().startswith('ssl'):
>>>>>>>>>             debug_values[k] = v
>>>>>>>>>     # ... add debug_values to whatever the action already returns ...
>>>>>>>>>     return dict(debug_values=debug_values)
>>>>>>>>>
>>>>>>>>> just to see if those get indeed passed along.
>>>>>>>>>
>>>>>>>>>  -- 
>>>>>> Resources:
>>>>>> - http://web2py.com
>>>>>> - http://web2py.com/book (Documentation)
>>>>>> - http://github.com/web2py/web2py (Source code)
>>>>>> - https://code.google.com/p/web2py/issues/list (Report Issues)
>>>>>> --- 
>>>>>> You received this message because you are subscribed to the Google 
>>>>>> Groups "web2py-users" group.
>>>>>> To unsubscribe from this group and stop receiving emails from it, 
>>>>>> send an email to web2py+un...@googlegroups.com.
>>>>>> For more options, visit https://groups.google.com/d/optout.
>>>>>>
>>>>>
>>>>
>>>
>>>
>>
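
Added example, not part of the original thread and not web2py's own code: a helper that extends the debug snippet quoted above by checking an environment dict for the variables the thread says x509_auth.py reads, and for mod_ssl's SSL_CLIENT_VERIFY result, which matters once SSLVerifyClient is set to optional. The function name, report keys and sample values are assumptions constructed for illustration.

```python
# Added diagnostic sketch; not web2py or x509_auth.py code.
# Variable names are the ones quoted in the thread. "SUCCESS" is the value
# mod_ssl puts in SSL_CLIENT_VERIFY after a successful chain verification.

REQUIRED = ("ssl_client_raw_cert",)  # per the thread: x509_auth.py requires it
OPTIONAL = ("ssl_client_serial",)    # per the thread: optional


def _missing(names, ssl_vars):
    """Names that are absent or empty in the collected SSL variables."""
    return [n for n in names if not ssl_vars.get(n)]


def diagnose_ssl_env(env):
    """Report which client-certificate variables reached the application."""
    ssl_vars = dict((k.lower(), v) for k, v in env.items()
                    if k.lower().startswith("ssl"))
    report = {
        "seen": sorted(ssl_vars),
        "missing_required": _missing(REQUIRED, ssl_vars),
        "missing_optional": _missing(OPTIONAL, ssl_vars),
        "verified": ssl_vars.get("ssl_client_verify") == "SUCCESS",
        "notes": [],
    }
    if report["missing_required"] and ssl_vars.get("ssl_client_cert"):
        report["notes"].append(
            "a certificate is present as SSL_CLIENT_CERT, but not under "
            "the name the thread says x509_auth.py reads")
    if not report["verified"]:
        report["notes"].append(
            "SSL_CLIENT_VERIFY is not SUCCESS: with SSLVerifyClient optional "
            "a request may arrive without a verified certificate")
    report["usable"] = report["verified"] and not report["missing_required"]
    return report


# Constructed sample: the variables the poster reported seeing under Apache.
SAMPLE_ENV = {
    "SSL_CIPHER": "ECDHE-RSA-AES256-GCM-SHA384",
    "SSL_CLIENT_I_DN": "CN=Example Test CA",
    "SSL_CLIENT_CERT": "-----BEGIN CERTIFICATE-----\n(constructed)\n",
    "SSL_CLIENT_VERIFY": "SUCCESS",
    "REQUEST_METHOD": "GET",
}

if __name__ == "__main__":
    for key, value in sorted(diagnose_ssl_env(SAMPLE_ENV).items()):
        print("%s = %r" % (key, value))
```

In a web2py action the same function can be called with request.env in place of SAMPLE_ENV.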
