
Re: Logging SSL-authenticated users

From: Martin v. Löwis <martin_at_v.loewis.de>
Date: 2003-05-15 10:30:35 CEST

Sander Striker wrote:

> Grmbl. Indeed, mod_ssl sets the Authorization header internally,
> so you need to 'Require valid-user' as well, otherwise r->user won't
> get set.

Please see my response to Ben. If I do that, I also need AuthType Basic.
If I do that, I also need an AuthUserFile. If I do that, I get a
commit failure, as the MERGE request fails (even though earlier requests
in the same commit operation succeed). Apache logs my DN in these
earlier requests, so at least that part seems to work.

However, even if it would work, it would be unsatisfying. I only want
the CN to show up in the SVN log. The full DN might be useful in a
global PKI, but is too verbose to identify users.

> mod_authn_ssl anyone? ;)

It may be the case that this can be fixed with a new module, or
with a new feature in the SSL module, e.g.

SSLUserName %{SSL_CLIENT_S_DN_CN}

However, I believe it can *also* be fixed inside mod_dav_svn, by
hard-coding a find-the-user strategy:
1. If req->user is non-null and non-empty, use that
2. If not, see if there is a SSL subject CN; if so, use that.
3. If not, see if there is a SSL subject Email; if so, use that.
4. If not, see if there is a SSL subject uid; if so, use that.
5. If not, log an anonymous access.

That strategy would satisfy my needs. If users would request
different strategies, you could still offer

SVNUserName %{SSL_CLIENT_S_DN_CN}

or, even more powerful

SVNUserName %{REMOTE_USER} or %{SSL_CLIENT_S_DN_CN} \
    or %{SSL_CLIENT_S_DN_Email}

Regards,
Martin
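As an added example (not code from this thread or from mod_dav_svn), the five-step find-the-user fallback proposed above in C, written against a small stand-in for Apache's r->user and r->subprocess_env so it builds without httpd headers. The SSL_CLIENT_VERIFY gate before consulting certificate fields is an assumption added here, as is the "SSLOptions +StdEnvVars" deployment that exposes the SSL_CLIENT_S_DN_* variables.

```c
/* Added example, not from the thread or from mod_dav_svn: the five-step
 * find-the-user fallback proposed above, written against a tiny stand-in for
 * Apache's r->user and r->subprocess_env so it builds without httpd headers.
 * In a real module the lookups would be apr_table_get(r->subprocess_env, ...)
 * with "SSLOptions +StdEnvVars" enabled (a deployment assumption). */
#include <string.h>

/* Stand-in for request_rec: the authenticated user plus a NULL-terminated
 * array of "KEY=VALUE" strings that mimics subprocess_env. */
struct fake_req {
    const char *user;
    const char **env;
};

static const char *env_get(const struct fake_req *r, const char *key) {
    size_t klen = strlen(key);
    for (const char **e = r->env; e != NULL && *e != NULL; e++) {
        if (strncmp(*e, key, klen) == 0 && (*e)[klen] == '=')
            return *e + klen + 1;
    }
    return NULL;
}

static int nonempty(const char *s) { return s != NULL && *s != '\0'; }

/* Returns the name to record in the SVN log; "(anonymous)" is step 5. */
const char *find_user(const struct fake_req *r) {
    /* Step 1: an auth module already set r->user (e.g. Require valid-user). */
    if (nonempty(r->user))
        return r->user;
    /* Added gate (not in the thread): only consult certificate fields when
     * mod_ssl reports the client chain as verified; the CN of an unverified
     * certificate is chosen by the client and must not become a log identity. */
    const char *verify = env_get(r, "SSL_CLIENT_VERIFY");
    if (verify == NULL || strcmp(verify, "SUCCESS") != 0)
        return "(anonymous)";
    /* Steps 2-4: subject CN, then Email, then UID; first non-empty wins. */
    static const char *const keys[] = {
        "SSL_CLIENT_S_DN_CN", "SSL_CLIENT_S_DN_Email", "SSL_CLIENT_S_DN_UID"};
    for (size_t i = 0; i < sizeof keys / sizeof keys[0]; i++) {
        const char *v = env_get(r, keys[i]);
        if (nonempty(v))
            return v;
    }
    return "(anonymous)"; /* Step 5: nothing usable, log anonymous access */
}
```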

Received on Thu May 15 10:31:52 2003

This is an archived mail posted to the Subversion Dev mailing list.
