
X509 Authorization: Names are way too Long

From: Travis P <svn_at_castle.fastmail.fm>
Date: 2004-01-18 07:48:07 CET

To use authz_svn_module, I have the following Location in httpd.conf:

<Location /svn>
  SSLRequireSSL
  SSLOptions +FakeBasicAuth +StrictRequire

  DAV svn
  SVNPath /tmp/twp/repos

  # only authenticated users may access the repository
  Require valid-user
  AuthType Basic
  AuthName "Subversion repository"
  AuthUserFile /pkg/httpd-2.0.48/conf/htpasses

  # our access control policy
  AuthzSVNAccessFile /pkg/httpd-2.0.48/conf/svn-access

  SVNIndexXSLT "/svnindex.xsl"

</Location>

(Elsewhere in the global space, I also have "SSLVerifyClient require"
set).

My htpasses file contains:
/C=US/ST=Texas/L=Austin/O=IBM/OU=Dept xxxx Experimental SVN service/CN=Travis Pouarz/emailAddress=<emailAddress>:JJ4IWbq/LzMKs

The password is just "password" as is required for "FakeBasicAuth."
The "SSLOptions +FakeBasicAuth" technique should probably be mentioned
in the book. It's a missing link without which certificate
authorization is less useful than basic.

As you can see, the user name becomes the SSL_CLIENT_S_DN name (env var
that mod_ssl pulls from the certificate and sets).

That's a very long name to be using in my AuthzSVNAccessFile, but I can
live with it. I'm worried that that will show up as svn:author and in
other places.
(As my other email entitled "URL does not accept port as valid syntax
for svn client" relates, I'm unable yet to use "svn" to write to the
depository via the https protocol and thus see where it turns up.)

Maybe a mapping technique is in order to go from basic-authorized user
name -> svn repository user name. Or maybe we could bypass the
FakeBasicAuth and just recognize SSL_CLIENT_S_DN and map that.

I'm using subversion 0.36.0.

-Travis Pouarz

Received on Sun Jan 18 07:48:45 2004
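
The DN-to-short-name mapping proposed in this message, sketched as an added example (not part of the original post, and not Subversion or mod_ssl code). The map-file format, the short-name policy and all function names are assumptions, and the sample DNs are constructed. It keys on the full subject DN and reports CNs shared by several DNs, which is why a CN-only lookup would be unsafe.

```python
import re
SHORT_NAME = re.compile(r"[a-z][a-z0-9_.-]{0,31}")  # assumed short-name policy
SAMPLE_MAP = """# constructed sample entries, not taken from the post
jdoe   /C=US/ST=Texas/O=Example Corp/OU=Build/CN=Jane Doe/emailAddress=jdoe@example.com
jdoe2  /C=US/ST=Texas/O=Example Corp/OU=QA/Test/CN=Jane Doe/emailAddress=jane@example.com
"""

def parse_dn(dn):
    """Split a one-line DN ('/C=US/O=Org/CN=Name') into (attribute, value) pairs."""
    if not dn.startswith("/"):
        raise ValueError("not a one-line DN: %r" % dn)
    pairs = []
    for segment in dn[1:].split("/"):
        attr, eq, value = segment.partition("=")
        if eq and attr.isalnum():
            pairs.append([attr, value])
        elif pairs:
            # '/' is not escaped here, so this is a guess: use the pairs for reports only.
            pairs[-1][1] += "/" + segment
        else:
            raise ValueError("DN does not start with attr=value: %r" % dn)
    return [tuple(p) for p in pairs]

def load_map(text):
    """Read 'short-name <whitespace> full DN' lines into {full DN: short name}."""
    by_dn = {}
    for n, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        short, dn = (line.split(None, 1) + [""])[:2]
        if not SHORT_NAME.fullmatch(short):
            raise ValueError("line %d: bad short name %r" % (n, short))
        parse_dn(dn)  # raises if the right-hand side is not a DN
        if dn in by_dn or short in by_dn.values():
            raise ValueError("line %d: duplicate short name or DN" % n)
        by_dn[dn] = short
    return by_dn

def resolve(subject_dn, by_dn):
    return by_dn.get(subject_dn)  # exact full-DN match or None (deny); no CN fallback

def shared_cns(by_dn):
    """CNs that occur under more than one mapped DN, with the short names involved."""
    owners = {}
    for dn, short in by_dn.items():
        for cn in (v for a, v in parse_dn(dn) if a == "CN"):
            owners.setdefault(cn, []).append(short)
    return {cn: sorted(names) for cn, names in owners.items() if len(names) > 1}
```

`resolve()` would be called with the value of SSL_CLIENT_S_DN; a `None` result means the certificate has no mapped repository user.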

This is an archived mail posted to the Subversion Users mailing list.
