
HOWTO: Subversion Client Cert. with User Id's Parsed from the Certificate

From: Eric White <ericdwhite_at_gmail.com>
Date: 2005-01-02 19:54:37 CET

Background:

I noticed that the fully qualified distinguished name was used as the user
id for commits to the subversion repository. I also noticed that there was
no obvious solution for changing the user id using FakeBasicAuth. However,
after a couple of hours of searching I did find a solution using some perl
scripts.

You need at least the following:
mod_perl 2.0 (mod_perl 1.0 won't work)
Apache2
Perl

Steps:
1. Get your client certificates working with subversion.

Namely don't attempt this until you are sure you can at least get one
successful commit with the distinguished name (DN) as the user id.

2. Add the following perl module to your perl lib. Mine was in
/usr/lib/perl5

Include everything between >>>>>> Code Start and >>>>>> Code End

>>>>>>Code Start : /usr/lib/perl5/numaxima/Auth.pm
#
# Based on http://www.modpython.org/pipermail/mod_python/2003-October/014244.html
#
# Environment Variables:
# http://www.modssl.org/docs/2.2/ssl_reference.html#ToC22

package numaxima::Auth;

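use strict;
# These are the module names used by the mod_perl 2.0 pre-releases; the final
# mod_perl 2.0 release renamed the Apache:: namespace to Apache2::.
use Apache::Const qw(:common);
use Apache::RequestUtil ();
use Apache::RequestRec ();
use Apache::SubRequest ();
use APR::Table ();
use Apache::Log ();

sub authen_handler{
       my $r = shift;

       # Subrequests (including the one made below) pass straight through.
       return OK unless $r->is_initial_req();

       # The SSL_* variables are read from a subrequest's environment
       # (they are exported because of SSLOptions +StdEnvVars).
       my $subr = $r->lookup_uri($r->unparsed_uri());
       my $env = $subr->subprocess_env;

       # ClientCertUserVar names the SSL variable that holds the user id.
       my $var = $r->dir_config("ClientCertUserVar");
       my $certu = defined $var ? $env->get($var) : undef;

       # Refuse the request if the certificate supplied no user id,
       # instead of returning OK with an undefined user.
       unless (defined $certu && length $certu) {
              $r->log->error("No user id found in client certificate");
              return FORBIDDEN;
       }
       my $username = $certu;

       $r->log->info("Client Certificate Username: ", $certu);
       $r->user( $username );
       return OK;
}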
1;
__END__
>>>>>>Code End : /usr/lib/perl5/numaxima/Auth.pm

3. Change your Apache2 SSL Configuration File (e.g. ssl.conf, etc)

You can use any SSL Variable to set the user id. I have chosen
SSL_CLIENT_S_DN_EMAIL, but SSL_CLIENT_S_DN_CN is probably also useful.

Note you must have: SSLOptions +StdEnvVars
Note: the user id will be logged at the 'info' log level in your
apache logs.

Snip...
# Possible values include: debug, info, notice, warn, error, crit,
# alert, emerg.
LogLevel info

SSLVerifyClient optional

PerlModule numaxima::Auth
<Location /xxx/svn>
       SSLVerifyClient require
       SSLVerifyDepth 1
       SSLRequireSSL
       SSLOptions +StdEnvVars
       PerlAuthenHandler numaxima::Auth::authen_handler
       PerlSetVar ClientCertUserVar "SSL_CLIENT_S_DN_EMAIL"
       AuthType Basic
       AuthName "SSL Client Certificate"
       Require valid-user

       DAV svn
       SVNParentPath /xxx/svn-install/repositories
       AuthzSVNAccessFile /xxx/svn-install/config/svn-auth-repo
</Location>
Snip...

4. Test that you can still get to your repository through the browser
5. Test a checkout
6. Test a commit
7. Review your commit with $svn log <the file you committed>

Regards,
Eric

ps. Sorry if this ends up posted twice. My first attempt seems to have failed.

Received on Sun Jan 2 19:58:31 2005

This is an archived mail posted to the Subversion Users mailing list.
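
Added example (not part of the original post, and not code from mod_perl or Subversion): the user-id selection done by the handler in step 2, pulled out into a plain Perl function so the missing-field and malformed-value cases can be checked without Apache. The function name `cert_user_id`, the character policy and the sample environments are assumptions constructed for illustration.

```perl
#!/usr/bin/perl
# Added example, not from the original post: the handler's user-id selection
# as a stand-alone function that can be exercised without Apache or mod_perl.
use strict;
use warnings;

# Hypothetical helper. $env is a hash of mod_ssl variables (what
# "SSLOptions +StdEnvVars" exports); $var is the ClientCertUserVar setting.
# Returns the user id, or undef when the request should be refused.
sub cert_user_id {
    my ($env, $var) = @_;
    return undef unless defined $var && length $var;

    my $id = $env->{$var};
    # A certificate whose subject lacks the chosen field leaves the variable
    # unset; refuse instead of letting a commit through with no author.
    return undef unless defined $id && length $id;

    # Assumed policy: printable ASCII without whitespace, at most 254 bytes,
    # so the id cannot split a log line or an authz file entry.
    return undef unless $id =~ /\A[\x21-\x7e]{1,254}\z/;

    return $id;
}

# Constructed sample environments (not taken from real certificates).
my @cases = (
    [ 'e-mail present', 'SSL_CLIENT_S_DN_EMAIL',
      { SSL_CLIENT_S_DN_EMAIL => 'alice@example.com' } ],
    [ 'no e-mail in subject', 'SSL_CLIENT_S_DN_EMAIL',
      { SSL_CLIENT_S_DN_CN => 'Alice Example' } ],
    [ 'embedded newline', 'SSL_CLIENT_S_DN_EMAIL',
      { SSL_CLIENT_S_DN_EMAIL => "alice\@example.com\nbob" } ],
    [ 'ClientCertUserVar not set', undef,
      { SSL_CLIENT_S_DN_EMAIL => 'alice@example.com' } ],
);

for my $case (@cases) {
    my ($label, $var, $env) = @$case;
    my $id = cert_user_id($env, $var);
    printf "%-26s => %s\n", $label, defined $id ? "user=$id" : 'refused';
}
```

Whatever value the function accepts is the name that appears as the commit author and that the file given to AuthzSVNAccessFile has to list.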