Background:
I noticed that the fully qualified distinguished name was used as the user
id for commits to the subversion repository. I also noticed that there was
no obvious solution for changing the user id using FakeBasicAuth. However,
after a couple of hours of searching I did find a solution using some perl
scripts.
You need at least the following:
mod_perl 2.0 (mod_perl 1.0 won't work)
Apache2
Perl
Steps:
1. Get your client certificates working with subversion.
Namely don't attempt this until you are sure you can at least get one
successful commit with the distinguished name (DN) as the user id.
2. Add the following Perl module to your Perl lib. Mine was in
/usr/lib/perl5
Include everything between >>>>>> Code Start and >>>>>> Code End
>>>>>>Code Start : /usr/lib/perl5/numaxima/Auth.pm
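#
# Based on http://www.modpython.org/pipermail/mod_python/2003-October/014244.html
#
# Environment Variables:
# http://www.modssl.org/docs/2.2/ssl_reference.html#ToC22
#
# Note: released mod_perl 2.0 uses the Apache2:: namespace (Apache2::Const,
# Apache2::RequestUtil, ...); the Apache:: names below are the pre-release ones.
package numaxima::Auth;

use strict;

use Apache::Const qw(:common);
use Apache::RequestUtil ();
use Apache::RequestRec ();
use Apache::SubRequest ();
use APR::Table ();
use Apache::Log ();

sub authen_handler {
    my $r = shift;

    # Only act on the initial request, not on the sub-request made below.
    return OK unless $r->is_initial_req();

    # The SSL_* variables are not yet set when this handler runs, so run a
    # sub-request for the same URI and read them from its environment.
    my $subr = $r->lookup_uri($r->unparsed_uri());
    my $env  = $subr->subprocess_env;

    # ClientCertUserVar (PerlSetVar) names the SSL variable to use.
    my $certu = $env->get($r->dir_config("ClientCertUserVar"));

    # Refuse the request when the certificate lacks that field, rather
    # than continuing with an empty user id.
    return FORBIDDEN unless defined $certu && length $certu;

    my $username = $certu;
    $r->log->info("Client Certificate Username: ", $certu);
    $r->user($username);
    return OK;
}

1;
__END__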
>>>>>>Code End : /usr/lib/perl5/numaxima/Auth.pm
3. Change your Apache2 SSL Configuration File (e.g. ssl.conf, etc)
You can use any SSL Variable to set the user id. I have chosen
SSL_CLIENT_S_DN_EMAIL, but SSL_CLIENT_S_DN_CN is probably also useful.
Note you must have: SSLOptions +StdEnvVars
Note: the user id will be logged at the 'info' log level in your
apache logs.
Snip...
# Possible values include: debug, info, notice, warn, error, crit,
# alert, emerg.
LogLevel info
SSLVerifyClient optional
PerlModule numaxima::Auth
<Location /xxx/svn>
    SSLVerifyClient require
    SSLVerifyDepth 1
    SSLRequireSSL
    SSLOptions +StdEnvVars
    PerlAuthenHandler numaxima::Auth::authen_handler
    PerlSetVar ClientCertUserVar "SSL_CLIENT_S_DN_EMAIL"
    AuthType Basic
    AuthName "SSL Client Certificate"
    Require valid-user
    DAV svn
    SVNParentPath /xxx/svn-install/repositories
    AuthzSVNAccessFile /xxx/svn-install/config/svn-auth-repo
</Location>
Snip...
4. Test that you can still get to your repository through the browser
5. Test a checkout
6. Test a commit
7. Review your commit with $ svn log <the file you committed>
Regards,
Eric
ps. Sorry if this ends up posted twice. My first attempt seems to have failed.
Received on Sun Jan 2 19:58:31 2005
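
An added example, not part of the original post: a validation step that could run on the certificate value before `$r->user(...)` is called, since that value ends up as the svn author, in the Apache log and in the AuthzSVNAccessFile lookup. The helper name `cert_user_id`, the 128-character limit, the accepted address shape and the sample values are assumptions made for illustration; it is plain Perl and needs no mod_perl.

```perl
use strict;
use warnings;

# Hypothetical helper: return a usable user id taken from the SSL variable
# named by $var, or nothing when the value must not become an identity.
sub cert_user_id {
    my ($env, $var) = @_;
    my $value = $env->{$var};

    # The certificate has no such field (e.g. no e-mail in the subject).
    return unless defined $value && length $value;

    # No control characters, no leading or trailing whitespace, bounded size.
    return if $value =~ /[\x00-\x1f\x7f]/;
    return if $value =~ /\A\s|\s\z/;
    return if length($value) > 128;    # assumed limit

    if (uc($var) eq 'SSL_CLIENT_S_DN_EMAIL') {
        # \A and \z anchor the whole string; "$" would allow a trailing newline.
        return unless $value =~ /\A[A-Za-z0-9._+-]+\@[A-Za-z0-9.-]+\z/;
        $value = lc $value;            # one spelling per user in the authz file
    }
    return $value;
}

# Constructed sample environments (not taken from real certificates).
my @cases = (
    [ 'normal e-mail',    { SSL_CLIENT_S_DN_EMAIL => 'Eric@Example.org' } ],
    [ 'no e-mail field',  { SSL_CLIENT_S_DN_CN    => 'Eric' } ],
    [ 'embedded newline', { SSL_CLIENT_S_DN_EMAIL => "eric\@example.org\nadmin" } ],
    [ 'padded value',     { SSL_CLIENT_S_DN_EMAIL => ' eric@example.org' } ],
);

for my $case (@cases) {
    my ($label, $env) = @$case;
    my $id = cert_user_id($env, 'SSL_CLIENT_S_DN_EMAIL');
    printf "%-18s => %s\n", $label,
        defined $id ? "user id '$id'" : 'rejected (handler would return FORBIDDEN)';
}
```

In the handler, the same function would be called with `$env` replaced by a hash built from the sub-request's environment, returning FORBIDDEN when it yields nothing.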