
HOWTO: Subversion Client Cert. with User Id's Parsed from the Certificate

From: Eric White <ericdwhite_at_hotmail.com>
Date: 2005-01-01 23:03:35 CET

Background:

I noticed that the fully qualified distinguished name was used as the user
id for commits to the subversion repository. I also noticed that there was
no obvious solution for changing the user id using FakeBasicAuth. However,
after a couple of hours of searching I did find a solution using some perl
scripts.

You need at least the following:
mod_perl 2.0 (mod_perl 1.0 won't work)
Apache2
Perl

Steps:
1. Get your client certificates working with subversion.

Namely don't attempt this until you are sure you can at least get one
successful commit with the distinguished name (DN) as the user id.

2. Add the following perl module to your perl lib. Mine was in
/usr/lib/perl5

Include everything between >>>>>> Code Start and >>>>>> Code End

>>>>>>Code Start : /usr/lib/perl5/numaxima/Auth.pm
#
# Based on http://www.modpython.org/pipermail/mod_python/2003-October/014244.html
#
# Environment Variables:
# http://www.modssl.org/docs/2.2/ssl_reference.html#ToC22

package numaxima::Auth;

use strict;
use Apache::Const qw(:common);
use Apache::RequestUtil ();
use Apache::RequestRec ();
use Apache::SubRequest ();
use APR::Table ();
use Apache::Log ();

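sub authen_handler{
        my $r = shift;

        # Only authenticate the initial request; subrequests are passed through.
        return OK unless $r->is_initial_req();

        # Look the URI up as a subrequest and read the SSL_* variables
        # from its environment.
        my $subr = $r->lookup_uri($r->unparsed_uri());
        my $env = $subr->subprocess_env;

        # ClientCertUserVar names the SSL variable that holds the user id.
        my $certu = $env->get($r->dir_config("ClientCertUserVar"));

        # Refuse the request if the certificate has no value for that
        # variable, instead of continuing with an undefined user id.
        unless (defined $certu && length $certu) {
                $r->log->error("No client certificate user id found");
                return FORBIDDEN;
        }
        my $username = $certu;

        $r->log->info("Client Certificate Username:", $certu);
        $r->user( $username );
        return OK;
}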
1;
__END__
>>>>>>Code End : /usr/lib/perl5/numaxima/Auth.pm

3. Change your Apache2 SSL Configuration File (e.g. ssl.conf, etc)

You can use any SSL Variable to set the user id. I have chosen
SSL_CLIENT_S_DN_EMAIL, but SSL_CLIENT_S_DN_CN is probably also useful.

Note you must have: SSLOptions +StdEnvVars
Note: the user id will be logged at the 'info' log level in your
apache logs.

Snip...
# Possible values include: debug, info, notice, warn, error, crit,
# alert, emerg.
LogLevel info

SSLVerifyClient optional

PerlModule numaxima::Auth
<Location /xxx/svn>
        SSLVerifyClient require
        SSLVerifyDepth 1
        SSLRequireSSL
        SSLOptions +StdEnvVars
        PerlAuthenHandler numaxima::Auth::authen_handler
        PerlSetVar ClientCertUserVar "SSL_CLIENT_S_DN_EMAIL"
        AuthType Basic
        AuthName "SSL Client Certificate"
        Require valid-user

        DAV svn
        SVNParentPath /xxx/svn-install/repositories
        AuthzSVNAccessFile /xxx/svn-install/config/svn-auth-repo
</Location>
Snip...

4. Test that you can still get to your repository through the browser
5. Test a checkout
6. Test a commit
7. Review your commit with $svn log <the file you committed>

Regards,
ericdwhite at h_o_t_mail dot com

Received on Sun Jan 2 21:03:40 2005

This is an archived mail posted to the Subversion Users mailing list.
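
A check that could sit between reading the SSL variable and calling $r->user in the handler above, so that only a well-formed value becomes the commit author. This is an added example, not part of the original post; the helper name cert_user_id, its 'email'/'cn' labels, the 128-character limit and the sample values are all assumptions.

```perl
#!/usr/bin/perl
# Added example: validate a certificate-derived value before it is used
# as the Subversion user id. Plain Perl, no mod_perl needed to run it.
use strict;
use warnings;

# Hypothetical helper (not in the original module). Returns a normalised
# user id, or undef if the value must not be used as a user id.
sub cert_user_id {
    my ($value, $kind) = @_;          # $kind: 'email' or 'cn' (assumed labels)
    return unless defined $value;
    $value =~ s/^\s+|\s+$//g;         # trim surrounding whitespace
    return if $value eq '' || length($value) > 128;
    # Control characters would corrupt log lines and svn:author values.
    return if $value =~ /[\x00-\x1f\x7f]/;
    if ($kind eq 'email') {
        # Deliberately strict: one '@', no spaces, quotes or wildcards.
        return unless $value =~ /\A[A-Za-z0-9._+-]+\@[A-Za-z0-9.-]+\z/;
        return lc $value;             # one consistent spelling for the authz file
    }
    # Common Name: letters, digits, space and a few separators only.
    return unless $value =~ /\A[A-Za-z0-9 ._-]+\z/;
    return $value;
}

# Constructed sample values, as they might arrive in the SSL variable.
my @samples = (
    [ 'Eric.White@Example.com',     'email' ],
    [ "eve\@example.com\nfake log", 'email' ],   # embedded newline
    [ undef,                        'email' ],   # certificate without an e-mail field
    [ 'Build Server 01',            'cn'    ],
    [ '*',                          'cn'    ],   # wildcard-looking value
);

for my $s (@samples) {
    my ($raw, $kind) = @$s;
    my $id = cert_user_id($raw, $kind);
    printf "%-5s %-28s => %s\n", $kind,
        defined $raw ? join('\n', split /\n/, $raw) : '(undef)',
        defined $id  ? $id : 'REJECTED';
}
```

Only the first and fourth samples are accepted; the first is lower-cased to eric.white@example.com.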