[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

Re: Escaping characters in authz usernames

From: Stefan Sperling <stsp_at_elego.de>
Date: Mon, 8 Oct 2012 19:03:52 +0200

On Mon, Oct 08, 2012 at 09:29:48AM -0700, Damon Wischik wrote:
> I have some usernames which contain the '=' character, and I can't
> figure out how to refer to them in the authz file.
>
> I'm using Apache2 to serve a subversion repository, and I'm using
> client certificates with FakeBasicAuth. This means that a user has to
> provide a client certificate, and Apache takes the subject line of the
> certificate, and uses that as the username. For example, a username
> might be "/CN=Damon Wischik".
>
> I've tried all the ways of escaping/quoting I can think of (single
> quotes, double quotes, backtick, double the equal sign, \=), but all
> of them lead to an Apache error message like "Failed to load the
> AuthzSVNAccessFile: The character 'D' in rule '/CN' is not allowed in
> authz rules".
>
> I've seen some previous questions here about "How do I escape @ in
> authz?" and "How do I escape [] in authz?" but no answer apart from a
> discussion about patching which was beyond me.
>
> Slightly off-topic -- if I can't have usernames with '=' in authz,
> does anyone know how to tell Apache FakeBasicAuth to use something
> else for its username, or is there a way to get authz to do username
> cleaning/munging before it tests access?
>
> Thanks,
> Damon.

Have you considered setting up aliases as described here?
http://svnbook.red-bean.com/en/1.7/svn.serverconfig.pathbasedauthz.html

  Some authentication systems expect and carry relatively short usernames of
  the sorts we've been describing here—harry, sally, joe, and so on. But other
  authentication systems—such as those which use LDAP stores or SSL client
  certificates—may carry much more complex usernames. For example, Harry's
  username in an LDAP-protected system might be CN=Harold
  Hacker,OU=Engineers,DC=red-bean,DC=com. With usernames like that, the access
  file can become quite bloated with long or obscure usernames that are easy to
  mistype. Fortunately, username aliases allow you to have to type the correct
  complex username only once, in a statement which assigns to it a more easily
  digestable alias.
  
  [aliases]
  harry = CN=Harold Hacker,OU=Engineers,DC=red-bean,DC=com
  sally = CN=Sally Swatterbug,OU=Engineers,DC=red-bean,DC=com
  joe = CN=Gerald I. Joseph,OU=Engineers,DC=red-bean,DC=com
Received on 2012-10-08 19:04:34 CEST

This is an archived mail posted to the Subversion Users mailing list.

This site is subject to the Apache Privacy Policy and the Apache Public Forum Archive Policy.