X509 login patches

Steve Traylen steve.traylen at cern.ch
Mon Dec 14 19:32:50 UTC 2009


On Mon, Dec 14, 2009 at 8:03 PM, Christos Triantafyllidis
<ctria at grid.auth.gr> wrote:
> Hi all and welcome me to the list :),
>
>    I've been using koji for a few weeks and I needed X509 authentication.
> Unfortunately current support for x509 was limited to:
> a) Use of the CN part only from the subject DN as the username
>  Although traditionally CN can be the "username" of the user there are cases
> (like in our PKI) where CN is just "Christos Triantafyllidis" and of course
> many users can have the same name but different DNs. To avoid this but also
> keep the backwards compatibility I have introduced a new variable to be
> exported by both apache config (for git-web) and hub.conf (for the rest of
> the tools) called EnvVarForUserName which defines which variable to use as
> Username. For my case I have "EnvVarForUserName = SSL_CLIENT_S_DN" which
> uses the whole DN as username.

What did you do about the email address? It normally uses CN at configured.org

I should look at the patch of course.
Steve

>
> b) Keep asking the user to provide their pass-phrase many times for the
> same operation
>  This leads (IMHO) many users to use password-less certificates.
> Unfortunately this is not acceptable according to our PKI policy so I added
> a callback to cache the passphrase within each koji execution.
>
>  I have created some patches for both these limitations and I have uploaded
> them to my git repository[1]. Feel free to use/clone them.
>
> Best regards,
> Christos Triantafyllidis
>
> [1] http://git.afroditi.hellasgrid.gr/git/grid.auth.gr/koji.git



-- 
Steve Traylen
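
Added example, not part of the original message and not koji's code or the patch itself: a sketch of the username selection described in point (a), showing that two certificates sharing a CN map to one login name unless EnvVarForUserName points at the full subject DN. The helper names, the CN-only default of SSL_CLIENT_S_DN_CN, the SSL_CLIENT_VERIFY check and the sample DNs are assumptions made for illustration.

```python
from collections import defaultdict

CN_VAR = "SSL_CLIENT_S_DN_CN"  # mod_ssl variable holding the CN only
DN_VAR = "SSL_CLIENT_S_DN"     # mod_ssl variable holding the full subject DN


def resolve_username(environ, options):
    """Pick the login name from the variable named by EnvVarForUserName.

    Hypothetical helper: falls back to the CN-only variable when the
    option is unset, which keeps the backwards-compatible behaviour.
    """
    if environ.get("SSL_CLIENT_VERIFY") != "SUCCESS":
        raise PermissionError("client certificate was not verified")
    var = options.get("EnvVarForUserName", CN_VAR)
    name = environ.get(var, "").strip()
    if not name:
        raise PermissionError("%s is empty or not exported" % var)
    return name


def shared_usernames(requests, options):
    """Return {username: sorted DNs} for names claimed by more than one DN."""
    owners = defaultdict(set)
    for environ in requests:
        owners[resolve_username(environ, options)].add(environ[DN_VAR])
    return {user: sorted(dns) for user, dns in owners.items() if len(dns) > 1}


def make_env(dn):
    """Build a constructed mod_ssl-style environment for a '/'-separated DN."""
    cn = dn.rsplit("/CN=", 1)[1]
    return {"SSL_CLIENT_VERIFY": "SUCCESS", DN_VAR: dn, CN_VAR: cn}


# Constructed sample: two different certificates whose subjects share a CN.
REQUESTS = [
    make_env("/C=GR/O=ExampleGrid/OU=physics.example.org/CN=Jane Doe"),
    make_env("/C=GR/O=ExampleGrid/OU=chem.example.org/CN=Jane Doe"),
]

if __name__ == "__main__":
    print("CN only:", shared_usernames(REQUESTS, {}))
    print("full DN:", shared_usernames(REQUESTS, {"EnvVarForUserName": DN_VAR}))
```
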



