Posted to modperl@perl.apache.org by Tom Schindl <to...@gmx.at> on 2006/03/26 12:07:02 UTC

Re: Controlling subversion access

Hi Dennis,

first of all it would be nice if you could tell us what version of
Apache/mod-perl you are running. Second I'm not sure I understand what
you are trying to do because I'm not very familiar with SSL and DAV.

If I'm not completely mistaken things like $ENV{SSL_CLIENT_S_DN} are set
at request time and not on startup where the perl-sections in your
httpd.conf are parsed. What you need to implement is a handler which is
working after mod_ssl has done its job and before mod_dav is doing its
job but therefore you must know in which phase of Apache they are working.

If you elaborate a bit more I'm sure we (mod_perl) can help you ;-)

Tom

Dennis Sinelnikov wrote:
> Dear fellow developers,
> 
> Here is what I'm trying to do in my httpd-ssl.conf:
> 
> <Perl>
> $client_dn = $ENV{SSL_CLIENT_S_DN};
> $client_dn =~ /.*UID=(.*)$/;
> $client_uid = $1;
> 
> $Location{"/svnroot"} = {
>     DAV                => 'svn',
>     SVNPath            => '/home/svnroot',
>     SSLUserName        => $client_uid,
>     AuthzSVNAccessFile => '/usr/local/apache2/conf/svnauthorization',
> };
> </Perl>
> 
> Obviously, the above code is not quite right (otherwise I would not be
> emailing everyone ;)
> 
> Basically, I'm trying to parse the UID off of the Client's certificate
> DN and use it to set SSLUserName, so I can later use that uid in the
> svnauthorization file to control read/write privileges of my subversion
> repository on a per-user basis.  The reason why I need to parse the UID off
> of the DN is because for some reason SSL_CLIENT_S_DN_UID is not getting
> set, but I see it in my log when I log the full DN (bug?).  If anyone
> had to do similar authorization using the client cert, please let me
> know and any suggestions are welcome.
> 
> Thanks much!
> 
> Dennis
> 



RE: Controlling subversion access

Posted by Dennis Sinelnikov <de...@augustschell.com>.
" What you need to implement is a handler which is
working after mod_ssl has done it's job and before mod_dav is doing its
job but therefore you must know in which phase of Apache they are working."

Ahhh, thanks for pointing me in the right direction. (light bulb lit up) ;)

-----Original Message-----
From: Tom Schindl [mailto:tomAtLinux@gmx.at] 
Sent: Sunday, March 26, 2006 5:07 AM
To: Dennis Sinelnikov
Cc: modperl@perl.apache.org
Subject: Re: Controlling subversion access


RE: Controlling subversion access

Posted by Dennis Sinelnikov <de...@augustschell.com>.
Doh!  I skimmed over that chapter b/c I don't care about username/password
authentication.

Thanks Issac!
-----Original Message-----
From: Issac Goldstand [mailto:margol@beamartyr.net] 
Sent: Sunday, March 26, 2006 6:56 PM
To: Dennis Sinelnikov
Cc: modperl@perl.apache.org
Subject: Re: Controlling subversion access


Re: Controlling subversion access

Posted by Issac Goldstand <ma...@beamartyr.net>.
PerlAuthenHandler requires that you have at least one require directive
and an AuthType directive in place, else it won't be called.

See
http://perl.apache.org/docs/2.0/user/handlers/http.html#PerlAuthenHandler

(paragraph beginning with "It's not enough to enable this handler for
the authentication to work.")

  Issac

Dennis Sinelnikov wrote:
> Cool, thanks Torsten!
> 
> I ended up using PerlAccessHandler. 
> 
> I ran into problems using PerlAuthenHandler, maybe because I'm using a
> client certificate to authenticate the user (SSLCACertificateFile,
> SSLVerifyClient directives).  Thoughts?
> 
> -Dennis
> 
> Log errors when trying to use PerlAuthenHandler:
> [Sun Mar 26 18:07:41 2006] [error] [client 69.140.49.249] Could not fetch
> resource information.  [301, #0]
> [Sun Mar 26 18:07:41 2006] [error] [client 69.140.49.249] (2)No such file or
> directory: Requests for a collection must have a trailing slash on the URI.
> [301, #0]
>  
> 
> -----Original Message-----
> From: Torsten Foertsch [mailto:torsten.foertsch@gmx.net] 
> Sent: Sunday, March 26, 2006 3:02 PM
> To: modperl@perl.apache.org
> Subject: Re: Controlling subversion access
> 
> On Sunday 26 March 2006 21:37, Dennis Sinelnikov wrote:
>> Right, read the doc over 20 times already :)
>> It could be my environment or the client cert I'm using.
>> I did try different environment configurations (i.e. older openssl
>> versions). I got tired of looking through apache's c code and
>> openssl code, to see if I could pinpoint where the problem is.
>> In any case, it wasn't getting set while I know UID is there
>> because I see it when I log the full DN.
>>
>> So that's why I decided to go mod_perl route, which I like b/c
>> I have more control and flexibility, plus the best part --
>> I'm learning mod_perl in the meantime :)
> 
> Well, if you want to do it in Perl you need to write a PerlAuthenHandler to 
> set $r->user. To access mod_ssl variables at this stage you need 
> Apache2::ModSSL or Apache::SSLLookup.
> 
> Torsten

RE: Controlling subversion access

Posted by Dennis Sinelnikov <de...@augustschell.com>.
Cool, thanks Torsten!

I ended up using PerlAccessHandler. 

I ran into problems using PerlAuthenHandler, maybe because I'm using a
client certificate to authenticate the user (SSLCACertificateFile,
SSLVerifyClient directives).  Thoughts?

-Dennis

Log errors when trying to use PerlAuthenHandler:
[Sun Mar 26 18:07:41 2006] [error] [client 69.140.49.249] Could not fetch
resource information.  [301, #0]
[Sun Mar 26 18:07:41 2006] [error] [client 69.140.49.249] (2)No such file or
directory: Requests for a collection must have a trailing slash on the URI.
[301, #0]
 

-----Original Message-----
From: Torsten Foertsch [mailto:torsten.foertsch@gmx.net] 
Sent: Sunday, March 26, 2006 3:02 PM
To: modperl@perl.apache.org
Subject: Re: Controlling subversion access


Re: Controlling subversion access

Posted by Torsten Foertsch <to...@gmx.net>.
On Sunday 26 March 2006 21:37, Dennis Sinelnikov wrote:
> Right, read the doc over 20 times already :)
> It could be my environment or the client cert I'm using.
> I did try different environment configurations (i.e. older openssl
> versions). I got tired of looking through apache's c code and
> openssl code, to see if I could pinpoint where the problem is.
> In any case, it wasn't getting set while I know UID is there
> because I see it when I log the full DN.
>
> So that's why I decided to go mod_perl route, which I like b/c
> I have more control and flexibility, plus the best part --
> I'm learning mod_perl in the meantime :)

Well, if you want to do it in Perl you need to write a PerlAuthenHandler to 
set $r->user. To access mod_ssl variables at this stage you need 
Apache2::ModSSL or Apache::SSLLookup.

Torsten
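The request-time handler that Tom, Torsten and Issac describe above, written out as an added example; it is not code from the thread, from mod_perl or from Apache2::ModSSL. It is a PerlAuthenHandler that asks mod_ssl for the verified client subject DN during the authentication phase, parses the UID component out of the slash-separated form that mod_ssl 2.2 uses for SSL_CLIENT_S_DN, and sets $r->user so that mod_authz_svn can apply AuthzSVNAccessFile. The module name My::SSLClientAuth, the identifier rule for the uid, and the sample DN in the offline check are assumptions; the is_https and ssl_var_lookup calls are used as Apache2::ModSSL documents them. The config fragment in the comment reuses the paths from the thread and adds the AuthType and Require directives without which the authen phase is never entered.

```perl
package My::SSLClientAuth;    # hypothetical module name, not from the thread
use strict;
use warnings;

# Illustrative httpd-ssl.conf fragment (file lives at My/SSLClientAuth.pm in @INC):
#
#   PerlModule My::SSLClientAuth
#   <Location /svn>
#     SSLVerifyClient require
#     AuthType Basic              # PerlAuthenHandler is not called without
#     AuthName "Subversion"       # an AuthType and a Require directive
#     Require valid-user
#     PerlAuthenHandler My::SSLClientAuth
#     DAV svn
#     SVNPath /home/svnroot
#     AuthzSVNAccessFile /usr/local/apache2/conf/svnauthorization
#   </Location>

# Load the Apache API only under mod_perl so the DN parser can also be
# exercised from the command line (perl My/SSLClientAuth.pm).
BEGIN {
    if ($ENV{MOD_PERL}) {
        require Apache2::RequestRec;
        require Apache2::Connection;
        require Apache2::Log;
        require Apache2::ModSSL;    # adds is_https() and ssl_var_lookup() to connections
        require Apache2::Const;
        Apache2::Const->import(-compile => qw(OK DECLINED HTTP_FORBIDDEN));
    }
}

# Split a subject in mod_ssl's slash-separated form, such as
#   /C=US/O=Example Inc/UID=dennis/CN=Dennis Sinelnikov
# into { C => 'US', O => 'Example Inc', UID => 'dennis', CN => '...' }.
# A '/' starts a new component only when "TYPE=" follows it, so a '/' inside
# a value is kept, and the first occurrence of a type wins, so a later
# component cannot redefine UID.
sub parse_oneline_dn {
    my ($dn) = @_;
    my %attr;
    for my $component (split m{/(?=[A-Za-z0-9.]+=)}, $dn) {
        next if $component eq '';
        my ($type, $value) = split /=/, $component, 2;
        $attr{uc $type} = $value unless exists $attr{uc $type};
    }
    return \%attr;
}

# PerlAuthenHandler: runs once per request, after the TLS handshake and
# before mod_authz_svn consults AuthzSVNAccessFile.
sub handler {
    my ($r) = @_;
    my $c = $r->connection;

    return Apache2::Const::DECLINED() unless $c->is_https;

    # mod_ssl copies SSL_* into subprocess_env only in the fixup phase, which
    # runs after authentication, so the values are fetched from mod_ssl directly.
    my $verify = $c->ssl_var_lookup('SSL_CLIENT_VERIFY') || '';
    my $dn     = $c->ssl_var_lookup('SSL_CLIENT_S_DN')   || '';
    unless ($verify eq 'SUCCESS' && length $dn) {
        $r->log_error("client certificate not verified (SSL_CLIENT_VERIFY=$verify)");
        return Apache2::Const::HTTP_FORBIDDEN();
    }

    # Accept only a plain identifier (assumed rule), so nothing that looks like
    # a path, group or alias separator is ever matched against the authz file.
    my $uid = parse_oneline_dn($dn)->{UID};
    unless (defined $uid && $uid =~ /\A[A-Za-z0-9][A-Za-z0-9._-]{0,63}\z/) {
        $r->log_error("no usable UID in client certificate subject '$dn'");
        return Apache2::Const::HTTP_FORBIDDEN();
    }

    $r->user($uid);    # mod_authz_svn matches this against the rules in AuthzSVNAccessFile
    return Apache2::Const::OK();
}

# Offline check of the parser; runs only when the file is executed directly.
unless (caller) {
    my $dn   = '/C=US/O=Example Inc/UID=dennis/CN=Dennis Sinelnikov';    # constructed sample
    my $attr = parse_oneline_dn($dn);
    my ($greedy) = $dn =~ /.*UID=(.*)$/;    # the regex from the original post
    print "parsed UID   : $attr->{UID}\n";
    print "greedy regex : $greedy\n";
}

1;
```

The offline check shows why the regex from the first post is not enough on its own: `/.*UID=(.*)$/` captures everything after the last `UID=`, so on a subject where a CN component follows the UID the captured "uid" still carries the `/CN=...` tail, and that is what would be compared with the authz rules. Parsing the subject into components avoids that, and the identifier check keeps a malformed value from reaching mod_authz_svn at all. With the handler setting $r->user itself, the SSLUserName directive is no longer needed in the Location block.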

RE: Controlling subversion access

Posted by Dennis Sinelnikov <de...@augustschell.com>.
Right, read the doc over 20 times already :)
It could be my environment or the client cert I'm using.
I did try different environment configurations (i.e. older openssl
versions). I got tired of looking through apache's c code and 
openssl code, to see if I could pinpoint where the problem is.
In any case, it wasn't getting set while I know UID is there
because I see it when I log the full DN.

So that's why I decided to go mod_perl route, which I like b/c
I have more control and flexibility, plus the best part --
I'm learning mod_perl in the meantime :)

-Dennis

-----Original Message-----
From: Torsten Foertsch [mailto:torsten.foertsch@gmx.net] 
Sent: Sunday, March 26, 2006 2:26 PM
To: modperl@perl.apache.org
Subject: Re: Controlling subversion access


Re: Controlling subversion access

Posted by Torsten Foertsch <to...@gmx.net>.
On Sunday 26 March 2006 17:13, Dennis Sinelnikov wrote:
> Here is the code in my httpd-ssl.conf that works:
> <Location /svn>
>   DAV svn
>   SVNPath /home/svnroot
>   SSLUserName SSL_CLIENT_S_DN_CN
>   AuthzSVNAccessFile /usr/local/apache2/conf/svnauthorization
> </Location>
>
> However, I need the UID, and SSL_CLIENT_S_DN_UID is not getting set,
> that's why I decided to go the <Perl> route.
> I need to mimic exactly the same thing as above but only parse the
> SSL_CLIENT_S_DN to get the UID and set SSLUserName.

And

  SSLUserName SSL_CLIENT_S_DN_UID

does not work? According to the docs that should work.

Torsten

RE: Controlling subversion access

Posted by Dennis Sinelnikov <de...@augustschell.com>.
Hello Tom & mod_perlers,

Here is what I'm running:
Apache 2.2.0
mod_perl 2.0
OpenSSL 0.9.7a
mod_ssl 2.2.0

Ok, more info... 

Here is the code in my httpd-ssl.conf that works:
<Location /svn>
  DAV svn
  SVNPath /home/svnroot
  SSLUserName SSL_CLIENT_S_DN_CN
  AuthzSVNAccessFile /usr/local/apache2/conf/svnauthorization
</Location>

However, I need the UID, and SSL_CLIENT_S_DN_UID is not getting set, 
that's why I decided to go the <Perl> route.
I need to mimic exactly the same thing as above but only parse the
SSL_CLIENT_S_DN to get the UID and set SSLUserName.

Thanks all,
Dennis
-----Original Message-----
From: Tom Schindl [mailto:tomAtLinux@gmx.at] 
Sent: Sunday, March 26, 2006 5:07 AM
To: Dennis Sinelnikov
Cc: modperl@perl.apache.org
Subject: Re: Controlling subversion access