Posted to dev@httpd.apache.org by Graham Leggett <mi...@sharp.fm> on 2005/01/27 17:53:21 UTC

Client certs: no joy from FakeBasicAuth

Hi all,

Using httpd v2.1 and the config below, I am trying to achieve the faking
of basic authentication from client certificates for the purposes of
protecting a subversion repo. Authn takes place by possessing a valid
client cert that is not revoked.

Using client certs on their own solves the authn problem, but because
httpd has not been told to authenticate, no username or CN is passed to
SVN, and all commits are anonymous.

Adding SSLOption +FakeBasicAuth on its own makes no difference - SVN
still does not see or log a username.

Adding SSLOption +FakeBasicAuth in conjunction with mod_authn_anon should
in theory cause httpd to accept any user, that user populated via
FakeBasicAuth. This doesn't work either: A username/password window is
popped up by the browser, which we do not want.

Can anybody confirm whether FakeBasicAuth actually works in httpd v2.1?

# Subversion setup
<Location /repos>
    DAV svn
    SVNParentPath /var/svn
    SSLRequire %{SSL_CLIENT_VERIFY} eq "SUCCESS"
    SSLOptions +FakeBasicAuth +StdEnvVars
    Options Indexes FollowSymLinks
    Order allow,deny
    Allow from all

    # We have already done authn via a client certificate, but httpd
    # doesn't know that and therefore neither does subversion. To get
    # around this, we use the mod_authn_anon module to expect a login,
    # SSLOption +FakeBasicAuth to populate the username from the cert,
    # and "Anonymous *" to let all users in. This keeps httpd happy.
    AuthName "Subversion"
    AuthType Basic
    AuthBasicProvider anon
    Anonymous "*"
    Require valid-user

</Location>

Regards,
Graham
--
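
What FakeBasicAuth hands to the auth layer, as an added sketch (not part of the original post, and not httpd code): per the mod_ssl documentation the synthesized username is the certificate's full Subject DN in OpenSSL one-line form and the password is the fixed string "password". The sample DN and all helper names are constructed for illustration.

```python
import base64

FAKE_PASSWORD = "password"                 # fixed value documented for FakeBasicAuth
SAMPLE_DN = "/C=ZA/O=Example Org/CN=alice"  # constructed sample, one-line DN form


def synthesized_header(subject_dn):
    """Authorization value equivalent to what FakeBasicAuth generates for a DN."""
    raw = "{}:{}".format(subject_dn, FAKE_PASSWORD).encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def parse_basic(value):
    """Split a Basic header into (user, password) the way Basic auth does:
    at the FIRST colon, so a DN containing ':' yields a truncated username."""
    scheme, _, blob = value.partition(" ")
    if scheme.lower() != "basic" or not blob:
        raise ValueError("not a Basic Authorization header")
    decoded = base64.b64decode(blob.strip(), validate=True).decode("utf-8")
    user, sep, password = decoded.partition(":")
    if not sep:
        raise ValueError("missing ':' separator")
    return user, password


def cn_from_dn(subject_dn):
    """First CN component of a one-line DN, or None. Simplified: assumes
    attribute values do not themselves contain '/'."""
    for part in subject_dn.split("/"):
        key, sep, val = part.partition("=")
        if sep and key == "CN":
            return val
    return None


def mimics_fake_credential(user, password):
    """True when a client-supplied credential has the same shape as the
    synthesized one (DN-style username plus the fixed password); useful
    when reviewing logged Authorization headers."""
    return user.startswith("/") and password == FAKE_PASSWORD


if __name__ == "__main__":
    user, pw = parse_basic(synthesized_header(SAMPLE_DN))
    print("username seen by the auth provider:", user)
    print("short name a commit log would likely want:", cn_from_dn(user))
```

The username that reaches the auth provider is the whole DN rather than the CN, which is worth keeping in mind when comparing it with what SVN logs.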