Your message dated Wed, 10 Aug 2016 12:05:09 +0200
with message-id <4321080.qHQQjC9kST@k>
and subject line apache2-mpm-prefork: SSLUserName directive does not change 
REMOTE_USER
has caused the Debian Bug report #310650,
regarding apache2-mpm-prefork: SSLUserName directive does not change REMOTE_USER
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
310650: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=310650
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: apache2-mpm-prefork
Version: 2.0.54-4
Severity: important


Up until yesterday I was using the configuration setting:

        <Directory /soma/www/cgi-bin>

          SSLRequireSSL
          SSLVerifyClient require
          SSLVerifyDepth       5
          SSLOptions           +FakeBasicAuth
          SSLUserName   SSL_CLIENT_S_DN_Email
          AuthName             "Soma Authentication"
          AuthType             Basic
          AuthUserFile         /soma/projects/soma/httpd.password
          require              valid-user

        </Directory>

and Apache would rewrite the REMOTE_USER environment variable to be the e-mail 
address included in the client cert. According to the Apache docs, this is the 
expected behavior. 

However, after an apt-get upgrade, this behavior no longer works, and instead 
REMOTE_USER is always the full DN of the cert. 

I have tested this with both a CGI Perl script and two different test scripts 
under mod_python, so it appears to not be confined to either of those. Our 
entire authentication system was based on first validating certs against the 
httpd.password file using fakebasic auth and then passing on the E-mail address 
to our code as a unique ID for the user.

Has anyone else had this problem? I've also tried with other cert fields (such 
as CN) to no avail. 
Thanks!
                ...Eric

-- System Information:
Debian Release: 3.1
Architecture: i386 (i686)
Kernel: Linux 2.6.11.3-modulation-acpi
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)


--- End Message ---
--- Begin Message ---
version: 2.4.6-1

This should now work using the AuthBasicFake directive.

--- End Message ---
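
An added example, not part of the bug report or of Apache: an application-side check that fails closed when REMOTE_USER arrives as a certificate DN instead of the e-mail address the application keys on, which is the regression the report describes. The function names, the e-mail pattern and the sample environments are assumptions made for this illustration.

```python
import re

# Conservative shape check for the e-mail identifier the application expects
# (assumed pattern; tighten it to the addresses your CA actually issues).
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+")
# A subject DN carries attribute=value pairs, either slash-separated
# ("/C=US/CN=...") or comma-separated ("CN=...,C=US").
DN_RE = re.compile(r"(?:^|[/,])\s*[A-Za-z][A-Za-z0-9.]*=")


class IdentityError(Exception):
    """Raised when the server-supplied identity cannot be used as a user ID."""


def classify_remote_user(value):
    """Return 'empty', 'email', 'dn' or 'unknown' for a REMOTE_USER value."""
    if not value:
        return "empty"
    if EMAIL_RE.fullmatch(value):
        return "email"
    if DN_RE.search(value):
        return "dn"
    return "unknown"


def resolve_user_id(environ):
    """Return the e-mail user ID, or raise IdentityError (fail closed)."""
    remote_user = environ.get("REMOTE_USER", "")
    kind = classify_remote_user(remote_user)
    if kind != "email":
        # Do not try to parse an address out of a DN string: refuse instead,
        # so a server-side change cannot silently alter user identities.
        raise IdentityError("REMOTE_USER is %s, expected an e-mail address" % kind)
    # SSL_CLIENT_S_DN_Email is only visible to the application when mod_ssl
    # exports its variables (SSLOptions +StdEnvVars); if present it must agree.
    cert_email = environ.get("SSL_CLIENT_S_DN_Email")
    if cert_email is not None and cert_email != remote_user:
        raise IdentityError("REMOTE_USER does not match the certificate e-mail")
    return remote_user


# Constructed sample environments (not taken from the bug report).
GOOD = {"REMOTE_USER": "eric@example.org",
        "SSL_CLIENT_S_DN_Email": "eric@example.org"}
REGRESSED = {"REMOTE_USER": "/C=US/O=Example/CN=Eric/emailAddress=eric@example.org"}
```

Calling resolve_user_id(os.environ) at the top of each CGI handler turns the behaviour change into a rejected request rather than a lookup under the wrong key.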
