Bug 1242503

Summary: Add support for Microsoft User Principal Name in SSLUserName
Product: Red Hat Enterprise Linux 7 Reporter: Jan Pazdziora (Red Hat) <jpazdziora>
Component: httpdAssignee: Luboš Uhliarik <luhliari>
Status: CLOSED ERRATA QA Contact: Martin Frodl <mfrodl>
Severity: unspecified Docs Contact: Lenka Špačková <lkuprova>
Priority: unspecified    
Version: 7.1CC: isenfeld, jkaluza, jorton, jpazdziora, lkuprova
Target Milestone: rc   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: httpd-2.4.6-38.el7 Doc Type: Enhancement
Doc Text:
Apache HTTP Server now supports UPN Names stored in the `subject alternative name` portion of SSL/TLS client certificates, such as the Microsoft User Principle Name, can now be used from the SSLUserName directive and are now available in *mod_ssl* environment variables. Users can now authenticate with their Common Access Card (CAC) or certificate with a UPN in it, and have their UPN used as authenticated user information, consumed by both the access control in Apache and using the `REMOTE_USER` environment variable or a similar mechanism in applications. As a result, users can now set `SSLUserName SSL_CLIENT_SAN_OTHER_msUPN_0` for authentication using UPN.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2015-11-19 04:38:24 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Attachments:
Description Flags
backport of latest patch from trunk none

Description Jan Pazdziora (Red Hat) 2015-07-13 12:55:20 UTC 
Description of problem:

Apache HTTP Server will get support for retrieving Microsoft User Principal Name in mod_ssl codebase, per http://mail-archives.apache.org/mod_mbox/httpd-dev/201507.mbox/browser. That makes it possible for the user to authenticate with their CAC or certificate which UPN in it, and have their UPN used as authenticated user information, and consumed by both the access control in Apache, and via REMOTE_USER or similar mechanism in applications.

It'd be good to have at least the part that allows

  SSLUserName SSL_CLIENT_SAN_OTHER_msUPN_0

backported to Apache in RHEL 7.

Version-Release number of selected component (if applicable):

mod_ssl-2.4.6-31.el7.x86_64

How reproducible:

Deterministic.

Steps to Reproduce:
1. Have client certificate with UPN attribute set to user.
2. Configure authentication via client SSL certificate and set

  SSLVerifyClient require
  SSLUserName SSL_CLIENT_SAN_OTHER_msUPN_0

3. Restart httpd, authenticate with that certificate.
4. Check the request in ssl_access_log.

Actual results:

10.11.12.13 - - [13/Jul/2015 ...

and ssl_error_log complaining

Failed to set r->user to 'SSL_CLIENT_SAN_OTHER_msUPN_0'

Expected results:

10.11.12.13 - user [13/Jul/2015 ...

Additional info:
Comment 3 Joe Orton 2015-08-05 08:00:01 UTC 
Thanks for sending this upstream, Jan!

Now upstream as: https://svn.apache.org/r1693792
Comment 4 Jan Kaluža 2015-08-18 12:26:36 UTC 
Created attachment 1064303 [details]
backport of latest patch from trunk
Comment 14 errata-xmlrpc 2015-11-19 04:38:24 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-2194.html