Description of problem:
When using certificate based authentication with mod_ssl, FakeBasicAuth will ONLY use the subject DN of the certificate. In some cases this results in absolutely horrid usernames. SSLUserName should be honored when using FakeBasicAuth.

Related upstream bug is http://issues.apache.org/bugzilla/show_bug.cgi?id=31418

Version-Release number of selected component (if applicable):
2.0.52-22

How reproducible:
Always

Steps to Reproduce:
1. Enable SSLVerifyClient in /etc/httpd/conf.d/ssl.conf
2. Enable FakeBasicAuth in SSLOptions in /etc/httpd/conf.d/ssl.conf
3. Set SSLUserName to SSL_CLIENT_S_DN_CN
4. Log in with certificate

Actual results:
Username is still Subject DN

Expected results:
Username = value set in SSLUserName

Additional info:
Username should be configurable to various fields in the certificate with FakeBasicAuth to make administration and integration easier.
Created attachment 132237: Patch adapted from upstream
The component this request has been filed against is not planned for inclusion in the next update. The decision is based on weighting the priority and number of requests for a component as well as the impact on the Red Hat Enterprise Linux user-base: other components are considered having higher priority and the number of changes we intend to include in update cycles is limited.
Product Management has reviewed and declined this request. You may appeal this decision by reopening this request.
This is for an ongoing HSPD-12 implementation, and is fairly important. This has been opened via paid support as well. If there's a technical reason why this isn't being implemented, or it causes issues, but WONTFIX for a paid support sister issue for HSPD-12 compliance with no reason leaves a very bitter taste. This is a good patch that works with no interference to any user other than people using PKI authentication, and for them it provides more options. I fail to see the problem here.
BZ is apparently not allowing me to re-open this ticket, even though I'm the original submitter. Consider it reopened please.