Bug#310650: marked as done (apache2-mpm-prefork: SSLUserName directive does not change REMOTE_USER)

To: Stefan Fritsch <sf@sfritsch.de>
Subject: Bug#310650: marked as done (apache2-mpm-prefork: SSLUserName directive does not change REMOTE_USER)
From: owner@bugs.debian.org (Debian Bug Tracking System)
Date: Wed, 10 Aug 2016 10:09:04 +0000
Message-id: <[🔎] handler.310650.D310650.147082351720093.ackdone@bugs.debian.org>
References: <4321080.qHQQjC9kST@k> <200505250016.j4P0GbnV010959@outgoing-legacy.mit.edu>

Your message dated Wed, 10 Aug 2016 12:05:09 +0200
with message-id <4321080.qHQQjC9kST@k>
and subject line apache2-mpm-prefork: SSLUserName directive does not change REMOTE_USER
has caused the Debian Bug report #310650,
regarding apache2-mpm-prefork: SSLUserName directive does not change REMOTE_USER
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
310650: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=310650
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems

--- Begin Message ---

To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: apache2-mpm-prefork: SSLUserName directive does not change REMOTE_USER
From: Eric Jonas <jonas@MIT.EDU>
Date: Tue, 24 May 2005 20:18:08 -0400
Message-id: <200505250016.j4P0GbnV010959@outgoing-legacy.mit.edu>

Package: apache2-mpm-prefork
Version: 2.0.54-4
Severity: important


Up until yesterday I was using the configuration setting:

        <Directory /soma/www/cgi-bin>

          SSLRequireSSL
          SSLVerifyClient require
          SSLVerifyDepth       5
          SSLOptions           +FakeBasicAuth
          SSLUserName   SSL_CLIENT_S_DN_Email
          AuthName             "Soma Authentication"
          AuthType             Basic
          AuthUserFile         /soma/projects/soma/httpd.password
          require              valid-user

        </Directory>

and Apache would rewrite the REMOTE_USER environment variable to be the e-mail address included in the client cert. According to the apache docs, this is the expected behavior. 

However, after an apt-get upgrade, this behavior no longer works, and instead REMOTE_USER is always the full DN of the cert. 

I have tested this with both a cgi perl script and two different test scripts under mod_python, so it appears to not be confined to either of those. Our entire authentication system was based on first validating certs against the httpd.password file using fakebasic auth and then passing on the E-mail address to our code as a unique ID for the user.

Has anyone else had this problem? I've also tried with other cert fields (such as CN) to no avail. 
Thanks!
		...Eric

-- System Information:
Debian Release: 3.1
Architecture: i386 (i686)
Kernel: Linux 2.6.11.3-modulation-acpi
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)

--- End Message ---

--- Begin Message ---

To: 310650-done@bugs.debian.org

Subject: apache2-mpm-prefork: SSLUserName directive does not change REMOTE_USER

From: Stefan Fritsch <sf@sfritsch.de>

Date: Wed, 10 Aug 2016 12:05:09 +0200

Message-id: <4321080.qHQQjC9kST@k>
version: 2.4.6-1

This should now work using the AuthBasicFake directive.
--- End Message ---

Reply to:

Prev by Date: Bug#760901: marked as done (apache2: On kfreebsd fails to start with default config due to wrong locking mechanism)
Next by Date: Bug#827446: libapache2-mod-php5: postinst script changes MPM back to prefork, even with updates
Previous by thread: Bug#760901: marked as done (apache2: On kfreebsd fails to start with default config due to wrong locking mechanism)
Next by thread: Bug#827446: libapache2-mod-php5: postinst script changes MPM back to prefork, even with updates
Index(es):
- Date
- Thread