(May have mislabeled the component, not sure if it is in authn_core or authz_core)

What I'm trying to do:

    <RequireAll>
        Require ssl-verify-client
        Require valid-user
        Require expr ( \
            (%{SSL_CLIENT_S_DN_O} == "Company") && \
            (%{SSL_CLIENT_S_DN_OU} == "Staff") && \
            (%{REMOTE_USER} == %{SSL_CLIENT_S_DN_CN}) \
        )
    </RequireAll>

Need a valid client cert + login; the login needs to be the CN of the certificate.

What I expect to happen: this should work.

What I see: %{REMOTE_USER} is empty!

> The expression parser provides a number of variables of the form %{HTTP_HOST}. Note that the value of a variable may depend on the phase of the request processing in which it is evaluated. For example, an expression used in an <If > directive is evaluated before authentication is done. Therefore, %{REMOTE_USER} will not be set in this case.

It's noted in the docs that it can be empty... however:

    Require user hardcodeduser

works fine... the information seems to be available at this stage. So why isn't it exported?

For completeness: I also tried "Require user %{SSL_CLIENT_S_DN_CN}" but that didn't work... I wasn't expecting it to work though.

I don't think what I'm trying to do is unreasonable; if there is a way to do it, it would be awesome. Hopefully this is really a bug and not a limitation!
The Require statements are actually executed twice, once before auth and once after auth. Auth is only triggered if a Require statement says that its result may change after auth and the change of this statement would actually make a difference in the end result. However, Require expr currently lacks the necessary logic for this.

You could try (untested):

    <RequireAll>
        Require ssl-verify-client
        Require valid-user
        <RequireAny>
            Require user workaround_for_PR_52892
            Require expr ...
        </RequireAny>
    </RequireAll>

Then the Require user would trigger auth. Of course, workaround_for_PR_52892 must not exist as a user or you have a security problem.
(In reply to comment #1)
> The Require statements are actually executed twice, once before auth and once
> after auth. Auth is only triggered if a Require statement says that its result
> may change after auth and the change of this statement would actually make a
> difference in the end result. However, Require expr currently lacks the
> necessary logic for this.

Will it support it in the future?

> You could try (untested):
>
>     <RequireAll>
>         Require ssl-verify-client
>         Require valid-user
>         <RequireAny>
>             Require user workaround_for_PR_52892
>             Require expr ...
>         </RequireAny>
>     </RequireAll>
>
> Then the Require user would trigger auth. Of course, workaround_for_PR_52892
> must not exist as a user or you have a security problem.

I've tested it and it works!

cert for user1 with user2 as login --> fail
cert for user1 with user1 as login --> success
(In reply to comment #2)
> > However, Require expr currently lacks the
> > necessary logic for this.
>
> Will it support it in the future?

Yes.
fixed in trunk as r1351072
Fixed for 2.4 in r1364266. Released with 2.4.3. Does not apply to 2.2.x.
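For readers landing here from a search, the following is a complete vhost putting the workaround from comments #1 and #2 in context. It is an added example written for this page, not configuration from the reporter or from the httpd project. The hostname, certificate and password-file paths, the "/staff" location, the CA depth and the O=Company / OU=Staff attribute values are assumptions chosen for illustration; only the RequireAll / RequireAny structure and the dummy user name come from the thread.

```apache
# Added example (not from the bug report or httpd). Assumed environment:
#   - TLS vhost with a server cert/key under /etc/ssl/
#   - /etc/ssl/staff-ca.crt issues client certs with
#     O=Company, OU=Staff, CN=<login name>
#   - /etc/httpd/staff.passwd is the htpasswd file holding those logins
# All of the above paths and values are assumptions.
<VirtualHost *:443>
    ServerName intranet.example.com

    SSLEngine on
    SSLCertificateFile    /etc/ssl/server.crt
    SSLCertificateKeyFile /etc/ssl/server.key

    # "optional" asks for a client cert but lets the authorization layer
    # decide; "Require ssl-verify-client" below turns a missing or
    # unverifiable cert into a 403 instead of a TLS handshake failure.
    SSLCACertificateFile  /etc/ssl/staff-ca.crt
    SSLVerifyClient       optional
    SSLVerifyDepth        1

    <Location "/staff">
        AuthType          Basic
        AuthName          "Staff area"
        AuthBasicProvider file
        AuthUserFile      /etc/httpd/staff.passwd

        <RequireAll>
            # 1. client cert present and chains to staff-ca.crt
            Require ssl-verify-client
            # 2. HTTP Basic credentials accepted (sets REMOTE_USER)
            Require valid-user

            # 3. cert subject matches policy and the CN equals the login.
            #
            # On 2.4.0-2.4.2 (PR 52892) "Require expr" alone does not tell
            # the authz core that its result depends on authentication, so
            # it is evaluated before auth and %{REMOTE_USER} is empty. The
            # inner RequireAny carries a "Require user" whose result does
            # depend on auth, which forces authentication to run first.
            #
            # SECURITY: "workaround_for_PR_52892" must never exist in
            # staff.passwd. If it did, that account alone would satisfy
            # the RequireAny and bypass the certificate/login binding.
            <RequireAny>
                Require user workaround_for_PR_52892
                Require expr "%{SSL_CLIENT_S_DN_O}  == 'Company' && \
                              %{SSL_CLIENT_S_DN_OU} == 'Staff'   && \
                              %{REMOTE_USER} == %{SSL_CLIENT_S_DN_CN}"
            </RequireAny>

            # On 2.4.3 and later (r1364266) the wrapper is unnecessary and
            # the expression can sit directly inside RequireAll:
            #
            # Require expr "%{SSL_CLIENT_S_DN_O}  == 'Company' && \
            #               %{SSL_CLIENT_S_DN_OU} == 'Staff'   && \
            #               %{REMOTE_USER} == %{SSL_CLIENT_S_DN_CN}"
        </RequireAll>
    </Location>
</VirtualHost>
```

Two checks worth running after deploying this: repeat the reporter's test matrix (cert for user1 with user1 login succeeds, cert for user1 with user2 login fails, no cert fails, no Basic credentials yields a 401 challenge), and grep the AuthUserFile for the dummy name to make sure the bypass described in comment #1 cannot occur. The dummy-user trick is only needed on 2.4 releases before 2.4.3; it does not apply to 2.2.x, which has no Require expr.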