I've noticed that support for getting subjectAltName entries Email and
Type landed in 2.4.13, via r1676087.

We've come across another type in subjectAltName, Microsoft Universal
Principal Name (OID which would be useful to
retrieve from the certificate and use for subsequent authorization
and identity operations against Active Directory.

I've filed

        When user authenticates with certificate which has their
        Microsoft Universal Principal Name in subjectAltName,
        that UPN cannot be used with SSLUserName for further
        access controls

and included a patch which extends the original SAN support to

I'd appreciate any comments about suitability of such a change, as well
as the implementation. Specifically, I'm not sure if people will
prefer the generic and currently proposed


which gets any value of otherName type, or perhaps going with


and checking the OID just for the UPNs. Based on that decision I plan
to then respin the patch with documentation changes included.

Thank you,

Jan Pazdziora
Senior Principal Software Engineer, Identity Management Engineering, Red Hat
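
Added illustration, not part of the message above or of the patch it mentions: a small DER walker over a subjectAltName value that contrasts the two choices discussed, returning every otherName versus only those whose type-id is the UPN OID. The function names are hypothetical, the OID 1.3.6.1.4.1.311.20.2.3 (msUPN) is an assumption because the message as shown does not give it, and the sample bytes, including the made-up arc 99999, are constructed.

```python
# Added example, not mod_ssl code; the certificate bytes are constructed.
MS_UPN_OID = "1.3.6.1.4.1.311.20.2.3"  # msUPN; assumed, not shown in the message

def read_tlv(buf, pos):
    """Return (tag, content, next_pos) for the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def decode_oid(body):
    """OBJECT IDENTIFIER content octets to dotted-decimal form."""
    arcs, value = [], 0
    for byte in body:
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:
            arcs, value = arcs + [value], 0
    first = min(arcs[0] // 40, 2)
    return ".".join(map(str, [first, arcs[0] - 40 * first] + arcs[1:]))

def other_names(san_der):
    """Generic choice: every otherName as (OID, value); non-UTF8String values as hex."""
    tag, names, _ = read_tlv(san_der, 0)
    if tag != 0x30:
        raise ValueError("GeneralNames is not a SEQUENCE")
    found, pos = [], 0
    while pos < len(names):
        tag, body, pos = read_tlv(names, pos)
        if tag != 0xA0:                    # keep only [0] otherName entries
            continue
        oid_tag, oid, nxt = read_tlv(body, 0)
        wrap_tag, wrapped, _ = read_tlv(body, nxt)   # [0] EXPLICIT value
        val_tag, val, _ = read_tlv(wrapped, 0)
        if oid_tag != 0x06 or wrap_tag != 0xA0:
            raise ValueError("malformed otherName")
        found.append((decode_oid(oid), val.decode() if val_tag == 0x0C else val.hex()))
    return found

def upn_names(san_der):
    """Restricted choice: only values whose type-id is the UPN OID."""
    return [value for oid, value in other_names(san_der) if oid == MS_UPN_OID]

def sample_san():  # constructed SAN: rfc822Name, UPN otherName, made-up otherName
    tlv = lambda tag, content: bytes([tag, len(content)]) + content
    upn = tlv(0x06, bytes.fromhex("2b060104018237140203")) + tlv(0xA0, tlv(0x0C, b"user@AD.EXAMPLE.TEST"))
    other = tlv(0x06, bytes.fromhex("2b06010401868d1f01")) + tlv(0xA0, tlv(0x04, b"\x01\x02"))
    return tlv(0x30, tlv(0x81, b"user@example.test") + tlv(0xA0, upn) + tlv(0xA0, other))
```

The generic accessor hands back the second otherName as well, whose value is not a string at all, so anything fed into authorization from it has to be matched against the expected type-id first; the restricted accessor does that match itself.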

