Hi all and welcome me to the list :),

I've been using koji for a few weeks and I needed X509 authentication. Unfortunately, current support for X509 was limited to:
a) Use of the CN part only from the subject DN as the username
Although traditionally CN can be the "username" of the user, there are cases (like in our PKI) where CN is just "Christos Triantafyllidis" and of course many users can have the same name but different DNs. To avoid this but also keep backwards compatibility, I have introduced a new variable to be exported by both the Apache config (for git-web) and hub.conf (for the rest of the tools) called EnvVarForUserName, which defines which variable to use as the username. For my case I have "EnvVarForUserName = SSL_CLIENT_S_DN", which uses the whole DN as the username.

b) Keep asking the user to provide their pass-phrase many times for the same operation
This leads (IMHO) many users to use password-less certificates. Unfortunately this is not acceptable according to our PKI policy, so I added a callback to cache the passphrase within each koji execution.

I have created some patches for both of these limitations and I have uploaded them to my git repository [1]. Feel free to use/clone them.

Best regards,
Christos Triantafyllidis

[1] http://git.afroditi.hellasgrid.gr/git/grid.auth.gr/koji.git
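
Added example, not part of the original message and not koji's code: a sketch of the username selection described in (a), showing two distinct subject DNs that share a CN collapsing into one account under CN-only mapping and staying separate under the full DN. EnvVarForUserName comes from the message; the CN default, the SSL_CLIENT_VERIFY check, the prefix restriction and all sample DNs are assumptions made for illustration.

```python
# Added illustration, not koji code. EnvVarForUserName is the option named in
# the message; the CN default and every sample value here are assumptions.
DEFAULT_USERNAME_VAR = "SSL_CLIENT_S_DN_CN"  # assumed: old CN-only behaviour


class AuthError(Exception):
    """Raised when no trustworthy username can be derived."""


def username_from_env(environ, config):
    """Map a TLS-authenticated request's environment to an account name."""
    # mod_ssl sets SSL_CLIENT_VERIFY to SUCCESS only for a verified chain.
    if environ.get("SSL_CLIENT_VERIFY") != "SUCCESS":
        raise AuthError("client certificate was not verified")
    var = config.get("EnvVarForUserName", DEFAULT_USERNAME_VAR)
    # Accept only mod_ssl subject variables, so a config typo cannot select
    # a request header (HTTP_*) that the client controls.
    if not var.startswith("SSL_CLIENT_S_DN"):
        raise AuthError("refusing non-subject variable: %s" % var)
    name = (environ.get(var) or "").strip()
    if not name:
        raise AuthError("%s is empty or unset" % var)
    return name


def _request(dn):
    """Constructed environment as mod_ssl would export it for subject dn."""
    return {
        "SSL_CLIENT_VERIFY": "SUCCESS",
        "SSL_CLIENT_S_DN": dn,
        "SSL_CLIENT_S_DN_CN": dn.rsplit("CN=", 1)[1],
    }


# Constructed sample: two different people, same CN, different DNs.
REQUESTS = [
    _request("/C=GR/O=Example Grid/OU=physics.example/CN=Alex Example"),
    _request("/C=GR/O=Example Grid/OU=chem.example/CN=Alex Example"),
]


def accounts(config):
    """Distinct account names the sample requests resolve to."""
    return {username_from_env(env, config) for env in REQUESTS}


if __name__ == "__main__":
    print(len(accounts({})))                                        # CN only
    print(len(accounts({"EnvVarForUserName": "SSL_CLIENT_S_DN"})))  # full DN
```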
