Hi,

thanks for your reply.

I use OpenVPN in username/password mode with client-cert-not-required and username-as-common-name. So by using the duplicate-cn=unset feature, multi_delete_dup already implements the lookup+drop functionality using the common-name, which is set to username in ssl.c:key_method_2_read after the authentication plugin is run. I basically would want the plugin to be able to override what set_common_name gets set to in ssl.c, so multi_delete_dup could use the plugin-generated value. The challenge is to combine this with the deferred authentication stuff, though timing already is fine.

Reimplementing using the plugin's own lookup table would do it, but would also be extra work that could be avoided.

Regards,
 M. Braun

