Hi, I'm sorry if the first was not clear enough. I'm going to try to be more precise. When using external software to handle the SSL authentication (mongrel, apache, etc.) we have to pass some SSL variables to the puppetmaster. From the puppet documentation: http://projects.puppetlabs.com/projects/puppet/wiki/Using_Passenger

[puppetmasterd]
ssl_client_header = SSL_CLIENT_S_DN
ssl_client_verify_header = SSL_CLIENT_VERIFY

So puppetmaster explicitly tries to authenticate a client using its Distinguished Name with this configuration. Then, as I stated in my previous mail, if you have a DN such as "/CN=mynode.example.com/O=MyOrg/L=Anywhere", you will run into problems. In order to make it work I made the following modification to the regex (puppet/network/http/rack/rest.rb and puppet/network/http/rack/xmlrpc.rb):

- if dn = request.env[Puppet[:ssl_client_header]] and dn_matchdata =dn.match(/^.*?CN\s*=\s*(.*)/)
+ if dn = request.env[Puppet[:ssl_client_header]] and dn_matchdata =dn.match(/^.*?CN\s*=\s*(.*)\/O/)

This way, the regex matches the CN and stops at the '/O' pattern, which is better in my case. However, I think it would be best if puppetmaster could be configured to use:

ssl_client_header = SSL_CLIENT_S_DN_CN

Be aware that if you do that with no modification whatsoever, puppetmaster will currently identify your node as "invalid.example.com".

Hope this is better explained.

Regards,
Nicolas B.
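Review bot: On the + line, the trailing \/O makes the match depend on an O (or OU) attribute following the CN, and (.*) is still greedy. A DN that ends with the CN, or where only /L=... follows it, no longer matches at all, and a DN ordered as /CN=.../L=.../O=... captures everything up to the last "/O", so the extracted node name would include "/L=...". Since this capture is the identity the master uses for the client, bound the capture by the separator instead, for example ([^\/]+), and add a comment in rest.rb and xmlrpc.rb stating which DN format the header is expected to carry.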

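The CN extraction discussed in this message, as an added example that is not part of the original mail and not Puppet's own code: it runs the regex from before the modification, the modified regex, and a separator-bounded alternative over constructed DNs. The names BOUNDED, extract and cn_from_dn are hypothetical, and the assumption that a CN value contains neither "/" nor "," is mine.

```ruby
# Added example, not Puppet code. All DNs below are constructed samples.
ORIGINAL = /^.*?CN\s*=\s*(.*)/      # regex before the modification
PATCHED  = /^.*?CN\s*=\s*(.*)\/O/   # regex from the message

# Assumption: attributes are separated by "/" (OpenSSL one-line form) or
# "," (RFC 2253 form) and the CN value contains neither character.
# CN must start an attribute, and the capture stops at the next separator.
BOUNDED = /(?:\A|[\/,])\s*CN\s*=\s*([^\/,]+)/

# Returns the first capture group with surrounding blanks removed, or nil.
def extract(regex, dn)
  m = dn.match(regex)
  m && m[1].strip
end

# Hypothetical helper: the CN if present and shaped like a hostname, else nil.
# Returning nil lets the caller treat the request as unauthenticated instead
# of trusting a name that swallowed neighbouring attributes.
def cn_from_dn(dn)
  cn = extract(BOUNDED, dn)
  cn if cn && cn.match?(/\A[A-Za-z0-9][A-Za-z0-9.\-]*\z/)
end

SAMPLE_DNS = [
  "/CN=mynode.example.com/O=MyOrg/L=Anywhere",  # DN quoted in the message
  "/CN=mynode.example.com/L=Anywhere/O=MyOrg",  # O is not directly after CN
  "/CN=mynode.example.com",                     # CN is the only attribute
  "/O=MyOrg/OU=Ops/CN=mynode.example.com",      # CN comes last
  "CN=mynode.example.com,O=MyOrg,L=Anywhere"    # comma-separated form
].freeze

# One row per DN: what each of the three approaches would use as node name.
def comparison
  SAMPLE_DNS.map do |dn|
    { dn: dn,
      original: extract(ORIGINAL, dn),
      patched:  extract(PATCHED, dn),
      bounded:  cn_from_dn(dn) }
  end
end

if __FILE__ == $PROGRAM_NAME
  comparison.each do |row|
    puts row[:dn]
    puts "  original: #{row[:original].inspect}"
    puts "  patched:  #{row[:patched].inspect}"
    puts "  bounded:  #{row[:bounded].inspect}"
  end
end
```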