Nicolas,
Thanks for the additional info.  More comments below.

On Tue, Sep 28, 2010 at 5:29 AM, Nicolas Bourbaki
<[email protected]> wrote:
> Hi,
>
> I'm sorry if the first was not clear enough. I'm going to try to be more
> precise. When using external software to handle the SSL authentication
> (mongrel, apache, etc.) we have to pass some SSL variables to the
> puppetmaster. From the puppet documentation:
> http://projects.puppetlabs.com/projects/puppet/wiki/Using_Passenger
>
> [puppetmasterd]
>   ssl_client_header = SSL_CLIENT_S_DN
>   ssl_client_verify_header = SSL_CLIENT_VERIFY
>
> So with this configuration, puppetmaster explicitly tries to authenticate a
> client using its Distinguished Name. Then, as I stated in my previous
> mail, if you have a DN such as "/CN=mynode.example.com/O=MyOrg/L=Anywhere",
> you will run into problems. In order to make it work I did the following
> modification to the regex (puppet/network/http/rack/rest.rb and
> puppet/network/http/rack/xmlrpc.rb):
>
> -   if dn = request.env[Puppet[:ssl_client_header]] and dn_matchdata
> =dn.match(/^.*?CN\s*=\s*(.*)/)
> +  if dn = request.env[Puppet[:ssl_client_header]] and dn_matchdata
> =dn.match(/^.*?CN\s*=\s*(.*)\/O/)
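Review bot: the changed regex on the "+" line only matches when a "/O" component follows the CN, so a DN with no O attribute after the CN (a constructed example: "/CN=mynode.example.com") no longer matches at all and the client is not identified by its CN. A non-greedy capture that stops at the next "/" or at end of string keeps the fix for "/CN=.../O=.../L=..." without requiring "/O", e.g. dn.match(/^.*?CN\s*=\s*(.*?)(\/|$)/). Note also that "(.*)\/O" is greedy, so it backtracks to the last "/O" in the string: that happens to be right for the DN in the mail, but with a later attribute whose name also starts with O (constructed example: "/CN=mynode.example.com/O=MyOrg/OU=Ops") the capture would be "mynode.example.com/O=MyOrg". Since the captured value becomes the node's authenticated identity, either mistake is worth a test case in the patch.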

That's what I guessed you might be referring to.  In my email I
mistyped: I said the regex "wouldn't" cause the problem when I meant
"would".  Do you want to open a ticket
(http://projects.puppetlabs.com/projects/puppet/issues/new) and submit
a patch?  There's a lot of info on contributing here:
http://projects.puppetlabs.com/projects/puppet/wiki/Development_Development_Lifecycle.
If you submit the patch, I'd say the regex should probably be lazy
and without the O so that it still captures the CN when there isn't a
following /O:

.match(/^.*?CN\s*=\s*(.*?)(\/|$)/)

This would end the CN capture before any other slash or when it hit
the end of the string.

> This way, the regex matches the CN and stops at the '/O' pattern which is
> better in my case. However, I think it would be best if puppetmaster could
> be configured to use:
>
> ssl_client_header = SSL_CLIENT_S_DN_CN
>
> Be aware that if you do that with no modification whatsoever, puppetmaster
> will currently identify your node as "invalid.example.com".

Please open a ticket on this, and in the ticket explain why we should
use SSL_CLIENT_S_DN_CN instead of SSL_CLIENT_S_DN.  I'm honestly not
sure so input from someone who knows more about Apache's environment
variables would be helpful to us in determining if this is something
we can do.  For example, would making this change break compatibility
with older versions of Apache?
http://www.modssl.org/docs/2.8/ssl_compat.html#table2

Matt

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Developers" group.
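An added example, written for this thread and not code from Puppet or from either mail: a Ruby script that runs the three CN-extraction regexes discussed above (the original greedy one from rest.rb, the "/O" version from the quoted diff, and the lazy one Matt suggests) against constructed SSL_CLIENT_S_DN header values. The samples include a DN with no O component, one with the CN last, one with an OU component after the O, and a bare CN of the kind SSL_CLIENT_S_DN_CN would carry, which none of the DN patterns match (the thread reports that an unmatched header currently leaves the node identified as "invalid.example.com"). The function names, pattern labels and sample DNs are this example's own assumptions.

```ruby
# Added example (not Puppet's code): compare the three CN-extraction regexes
# from the puppet-dev thread against constructed DN header values.

# The three candidate patterns discussed in the thread.
CN_PATTERNS = {
  original: /^.*?CN\s*=\s*(.*)/,        # rest.rb as shipped: greedy, captures to end of string
  with_o:   /^.*?CN\s*=\s*(.*)\/O/,     # quoted diff: requires a "/O" after the CN
  lazy:     /^.*?CN\s*=\s*(.*?)(\/|$)/, # suggested: stop at the next "/" or at end of string
}.freeze

# Extract the CN with one pattern; nil when it does not match, mirroring the
# "if dn_matchdata = dn.match(...)" guard in rest.rb where a nil means the
# client is not identified by its certificate DN.
def extract_cn(dn, pattern)
  m = dn.match(pattern)
  m && m[1]
end

# Constructed sample header values (hypothetical, not from real certificates).
SAMPLE_DNS = {
  "CN, O, L"    => "/CN=mynode.example.com/O=MyOrg/L=Anywhere",
  "CN only"     => "/CN=mynode.example.com",
  "CN last"     => "/O=MyOrg/L=Anywhere/CN=mynode.example.com",
  "CN, O, OU"   => "/CN=mynode.example.com/O=MyOrg/OU=Ops",
  "bare CN"     => "mynode.example.com", # what SSL_CLIENT_S_DN_CN would carry
}.freeze

# Returns { sample label => { pattern name => extracted CN or nil } }.
def compare_patterns
  SAMPLE_DNS.each_with_object({}) do |(label, dn), out|
    out[label] = CN_PATTERNS.transform_values { |re| extract_cn(dn, re) }
  end
end

if __FILE__ == $0
  compare_patterns.each do |label, results|
    puts label
    results.each { |name, cn| puts "  #{name.to_s.ljust(9)} => #{cn.inspect}" }
  end
end
```

Running it shows the three failure modes side by side: the original pattern returns the whole tail "mynode.example.com/O=MyOrg/L=Anywhere" as the CN, the "/O" pattern returns nil for a DN with no O component and "mynode.example.com/O=MyOrg" when an OU follows, and the lazy pattern returns "mynode.example.com" in every DN case. One Ruby-specific caveat for the lazy pattern: "$" matches at any line end, so "\z" is the stricter choice if a header value could ever contain a newline.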