Xymon Mailing List Archive

transform REMOTE_USER for display purposes?

2 messages in this thread

Richard L. Hamilton · Sat, 2 Aug 2014 20:12:09 -0400

There are those who have asked for a way to transform the REMOTE_USER variable when it's used for display purposes (like in the enadis.sh CGI program).  This can be perhaps more desirable when client certs are used with +FakeBasicAuth; the rather long identifying strings then used in the xymonpasswd (or comparable) file are a bit ugly.

AFAIK, Apache's mod_env will not modify standard CGI environment variables; so the CGIs would have to do it.  If they checked if some optional RE was in a config file, they could use that to convert REMOTE_USER into something better suited to display than e.g.
/CN=CAcert WoT User/emailAddress=user-df14c361be72@xymon.invalid
(trivial example of what a free cert from CAcert might show up as); or there could be a file that just mapped REMOTE_USER values to display names.

Overkill, or worthwhile? :-)

Ralph Mitchell · Sun, 3 Aug 2014 02:07:35 -0400

I found that Apache breaks out client certificate information so this is
handed to the cgi scripts in the environment:

     SSL_CLIENT_S_DN_CN=MITCHELL.RALPH.xxxxxxx

I still have the big ugly DN string in the passwd file for FakeBasicAuth to
work, but with this:

     REMOTE_USER="$SSL_CLIENT_S_DN_CN"

in /home/xymon/server/etc/cgioptions.cfg, at least the shorter name is used
for the web pages where a test is acked or disabled.

Ralph Mitchell


On Sat, Aug 2, 2014 at 8:12 PM, Richard L. Hamilton <user-af55987f6d56@xymon.invalid> wrote:

> There are those who have asked for a way to transform the REMOTE_USER
> variable when it's used for display purposes (like in the enadis.sh CGI
> program).  This can be perhaps more desirable when client certs are used
> with +FakeBasicAuth; the rather long identifying strings then used in the
> xymonpasswd (or comparable) file are a bit ugly.
>
> AFAIK, Apache's mod_env will not modify standard CGI environment
> variables; so the CGIs would have to do it.  If they checked if some
> optional RE was in a config file, they could use that to convert
> REMOTE_USER into something better suited to display than e.g.
> /CN=CAcert WoT User/emailAddress=user-df14c361be72@xymon.invalid
> (trivial example of what a free cert from CAcert might show up as); or
> there could be a file that just mapped REMOTE_USER values to display names.
>
> Overkill, or worthwhile? :-)
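
Added example (not from either poster and not Xymon code): the regex and mapping-file ideas from the first message as shell functions that derive a display name while leaving REMOTE_USER itself unchanged, since a certificate CN is not guaranteed unique and the full DN is what identifies who acked or disabled a test. `XYMON_USERMAP`, the function names and the sample DN are assumptions made for illustration.

```shell
#!/bin/sh
# XYMON_USERMAP (hypothetical): optional file of "<full DN><TAB><display name>" lines.

# Pull the CN out of a DN in the /CN=.../emailAddress=... form shown in the thread.
# Prints nothing when the value contains no /CN= component.
dn_to_cn() {
    printf '%s\n' "$1" | sed -n 's|^.*/CN=\([^/]*\).*$|\1|p'
}

# Certificate fields are chosen by the certificate holder, so escape them
# before they are written into an HTML page.
html_escape() {
    sed -e 's/&/\&amp;/g' -e 's/</\&lt;/g' -e 's/>/\&gt;/g' -e 's/"/\&quot;/g'
}

# Resolve a display name: exact match in the map file, then the CN,
# then the raw value (a plain Basic-auth user name that is not a DN).
display_name() {
    dn_user=$1
    dn_name=
    if [ -n "${XYMON_USERMAP:-}" ] && [ -r "$XYMON_USERMAP" ]; then
        # ENVIRON avoids awk -v, which would interpret backslashes in the DN.
        dn_name=$(KEY=$dn_user awk -F'\t' \
            '$1 == ENVIRON["KEY"] { print $2; exit }' "$XYMON_USERMAP")
    fi
    [ -n "$dn_name" ] || dn_name=$(dn_to_cn "$dn_user")
    [ -n "$dn_name" ] || dn_name=$dn_user
    printf '%s\n' "$dn_name" | html_escape
}

# Constructed sample value, same shape as the DN quoted in the thread.
sample_dn='/CN=CAcert WoT User/emailAddress=user@example.invalid'
echo "Disabled by: $(display_name "$sample_dn")"
```

Keeping the full DN in whatever is logged alongside the display name means two certificates that share a CN can still be told apart afterwards.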