I found that Apache breaks out client certificate information so this is handed to the cgi scripts in the environment:
SSL_CLIENT_S_DN_CN=MITCHELL.RALPH.xxxxxxx
I still have the big ugly DN string in the passwd file for FakeBasicAuth to work, but with this:
REMOTE_USER="$SSL_CLIENT_S_DN_CN"
in /home/xymon/server/etc/cgioptions.cfg, at least the shorter name is used for the web pages where a test is acked or disabled.
Ralph Mitchell
On Sat, Aug 2, 2014 at 8:12 PM, Richard L. Hamilton <rlhamil2 at gmail.com> wrote:
There are those who have asked for a way to transform the REMOTE_USER variable when it's used for display purposes (like in the enadis.sh CGI program). This can be perhaps more desirable when client certs are used with +FakeBasicAuth; the rather long identifying strings then used in the xymonpasswd (or comparable) file are a bit ugly.
AFAIK, Apache's mod_env will not modify standard CGI environment variables; so the CGIs would have to do it. If they checked if some optional RE was in a config file, they could use that to convert REMOTE_USER into something better suited to display than e.g. /CN=CAcert WoT User/emailAddress=johndoe at nobody.com (trivial example of what a free cert from CAcert might show up as); or there could be a file that just mapped REMOTE_USER values to display names.
Overkill, or worthwhile? :-)
Xymon mailing list Xymon at xymon.com http://lists.xymon.com/mailman/listinfo/xymon
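
An added example (not from either poster and not part of Xymon) of the REMOTE_USER transformation discussed in this thread, written as a shell fragment for a file that is sourced the way cgioptions.cfg is: it prefers SSL_CLIENT_S_DN_CN, falls back to the CN component of a /K=V style DN, and keeps only a conservative character set because the value ends up on the ack/disable web pages. The function name display_user and the sample values in the comments are assumptions; Apache has already made the authentication decision before this runs, so only the displayed name changes.

```shell
# Hypothetical helper, not part of Xymon.
#   $1 = certificate CN as exported by mod_ssl (SSL_CLIENT_S_DN_CN), may be empty
#   $2 = REMOTE_USER as set by Apache (the full DN under +FakeBasicAuth)
# Prints a short name suitable for display.
display_user() {
    _cn=$1
    _dn=$2

    if [ -z "$_cn" ]; then
        case $_dn in
            */CN=*)
                # Constructed sample: "/CN=Some User/emailAddress=u@example.org"
                _cn=${_dn#*/CN=}    # drop everything up to and including "/CN="
                _cn=${_cn%%/*}      # drop the next "/KEY=value" component onwards
                ;;
            *)
                # Not a DN (e.g. ordinary password auth): use the name as given.
                _cn=$_dn
                ;;
        esac
    fi

    # The CN is chosen by whoever requested the certificate, so treat it as
    # untrusted input: delete everything outside a small allow-list before
    # it is written into HTML or log lines.
    _cn=$(printf '%s' "$_cn" | LC_ALL=C tr -cd 'A-Za-z0-9 ._@-')

    # Never hand back an empty name.
    printf '%s' "${_cn:-unknown}"
}

# Usage in the sourced config file, replacing a plain assignment:
REMOTE_USER=$(display_user "${SSL_CLIENT_S_DN_CN:-}" "${REMOTE_USER:-}")
```

The long DN still has to stay in the password file for FakeBasicAuth to match; this only shortens what the CGIs record and show.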