Message ID | 1601232360-14096-1-git-send-email-selva.nair@gmail.com |
---|---|
State | Accepted |
Series | [Openvpn-devel] Improve documentation of --username-as-common-name |
On 27/09/2020 20:46, selva.nair@gmail.com wrote: > From: Selva Nair <selva.nair@gmail.com> > > Trac #1079 > > Signed-off-by: Selva Nair <selva.nair@gmail.com> > --- > doc/man-sections/server-options.rst | 12 +++++++++--- > 1 file changed, 9 insertions(+), 3 deletions(-) > > diff --git a/doc/man-sections/server-options.rst b/doc/man-sections/server-options.rst > index c0b22a5..4b649b1 100644 > --- a/doc/man-sections/server-options.rst > +++ b/doc/man-sections/server-options.rst > @@ -668,9 +668,15 @@ fast hardware. SSL/TLS authentication must be used in this mode. > ``--max-routes-per-client`` > > --username-as-common-name > - For ``--auth-user-pass-verify`` authentication, use the authenticated > - username as the common name, rather than the common name from the client > - cert. > + Use the authenticated username as the common-name, rather than the > + common-name from the client certificate. Requires that some form of > + auth-user-pass verification is in effect. As the replacement happens after > + auth-user-pass verification, the verification script or plugin will still The two occurrences of "auth-user-pass" should be: ``--auth-user-pass`` (with "double-backwards-single-quotes" in both ends) > + receive the common-name from the certificate. > + > + The common_name environment variable passed to scripts and plugins invoked > + after authentication (e.g, client-connect script) and file names parsed in > + client-config directory will match the username. I have not verified the behavior described, but I trust Selva's understanding and testing. The extension of this part is valuable and makes both the man entry and behavior clearer. The fix I've touched above can be handled at commit-time, unless Gert objects. Acked-By: David Sommerseth <davids@openvpn.net>
Thanks, documentation clarification is always welcome.

I have added formatting to --auth-user-pass as instructed (and rewrapped the paragraph slightly to avoid overlong lines in the .rst)

Your patch has been applied to the master and release/2.5 branch.

commit 66ad8727935a371e237a5bada142c9f5f467c3f8 (master)
commit f9f5b4a307ddd59dd9eddcc869d05cc89dffbeb5 (release/2.5)
Author: Selva Nair
Date: Sun Sep 27 14:46:00 2020 -0400

Improve documentation of --username-as-common-name

Signed-off-by: Selva Nair <selva.nair@gmail.com>
Acked-by: David Sommerseth <davids@openvpn.net>
Message-Id: <1601232360-14096-1-git-send-email-selva.nair@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg21098.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>

--
kind regards,

Gert Doering

diff --git a/doc/man-sections/server-options.rst b/doc/man-sections/server-options.rst index c0b22a5..4b649b1 100644 --- a/doc/man-sections/server-options.rst +++ b/doc/man-sections/server-options.rst @@ -668,9 +668,15 @@ fast hardware. SSL/TLS authentication must be used in this mode. ``--max-routes-per-client`` --username-as-common-name - For ``--auth-user-pass-verify`` authentication, use the authenticated - username as the common name, rather than the common name from the client - cert. + Use the authenticated username as the common-name, rather than the + common-name from the client certificate. Requires that some form of + auth-user-pass verification is in effect. As the replacement happens after + auth-user-pass verification, the verification script or plugin will still + receive the common-name from the certificate. + + The common_name environment variable passed to scripts and plugins invoked + after authentication (e.g, client-connect script) and file names parsed in + client-config directory will match the username. --verify-client-cert mode Specify whether the client is required to supply a valid certificate.
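
Review bot: In the second added paragraph, common_name, "client-connect script" and "client-config directory" are written as plain words, although this file marks options as literals (the context line has ``--max-routes-per-client``). Writing ``common_name``, ``--client-connect`` and ``--client-config-dir`` would let a reader find the matching entries, and "e.g," is missing its second period. In the first added paragraph, the removed text named ``--auth-user-pass-verify`` while the new "some form of auth-user-pass verification" names no option, so it would help to state which server-side options satisfy the requirement. Since the text now says the verification script sees the certificate common-name while client-config file names follow the username, a sentence telling operators to name those files after usernames once this option is set would prevent per-client settings from silently not applying.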