[Openvpn-devel] Improve documentation of --username-as-common-name

Message ID 1601232360-14096-1-git-send-email-selva.nair@gmail.com
State Accepted
Series [Openvpn-devel] Improve documentation of --username-as-common-name

Commit Message

Selva Nair Sept. 27, 2020, 8:46 a.m. UTC
From: Selva Nair <selva.nair@gmail.com>

Trac #1079

Signed-off-by: Selva Nair <selva.nair@gmail.com>
---
 doc/man-sections/server-options.rst | 12 +++++++++---
 1 file changed, 9 insertions(+), 3 deletions(-)

Comments

David Sommerseth Sept. 28, 2020, 11:36 a.m. UTC | #1
On 27/09/2020 20:46, selva.nair@gmail.com wrote:
> From: Selva Nair <selva.nair@gmail.com>
> 
> Trac #1079
> 
> Signed-off-by: Selva Nair <selva.nair@gmail.com>
> ---
>  doc/man-sections/server-options.rst | 12 +++++++++---
>  1 file changed, 9 insertions(+), 3 deletions(-)
> 
> diff --git a/doc/man-sections/server-options.rst b/doc/man-sections/server-options.rst
> index c0b22a5..4b649b1 100644
> --- a/doc/man-sections/server-options.rst
> +++ b/doc/man-sections/server-options.rst
> @@ -668,9 +668,15 @@ fast hardware. SSL/TLS authentication must be used in this mode.
>    ``--max-routes-per-client``
>  
>  --username-as-common-name
> -  For ``--auth-user-pass-verify`` authentication, use the authenticated
> -  username as the common name, rather than the common name from the client
> -  cert.
> +  Use the authenticated username as the common-name, rather than the
> +  common-name from the client certificate. Requires that some form of
> +  auth-user-pass verification is in effect. As the replacement happens after
> +  auth-user-pass verification, the verification script or plugin will still

The two occurrences of "auth-user-pass" should be: ``--auth-user-pass`` (with
"double-backwards-single-quotes" in both ends)

> +  receive the common-name from the certificate.
> +
> +  The common_name environment variable passed to scripts and plugins invoked
> +  after authentication (e.g, client-connect script) and file names parsed in
> +  client-config directory will match the username.

I have not verified the behavior described, but I trust Selva's understanding
and testing.  The extension of this part is valuable and makes both the man
entry and behavior clearer.

The fix I've touched above can be handled at commit-time, unless Gert objects.

Acked-By: David Sommerseth <davids@openvpn.net>
Gert Doering Sept. 28, 2020, 8 p.m. UTC | #2
Thanks, documentation clarification is always welcome.  I have added
formatting to --auth-user-pass as instructed (and rewrapped the
paragraph slightly to avoid overlong lines in the .rst).

Your patch has been applied to the master and release/2.5 branch.

commit 66ad8727935a371e237a5bada142c9f5f467c3f8 (master)
commit f9f5b4a307ddd59dd9eddcc869d05cc89dffbeb5 (release/2.5)
Author: Selva Nair
Date:   Sun Sep 27 14:46:00 2020 -0400

     Improve documentation of --username-as-common-name

     Signed-off-by: Selva Nair <selva.nair@gmail.com>
     Acked-by: David Sommerseth <davids@openvpn.net>
     Message-Id: <1601232360-14096-1-git-send-email-selva.nair@gmail.com>
     URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg21098.html
     Signed-off-by: Gert Doering <gert@greenie.muc.de>


--
kind regards,

Gert Doering

Patch

diff --git a/doc/man-sections/server-options.rst b/doc/man-sections/server-options.rst
index c0b22a5..4b649b1 100644
--- a/doc/man-sections/server-options.rst
+++ b/doc/man-sections/server-options.rst
@@ -668,9 +668,15 @@  fast hardware. SSL/TLS authentication must be used in this mode.
   ``--max-routes-per-client``
 
 --username-as-common-name
-  For ``--auth-user-pass-verify`` authentication, use the authenticated
-  username as the common name, rather than the common name from the client
-  cert.
+  Use the authenticated username as the common-name, rather than the
+  common-name from the client certificate. Requires that some form of
+  auth-user-pass verification is in effect. As the replacement happens after
+  auth-user-pass verification, the verification script or plugin will still
+  receive the common-name from the certificate.
+
+  The common_name environment variable passed to scripts and plugins invoked
+  after authentication (e.g, client-connect script) and file names parsed in
+  client-config directory will match the username.
 
 --verify-client-cert mode
   Specify whether the client is required to supply a valid certificate.
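Review bot: `(e.g, client-connect script)` in the new second paragraph drops the second period of the abbreviation; it should read `(e.g., client-connect script)`. The two new mentions of `auth-user-pass` are plain text while the option in the context line just above is marked up as ``--max-routes-per-client``; mark them up the same way, as ``--auth-user-pass``, so the rendered man page formats option names consistently. The new text also switches from "common name" (the removed lines) to "common-name" while the same paragraph refers to the `common_name` environment variable; pick one spelling for the prose so the entry does not mix three forms of the same term.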