Issue 1805: Authentication with CLIENT_SSL_CERT_LDAP doesn't work if certificate contains email
Status:  Submitted
Owner: ----
Closed:  Feb 2013
Reported by omark...@gmail.com, Feb 26, 2013
************************************************************
***** NOTE: THIS BUG TRACKER IS FOR GERRIT CODE REVIEW *****
***** DO NOT SUBMIT BUGS FOR CHROME, ANDROID, INTERNAL *****
***** ISSUES WITH YOUR COMPANY'S GERRIT SETUP, ETC.    *****
***** THOSE ISSUE BELONG IN DIFFERENT ISSUE TRACKERS!  *****
************************************************************

Affected Version: 2.5.2

If the Client-SSL-Cert contains an email-address the exception "Couldn't extract username from your certificate" is thrown.

To be more precise if certs[0].getSubjectDN().getName() returns something of the form "EMAILADDRESS=abc@domain.com, CN=My Name, OU=users, OU=ABC,
DC=domain, DC=local" then the regex "CN=([^,]*),.*" does not match. 

The FIX is quite simple: 
In the file com.google.gerrit.httpd.auth.container.HttpsClientSslCertAuthFilter change the pattern from "CN=([^,]*),.*" to ".*CN=([^,]*),.*" on line 45.

Feb 27, 2013
Project Member #2 ziv...@gmail.com
(No comment was entered for this change.)
Status: Submitted
Labels: FixedIn-2.6