From f9f5b4a307ddd59dd9eddcc869d05cc89dffbeb5 Mon Sep 17 00:00:00 2001 From: Selva Nair Date: Sun, 27 Sep 2020 14:46:00 -0400 Subject: [PATCH] Improve documentation of --username-as-common-name Trac #1079 Signed-off-by: Selva Nair Acked-by: David Sommerseth Message-Id: <1601232360-14096-1-git-send-email-selva.nair@gmail.com> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg21098.html Signed-off-by: Gert Doering (cherry picked from commit 66ad8727935a371e237a5bada142c9f5f467c3f8) --- doc/man-sections/server-options.rst | 12 +++++++++--- 1 file changed, 9 insertions(+), 3 deletions(-) diff --git a/doc/man-sections/server-options.rst b/doc/man-sections/server-options.rst index c0b22a534..5a689452c 100644 --- a/doc/man-sections/server-options.rst +++ b/doc/man-sections/server-options.rst @@ -668,9 +668,15 @@ fast hardware. SSL/TLS authentication must be used in this mode. ``--max-routes-per-client`` --username-as-common-name - For ``--auth-user-pass-verify`` authentication, use the authenticated - username as the common name, rather than the common name from the client - cert. + Use the authenticated username as the common-name, rather than the + common-name from the client certificate. Requires that some form of + ``--auth-user-pass`` verification is in effect. As the replacement happens + after ``--auth-user-pass`` verification, the verification script or + plugin will still receive the common-name from the certificate. + + The common_name environment variable passed to scripts and plugins invoked + after authentication (e.g, client-connect script) and file names parsed in + client-config directory will match the username. --verify-client-cert mode Specify whether the client is required to supply a valid certificate. -- 2.47.2
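Review bot: In the second added paragraph, "(e.g, client-connect script)" is missing the period after "e.g", and the paragraph names its identifiers loosely while the rest of the entry marks options as literals. Suggest "(e.g., ``--client-connect`` script)", ``common_name`` for the environment variable, and ``--client-config-dir`` in place of "client-config directory", so the exact names are searchable in the man page. In the first added paragraph, "some form of ``--auth-user-pass`` verification" replaces the removed text's ``--auth-user-pass-verify`` with an option name that is only a prefix of it; if the intent is to cover both the verify script and plugins, say so explicitly rather than leaving the reader to guess which option is meant. The two paragraphs together imply that the verification step sees the certificate common-name while everything after it sees the username; a closing sentence stating that per-client config file names must therefore be keyed on the username would make the consequence hard to miss.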