Resolution: As documented by Apache:
- The variable SSL_CLIENT_S_DN carries the complete Subject DN of the client certificate.
- The variable SSL_CLIENT_S_DN_x509 carries a single component of the client's Subject DN.
Here is the excerpt on the possible values for x509:
---------------------
x509 specifies a component of an X.509 DN; one of C,ST,L,O,OU,CN,T,I,G,S,D,UID,Email.
---------------------
Here are the directives in Apache:
To send the complete DN:
RequestHeader add CAIssuer "%{SSL_CLIENT_I_DN}s"
RequestHeader add SerialNumber "%{SSL_CLIENT_S_DN}s"
To send the CN component only:
RequestHeader add CAIssuer "%{SSL_CLIENT_I_DN}s"
RequestHeader add SerialNumber "%{SSL_CLIENT_S_DN_CN}s"
Here are the corresponding sample entries in PartnerData.cfg for version 2.x:
partner_FULL_JOHN|FULL_JOHN|||||CN=John,OU=VIP,O=ABC Book Club,L=Palo Alto,ST=California,C=US|CN=CA,OU=Security,O=TIBCOSoftware,L=Palo Alto,ST=California,C=US||false||
partner_CN_JOHN|CN_JOHN|||||John|CN=CA,OU=Security,O=TIBCOSoftware,L=Palo Alto,ST=California,C=US||false||
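
An added example, not part of the original article or of the Apache or TIBCO documentation: the mod_headers "add" action used in the RequestHeader directives above appends a header even when the request already carries one with that name, so a CAIssuer or SerialNumber value sent by the client can reach the backend next to the one taken from the certificate. The variant below uses "set", which replaces any incoming header of the same name, and requires a verified client certificate; the CA bundle path is a placeholder, and how the backend treats duplicate headers is not stated in this article.

```apache
# Added example, not from the original article; the path is a placeholder.
# Place inside the SSL-enabled <VirtualHost>.

# Only accept client certificates that chain to the expected CA, so that
# SSL_CLIENT_S_DN and SSL_CLIENT_I_DN come from a verified certificate.
SSLVerifyClient require
SSLCACertificateFile "/path/to/partner-ca-bundle.pem"

# As in the article: "add" appends, so a CAIssuer or SerialNumber header
# already present in the request is forwarded alongside the new value.
#RequestHeader add CAIssuer "%{SSL_CLIENT_I_DN}s"
#RequestHeader add SerialNumber "%{SSL_CLIENT_S_DN}s"

# Variant: "set" replaces any header of the same name sent by the client.
RequestHeader set CAIssuer "%{SSL_CLIENT_I_DN}s"
RequestHeader set SerialNumber "%{SSL_CLIENT_S_DN}s"

# For the CN-only case, use SSL_CLIENT_S_DN_CN in the second directive:
#RequestHeader set SerialNumber "%{SSL_CLIENT_S_DN_CN}s"
```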