3.10.37. EAPTLS_CertificateVerifyHook

For EAP-TLS authentication, this optional parameter specifies a Perl function that is called after the request user name or EAP identity has been matched against the certificate CN. The function receives the certificate and related details and returns the user name that is then used for the user database lookup, which may differ from the matched CN.
The function is passed the following arguments:
  • $_[0]: $matchedcn, the CN in the certificate that was matched against the user name or EAP identity, with or without the domain name. It is normally used as the user name for the user database lookup, but this function can return a different name.
  • $_[1]: $x509_store_ctx, the OpenSSL X509_STORE_CTX for the EAP-TLS session (you can pass this to Net::SSLeay::X509_STORE_CTX_get_current_cert)
  • $_[2]: $cert, the current certificate, the result of Net::SSLeay::X509_STORE_CTX_get_current_cert($x509_store_ctx)
  • $_[3]: $subject_name, the certificate's subject name, the result of &Net::SSLeay::X509_get_subject_name($cert)
  • $_[4]: $subject, the certificate subject as a string, the result of &Net::SSLeay::X509_NAME_oneline($subject_name)
  • $_[5]: $p, the current Radius::Radius request
The function is expected to return a new value for $matchedcn, which is used to do the user database lookup. If it returns undef, the certificate verification is deemed to fail with the OpenSSL error X509_V_ERR_APPLICATION_VERIFICATION and the client is rejected. Because the returned name selects which user record is consulted, derive it only from the verified certificate contents, never from unauthenticated attributes in the request.
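The following is an added example of such a hook; it is not part of the Radiator manual. It pins the issuing CA, requires a site-specific OU, and normalises the matched CN into the database lookup key, returning undef to fail verification when a check does not pass. The issuer DN and OU value are placeholders for illustration; the hook is written to be loaded from a file, and uses &main::log and the $main::LOG_* levels in the way other Radiator hooks do.

```perl
# Added example EAPTLS_CertificateVerifyHook (not from the Radiator manual).
# Assumptions: the issuer DN and the OU value below are site-specific
# placeholders; Net::SSLeay is already loaded by the EAP-TLS module.
sub {
    my ($matchedcn, $x509_store_ctx, $cert, $subject_name, $subject, $p) = @_;

    # Chain validation to a trusted root has already been done by OpenSSL.
    # Here we additionally pin the *issuing* CA, so a certificate from a
    # different intermediate under the same root is refused.
    my $issuer = Net::SSLeay::X509_NAME_oneline(
        Net::SSLeay::X509_get_issuer_name($cert));
    my $expected_issuer = '/C=AU/O=Example Corp/CN=Example Corp Device CA'; # assumed
    if ($issuer ne $expected_issuer) {
        &main::log($main::LOG_INFO,
            "EAP-TLS cert for '$matchedcn' has unexpected issuer '$issuer'; rejecting");
        return undef;   # verification fails with X509_V_ERR_APPLICATION_VERIFICATION
    }

    # Require an OU reserved for wireless clients, so that other certificate
    # types issued by the same CA (servers, VPN gateways) cannot be used for
    # network logon.
    unless ($subject =~ m{/OU=WiFi-Clients/}) {   # assumed OU value
        &main::log($main::LOG_INFO,
            "EAP-TLS cert '$subject' lacks the required OU; rejecting");
        return undef;
    }

    # Build the user database lookup key from the matched CN only: strip any
    # @realm suffix and normalise case. Nothing here comes from the request
    # attributes, so the client cannot choose which account it is looked up as.
    my $lookup = lc $matchedcn;
    $lookup =~ s/\@.*$//;

    &main::log($main::LOG_DEBUG,
        "EAP-TLS cert CN '$matchedcn' accepted; looking up user '$lookup'");
    return $lookup;
}
```

With a certificate whose subject is /C=AU/O=Example Corp/OU=WiFi-Clients/CN=Alice@example.com and $matchedcn of Alice@example.com, the hook returns alice; a certificate from another issuer or without the OU is rejected before any database lookup takes place.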