From a9721e529e7a02eeb40d29cb7820e69cd86d9337 Mon Sep 17 00:00:00 2001
From: David Kupka <dkupka@redhat.com>
Date: Apr 11 2017 13:29:11 +0000
Subject: WebUI: cert login: Configure name of parameter used to pass username


Directive LookupUserByCertificateParamName tells mod_lookup_identity module the
name of GET parameter that is used to provide username in case certificate is
mapped to multiple user accounts.
Without this directive login with certificate that's mapped to multiple users
doesn't work.

https://pagure.io/freeipa/issue/6860

Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>

---

diff --git a/install/conf/ipa.conf b/install/conf/ipa.conf
index e1f1a58..75c122e 100644
--- a/install/conf/ipa.conf
+++ b/install/conf/ipa.conf
@@ -117,6 +117,7 @@ Alias /ipa/session/cookie "/usr/share/ipa/gssapi.login"
   NSSVerifyClient require
   NSSUserName SSL_CLIENT_CERT
   LookupUserByCertificate On
+  LookupUserByCertificateParamName "username"
   WSGIProcessGroup ipa
   WSGIApplicationGroup ipa
   GssapiImpersonate On