# tls_auth_server:
#   driver = external
#   public_name = EXTERNAL
#   server_advertise_condition = $tls_in_certificate_verified
#   server_param2 =     ${certextract {subj_altname,mail,>:}{$tls_in_peercert}}
#   server_condition =  ${if forany {${certextract {subj_altname,mail,>:}{$tls_in_peercert}}} {eq {$item}{$auth1}}}
#   server_set_id =     $auth1

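# PLAIN authenticator that authenticates by TLS client certificate rather than
# by password: the password field of the PLAIN exchange ($auth3) is never
# consulted. A login succeeds only when the authentication id supplied by the
# client ($auth2) matches the subject DN of the client certificate.
plain_server:
  driver = plaintext
  public_name = PLAIN
  # The id recorded for a successful login is the certificate-backed name.
  server_set_id = $auth2
  server_prompts = :
  # Offer PLAIN only on connections whose client certificate was verified.
  server_advertise_condition = $tls_in_certificate_verified
  # Require certificate verification here as well as at advertisement time, so
  # the decision does not depend on the mechanism having been advertised (for
  # example if an ACL ever sets "control = allow_auth_unadvertised") and an
  # unverified peer DN is never trusted.
  # The DN check is an exact string comparison: only a subject that consists of
  # the single component CN=<id> matches.
  # NOTE(review): confirm the DN string form produced by the TLS library in use.
  server_condition = ${if and {{eq {$tls_in_certificate_verified}{1}}{eq {$tls_in_peerdn}{CN=$auth2}}}}
  # TODO: also accept a match on the certificate's subjectAltName mail entries.
  # The subject DN and subjectAltName are distinct fields, so this must be an
  # additional alternative, not a replacement for the DN comparison above.
  # ${if forany {${certextract {subj_altname,mail,>:}{$tls_in_peercert}}}{eq {$item}{$auth2}}}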
