Forum Discussion
Wand_97484
Sep 13, 2013 Nimbostratus
APM ClientCert to Kerberos Transition - parsing SubjectAlternateName in Variable assign
Hi,
I'm currently setting up different APM profiles to test Kerberos Protocol Transition.
LDAP Auth to Kerberos works
RSA SecurID to Kerberos works
Client Certificate to Kerberos - does not work...
Wand_97484
Sep 15, 2013 Nimbostratus
Dear Kevin,
many thanks for the answer. I had to split the UPN into username and UPN suffix for RSA/LDAP, because it doesn't match the REALM. I retrieve it by performing an LDAP query with the full UPN, because we have three AD trees with up to 40 child domains. The REALM is then retrieved from the DistinguishedName by some string operation in a Variable Assign:
Build REALM from DistinguishedName (I think I will add a toupper):
expr { [string map -nocase {,dc= .} [string range [mcget {session.ldap.last.attr.distinguishedName}] [expr [string first ",DC=" [mcget {session.ldap.last.attr.distinguishedName}] 0] +4] end ] ]}
Remove UPN from session.logon.last.username:
expr { [string range [mcget {session.logon.last.username}] 0 [expr [string first "@" [mcget {session.logon.last.username}] 0] -1] ] }
Cheers JP
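An added example, not part of the original posts: the two Variable Assign expressions above rewritten as plain Tcl procs, with guards for inputs the one-liners do not handle (a lowercase dc= in the DN, an escaped comma in the DN, a username without "@"). The proc names and sample values are assumptions made for illustration; on APM the inputs would come from mcget as in the post.

```tcl
# Added example, not from the thread. Plain Tcl procs so it runs in tclsh;
# on APM the inputs would come from mcget as in the post's expressions.
# Proc names and sample values are hypothetical.

# Build an upper-case realm from the DC components of a distinguished name.
# Returns "" when the DN carries no DC component, so the caller can fail closed.
proc realm_from_dn {dn} {
    set labels {}
    # Split on commas that are not backslash-escaped (RFC 4514 escaping).
    foreach rdn [regexp -all -inline {(?:\\.|[^,\\])+} $dn] {
        # Match the attribute type in any case: DC=, dc=, Dc=
        if {[regexp -nocase {^dc=(.+)$} [string trim $rdn] -> label]} {
            lappend labels [string toupper [string trim $label]]
        }
    }
    return [join $labels "."]
}

# Split user@suffix at the last "@" (the suffix is a DNS name, so it cannot
# contain "@"). Returns {user suffix}; suffix is "" when no "@" is present,
# which keeps the username intact instead of turning it into an empty string.
proc split_upn {upn} {
    set at [string last "@" $upn]
    if {$at < 0} {
        return [list $upn ""]
    }
    return [list [string range $upn 0 [expr {$at - 1}]] \
                 [string range $upn [expr {$at + 1}] end]]
}

# Constructed sample DNs: escaped comma, lowercase attribute types, no DC.
foreach dn {
    {CN=Doe\, John,OU=Users,DC=child,DC=example,DC=com}
    {cn=svc,ou=apps,dc=child,dc=example,dc=com}
    {CN=orphan,OU=none}
} {
    set realm [realm_from_dn $dn]
    # An empty realm must not be handed to Kerberos SSO.
    set verdict [expr {$realm eq "" ? "reject" : "ok"}]
    puts [format "%-52s -> realm='%s' (%s)" $dn $realm $verdict]
}

# Constructed sample logon names: a full UPN and a bare username.
foreach name {jdoe@child.example.com jdoe} {
    foreach {user suffix} [split_upn $name] break
    puts [format "%-24s -> user='%s' suffix='%s'" $name $user $suffix]
}
```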