Forum Discussion
Juerg_Wiesmann
Nimbostratus
Jan 05, 2009
Authenticate only Email Address out of SSL Cert against LDAP
I want to authenticate only the Email Address out of the subject string of a certificate to authenticate against LDAP. This seems to fail. Is there a way to achieve that?
It seems that always the whole Cert or the CN is sent to LDAP for verification and there is no way to limit the input to a certain part of the cert.
Many thanks for your help
Wiesmann
when CLIENT_ACCEPTED {
    set tmm_auth_ssl_cc_ldap_sid 0
    set tmm_auth_ssl_cc_ldap_done 0
}
when CLIENTSSL_CLIENTCERT {
    set tmm_auth_ssl_cc_ldap_done 0
    set cert [SSL::cert 0]
    # Slice the subject string at a fixed offset of 13 characters (the length
    # of "emailAddress=") up to the first comma. This only yields the address
    # when emailAddress happens to be the first RDN in the subject.
    set email [substr [X509::subject $cert] 13 ","]
    log local0. "Email: $email"
    if {$tmm_auth_ssl_cc_ldap_sid == 0} {
        set tmm_auth_ssl_cc_ldap_sid [AUTH::start pam default_ssl_cc_ldap]
        if {[info exists tmm_auth_subscription]} {
            AUTH::subscribe $tmm_auth_ssl_cc_ldap_sid
        }
        # $email is only logged, never used: the whole certificate is handed
        # to the auth session, which is why LDAP sees the full cert / CN.
        AUTH::cert_credential $tmm_auth_ssl_cc_ldap_sid [SSL::cert 0]
        AUTH::authenticate $tmm_auth_ssl_cc_ldap_sid
        SSL::handshake hold
    }
}
when CLIENTSSL_HANDSHAKE {
    set tmm_auth_ssl_cc_ldap_done 1
}
when AUTH_RESULT {
    if {[info exists tmm_auth_ssl_cc_ldap_sid] and \
        ($tmm_auth_ssl_cc_ldap_sid == [AUTH::last_event_session_id])} {
        set tmm_auth_status [AUTH::status]
        if {$tmm_auth_status == 0} {
            set tmm_auth_ssl_cc_ldap_done 1
            SSL::handshake resume
        } elseif {$tmm_auth_status != -1 || $tmm_auth_ssl_cc_ldap_done == 0} {
            reject
        }
    }
}
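Why the fixed-offset slice is fragile, as an added Python example (not iRule code and not from the original post): it parses the comma-separated subject string into attributes and picks emailAddress wherever it sits, beside a model of the `substr ... 13 ","` slice for comparison. The subject strings are constructed samples, not real certificate data.

```python
"""Robust vs. fixed-offset extraction of emailAddress from an X.509 subject string."""
import re
from typing import Dict, Optional

# Constructed samples. A starts with emailAddress, as the posted iRule assumes;
# B reorders the RDNs and has an escaped comma inside the CN value.
SUBJECT_A = "emailAddress=juerg@example.com,CN=Juerg Wiesmann,O=Example AG,C=CH"
SUBJECT_B = "CN=Wiesmann\\, Juerg,O=Example AG,emailAddress=juerg@example.com,C=CH"

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def parse_subject(subject: str) -> Dict[str, str]:
    """Split an RFC 4514-style 'attr=value,attr=value' string into a dict.

    Splits only on commas not preceded by a backslash, so '\\,' inside a value
    survives; attribute names are lower-cased so lookups are case-insensitive.
    Hex escapes and other rarer RFC 4514 forms are not handled here.
    """
    attrs: Dict[str, str] = {}
    for rdn in re.split(r"(?<!\\),", subject):
        name, sep, value = rdn.partition("=")
        if not sep:
            continue  # malformed RDN without '=', ignore it
        attrs[name.strip().lower()] = value.replace("\\,", ",")
    return attrs


def email_from_subject(subject: str) -> Optional[str]:
    """Return the emailAddress value, or None if absent or not email-shaped.

    Returning None (rather than a wrong attribute) lets the caller reject the
    connection instead of authenticating against an unintended value.
    """
    value = parse_subject(subject).get("emailaddress")
    if value is None or not EMAIL_RE.match(value):
        return None
    return value


def email_by_offset(subject: str) -> str:
    """Model of the iRule's `substr $subject 13 ","`: skip 13 chars, stop at ','."""
    return subject[13:].split(",", 1)[0]
```

On SUBJECT_B the offset model returns " Juerg" while the parser still finds the address, which is the difference between checking the intended attribute and checking whatever happens to be at position 13.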
- Juerg_Wiesmann
Nimbostratus
Hi Colin,
when RULE_INIT {
    set username ""
    set ::aeskey [AES::key 128]
}
when CLIENT_ACCEPTED {
    set forceauth 1
}
when CLIENTSSL_HANDSHAKE {
    HTTP::release
}
when CLIENTSSL_CLIENTCERT {
    set tmm_auth_ssl_cc_ldap_done 0
    set subject_dn [X509::subject [SSL::cert 0]]
    set cert [SSL::cert 0]
    # Fixed-offset slice: 13 characters in, up to the first comma
    set username [substr $subject_dn 13 ","]
    log local0. "username: $username"
}
when HTTP_REQUEST {
    if {not [info exists tmm_auth_http_sids(ldap)]} {
        set tmm_auth_sid [AUTH::start pam default_ldap]
        set tmm_auth_http_sids(ldap) $tmm_auth_sid
        if {[info exists tmm_auth_subscription]} {
            AUTH::subscribe $tmm_auth_sid
            log local0. "info"
        }
    } else {
        set tmm_auth_sid $tmm_auth_http_sids(ldap)
    }
    if {$forceauth eq 1} {
        # Plain command, not [bracketed]: brackets would try to run the result
        # of the insert as a command. Note that HTTP::username parses a Basic
        # Authorization header, not a bare username value.
        HTTP::header insert "Authorization" $username
        AUTH::username_credential $tmm_auth_sid [HTTP::username]
        AUTH::password_credential $tmm_auth_sid ""
        AUTH::authenticate $tmm_auth_sid
        HTTP::collect
    }
    if {not [info exists tmm_auth_http_collect_count]} {
        HTTP::collect
        set tmm_auth_http_successes 0
        set tmm_auth_http_collect_count 1
    } else {
        incr tmm_auth_http_collect_count
    }
}
when AUTH_SUCCESS {
    if {$tmm_auth_sid eq [AUTH::last_event_session_id]} {
        # Now the user has authenticated lets give them an encrypted cookie with their authID
        # We'll also add the AUTH::status to a session entry with the authID as the key
        # We can then re-direct the user to the page they originally asked for
        set authStatus [AUTH::status $tmm_auth_sid]
        session add uie $tmm_auth_sid $authStatus 1800
        set encrypted_tmm_auth_sid [b64encode [AES::encrypt $::aeskey $tmm_auth_sid]]
        # $ckname and $orig_uri are not set anywhere in the posted rule
        set authcookie [format "%s=%s; path=/; " $ckname $encrypted_tmm_auth_sid]
        HTTP::respond 302 Location $orig_uri "Set-Cookie" $authcookie
    }
}
when AUTH_FAILURE {
    if {$tmm_auth_sid eq [AUTH::last_event_session_id]} {
        HTTP::respond 200 content "Authentication Failed"
    }
}
when AUTH_WANTCREDENTIAL {
    if {$tmm_auth_sid eq [AUTH::last_event_session_id]} {
        log local0. "username: $username"
        HTTP::respond 200 content "Authentication Credentials not provided"
    }
}
when AUTH_ERROR {
    if {$tmm_auth_sid eq [AUTH::last_event_session_id]} {
        HTTP::respond 200 content "Authentication Error"
    }
}