Irule client certificate check against ldap value
Hello,
I have a setup where users need a certificate and a username/password to log in. For better security, I want to match the email address in the certificate with the userPrincipalName attribute in Active Directory.
I have successfully extracted the email address from the dn of the certificate into a variable called ssl_email:
```tcl
when CLIENTSSL_CLIENTCERT {
    # grab the client certificate and its subject DN
    set cert [SSL::cert 0]
    set ssl_subject_dn [X509::subject [SSL::cert 0]]
    # take the text after "emailAddress=" (13 chars) up to the next comma
    set ssl_email [findstr $ssl_subject_dn "emailAddress=" 13 ","]
    log "Client Certificate Email: $ssl_email"
}
```
From the logs, I see that ssl_email value is correctly set.
In the Visual Policy Manager, I use an LDAP Query item to match this value with the userPrincipalName in LDAP. I tried various SearchFilter formats there, but it doesn't work (in the logs, the filter match is blank).
It looks like I have to "export" my ssl_email value into some sort of variable. I tried with ACCESS::session data set, but with no success. Furthermore, I'm not sure of the format of the LDAP SearchFilter with such variables.
Thank you
- Morten_Marstran (Nimbostratus)
Hi,
Have a look at the answer provided by Kevin Stewart: https://devcentral.f5.com/questions/kerberos-authentication-with-different-upn-than-kerberos-realm
I have used a modified version of that code to implement exactly what you are after. Unfortunately, I don't have the code available now.
Hope it helps.
Regards, Morten
- jfb_329380 (Nimbostratus)
Thank you Morten for your reply. It helped me a bit.
I have adapted my iRule like this:
```tcl
when ACCESS_POLICY_AGENT_EVENT {
    # only run for the iRule Event agent whose ID is "userCertEmail"
    if { [ACCESS::policy agent_id] eq "userCertEmail" } {
        log "userCertEmail matched"
        set cert [SSL::cert 0]
        set ssl_subject_dn [X509::subject [SSL::cert 0]]
        # take the text after "emailAddress=" (13 chars) up to the next comma
        set ssl_email [findstr $ssl_subject_dn "emailAddress=" 13 ","]
        # export the value as an APM session variable for the LDAP Query item
        ACCESS::session data set session.ssl.email "$ssl_email"
        log "Email is $ssl_email"
    }
}
```
In my Access Policy, I have added an LDAP Query rule like this:
(&(userPrincipalName=%{session.ssl.email})(sAMAccountName=%{session.logon.last.username}))
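As an added example, not code from this thread or from F5, the following Python models the two steps the iRule and the LDAP Query item perform: pulling emailAddress out of the subject DN the same way findstr does, and building the filter above from the two session values. It goes one step further and escapes both values per RFC 4515 before they are placed in the filter, since a certificate subject or typed username containing `*`, `(` or `)` would otherwise change the filter's meaning. The subject DN and account values are constructed sample data.

```python
from typing import Optional

# RFC 4515 escaping: these characters would alter the structure of an
# LDAP search filter, so they are replaced by \XX hex escapes.
_LDAP_FILTER_ESCAPES = {
    "\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00",
}


def ldap_filter_escape(value: str) -> str:
    """Escape a value that will be interpolated into an LDAP filter."""
    return "".join(_LDAP_FILTER_ESCAPES.get(c, c) for c in value)


def email_from_subject_dn(subject_dn: str) -> Optional[str]:
    """Mimic findstr $dn "emailAddress=" 13 ",": return the text after
    'emailAddress=' up to the next comma, or None if the RDN is absent
    (the case where the thread's filter came out blank)."""
    for rdn in subject_dn.split(","):
        key, sep, val = rdn.strip().partition("=")
        if sep and key == "emailAddress":
            return val
    return None


def build_ldap_filter(cert_email: str, username: str) -> str:
    """The APM LDAP Query filter from the thread, with both values
    escaped so the comparison stays an exact equality match."""
    return "(&(userPrincipalName={})(sAMAccountName={}))".format(
        ldap_filter_escape(cert_email), ldap_filter_escape(username))


def filter_for_session(subject_dn: str, username: str) -> Optional[str]:
    """End-to-end: DN from the client cert + logon username -> filter,
    or None when the certificate carries no emailAddress at all."""
    email = email_from_subject_dn(subject_dn)
    if not email:
        return None
    return build_ldap_filter(email, username)


if __name__ == "__main__":
    # constructed sample subject DN in the one-line form X509::subject emits
    dn = "C=CH,O=Example AG,CN=Jane Doe,emailAddress=jane.doe@example.com"
    print(filter_for_session(dn, "jdoe"))
```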
- Morten_Marstran (Nimbostratus)
Glad to be of help :-)