Forum Discussion
jfb_329380
Nimbostratus
NimbostratusIrule client certificate check against ldap value
Hello,
I have a setup where users need a certificate and a username/password to login. For better security, I want to match the email address in the certificate with the userPrincipalName attri...
Thank you Morten for your reply. It helped me a bit.
I have adapted my iRule like this:
when ACCESS_POLICY_AGENT_EVENT {
if { [ACCESS::policy agent_id] eq "userCertEmail" } {
log "userCertEmail matched" set cert [SSL::cert 0] set ssl_subject_dn [X509::subject [SSL::cert 0]] set ssl_email [findstr $ssl_subject_dn "emailAddress=" 13 ","] ACCESS::session data set session.ssl.email "$ssl_email" log "Email is $ssl_email"} }
In my Access Policy, I have added an LDAP Query rule like this:
&(userPrincipalName=%{session.ssl.email})(sAMAccountName=%{session.logon.last.username}))
Morten_MarstranNimbostratus
NimbostratusHi,
Have a look at the answer provided by Kevin Stewart: https://devcentral.f5.com/questions/kerberos-authentication-with-different-upn-than-kerberos-realm
I have used a modified version of that code to implement exactly what you are after. Unfortunately, I don't have the code available now.
Hope it helps.
Regards, Morten