Forum Discussion

Nimbostratus

Aug 04, 2017

Solved

Irule client certificate check against ldap value

Hello, I have a setup where users need a certificate and a username/password to login. For better security, I want to match the email address in the certificate with the userPrincipalName attri...

BIG-IP Access Policy Manager (APM)

security

jfb_329380
Aug 04, 2017
Thank you Morten for your reply. It helped me a bit.

I have adapted my iRule like this:

when ACCESS_POLICY_AGENT_EVENT {

if { [ACCESS::policy agent_id] eq "userCertEmail" } {

log "userCertEmail matched" set cert [SSL::cert 0] set ssl_subject_dn [X509::subject [SSL::cert 0]] set ssl_email [findstr $ssl_subject_dn "emailAddress=" 13 ","] ACCESS::session data set session.ssl.email "$ssl_email" log "Email is $ssl_email"

} }

In my Access Policy, I have added an LDAP Query rule like this:

&(userPrincipalName=%{session.ssl.email})(sAMAccountName=%{session.logon.last.username}))

Morten_Marstran

Nimbostratus

Aug 04, 2017

Hi,

Have a look at the answer provided by Kevin Stewart: https://devcentral.f5.com/questions/kerberos-authentication-with-different-upn-than-kerberos-realm

I have used a modified version of that code to implement exactly what you are after. Unfortunately, I don't have the code available now.

Hope it helps.

Regards, Morten

Forum Discussion

Irule client certificate check against ldap value

Recent Discussions

F5Access | MacOS Sonoma

failed: Cannot contact any KDC for realm

Need help with ICAP integration with F5 LTM

GSLB - Monitoring LTM VIP load balancing via iRule

Can iRule forward request to pool after ASM block without ASM:unblock ?

Related Content

Re: Management Certificate

Fingerprinting TLS Clients with JA4 on F5 BIG-IP

My Security+ Certification Journey

Client Authentication with certificate on one URI only

Client ssl certification bulk installation