Forum Discussion

Carla_Molenda_1
Jul 11, 2005

LDAP SRCH change

Is there a way to change the LDAP SRCH query? We need to search the LDAP tree based on different (and multiple) criteria other than the entire cert or the subject name (the ones provided in the authentication profile). (i.e. other attributes in the client certificate). The documented AUTH iRule commands don't seem to supply this capability.
  • Tao_Liu_90341
    Historic F5 Account
    This is beyond iRULE. The current certmap mode in SSL CC LDAP will search serial number, issuer, subject.
  • So if I read your response correctly, you are saying that it's only possible (currently) to grab the serial number, issuer, and subject from the certificate. But is it possible to send custom queries to the LDAP server once these cert attributes are retrieved, or can the LDAP server only be accessed/searched via the built-in functionality?

    Thanks.
  • Tao_Liu_90341
    Historic F5 Account
    At this moment, there is no LDAP related iRULE. So you can't customize the query. Could you describe your case in more detail?
  • Well, for instance:

    Some of the client certificates we will need to deal with have multiple pieces of data concatenated into the subject field (e.g. email address and a unique ID number). Using iRULES, we can grab the subject and parse out the different values, but we then need a way to query the LDAP tree to check for matches of each value. So we'd like to send a query to match the email address, and then one to match the unique ID number, which could be stored in LDAP fields other than the standards.

    Also, we will have an LDAP field that indicates whether or not the user's account is enabled or disabled - this will be determined by their presence or non-presence on a Certificate Revocation List, so we would like to be able to query LDAP to see if a certain field is set to Y or N.
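The lookup described in the last post, as an added example that is not part of the original thread and not F5 code or an iRule: it parses a subject string, pulls the email address and unique ID out of the CN, builds the two LDAP filters plus the enabled-flag check, and runs them against a small in-memory directory. The point a practitioner should take from it is the escaping step: values copied out of a client certificate go into an LDAP filter only after RFC 4515 escaping, otherwise a certificate whose CN contains `*` or `)` can change what the search matches. The CN layout `<email>:<id>`, the attribute names `mail`, `employeeNumber` and `accountEnabled`, the directory entries and the toy filter evaluator are all constructed for this example; a real deployment would send the escaped filter to the directory server instead.

```python
"""Added example: build LDAP filters from certificate subject fields safely.
Not F5 code and not an iRule; the directory and attribute names are constructed."""
import re


def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515, section 3).
    Without this, '*' or ')' taken from a certificate would alter the filter."""
    out = []
    for ch in value:
        if ch in ("\\", "*", "(", ")", "\x00"):
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def parse_subject(subject: str) -> dict:
    """Split an RFC 2253-style subject into {ATTR: value}.
    Simple splitter for the constructed input: no escaped commas in values."""
    attrs = {}
    for part in subject.split(","):
        key, _, val = part.partition("=")
        attrs[key.strip().upper()] = val.strip()
    return attrs


def extract_identity(subject: str) -> tuple:
    """Assumed convention for this example: CN holds '<email>:<unique id>'."""
    cn = parse_subject(subject)["CN"]
    email, _, uid = cn.partition(":")
    return email, uid


def build_filters(email: str, uid: str) -> dict:
    """One filter per value from the thread, plus the enabled-flag check."""
    e, u = escape_filter_value(email), escape_filter_value(uid)
    return {
        "by_email": "(mail=%s)" % e,
        "by_uid": "(employeeNumber=%s)" % u,
        "enabled": "(&(employeeNumber=%s)(accountEnabled=Y))" % u,
    }


# --- toy evaluator so the filters can be run offline ------------------------

def _value_matcher(raw: str):
    """Turn an assertion value into a regex: an unescaped '*' is a wildcard,
    a '\\xx' escape (RFC 4515) is a literal character."""
    pattern, i = "", 0
    while i < len(raw):
        ch = raw[i]
        if ch == "\\":
            pattern += re.escape(chr(int(raw[i + 1:i + 3], 16)))
            i += 3
        elif ch == "*":
            pattern += ".*"
            i += 1
        else:
            pattern += re.escape(ch)
            i += 1
    return re.compile("^" + pattern + "$")


def _parse_filter(s: str, i: int):
    """Recursive-descent parser for the subset used here: (attr=value) and (&...)."""
    assert s[i] == "("
    i += 1
    if s[i] == "&":
        i += 1
        children = []
        while s[i] == "(":
            node, i = _parse_filter(s, i)
            children.append(node)
        assert s[i] == ")"
        return ("and", children), i + 1
    j = s.index(")", i)  # escaped ')' appears as \29, so this is the real close
    attr, _, raw = s[i:j].partition("=")
    return ("eq", attr, raw), j + 1


def _match(node, entry: dict) -> bool:
    if node[0] == "and":
        return all(_match(c, entry) for c in node[1])
    _, attr, raw = node
    return _value_matcher(raw).match(str(entry.get(attr, ""))) is not None


def ldap_search(directory: dict, filt: str) -> list:
    """Return the DNs whose entries satisfy the filter."""
    node, end = _parse_filter(filt, 0)
    assert end == len(filt), "trailing garbage in filter"
    return [dn for dn, entry in directory.items() if _match(node, entry)]


# Constructed directory standing in for the LDAP tree.
DIRECTORY = {
    "uid=jdoe,ou=people,dc=example,dc=com": {
        "mail": "jane.doe@example.com", "employeeNumber": "123456", "accountEnabled": "Y"},
    "uid=bsmith,ou=people,dc=example,dc=com": {
        "mail": "bob.smith@example.com", "employeeNumber": "654321", "accountEnabled": "N"},
}


def check_certificate(subject: str, directory: dict = DIRECTORY) -> dict:
    """Run the three lookups for one certificate subject."""
    email, uid = extract_identity(subject)
    f = build_filters(email, uid)
    return {
        "email_matches": ldap_search(directory, f["by_email"]),
        "uid_matches": ldap_search(directory, f["by_uid"]),
        "enabled": bool(ldap_search(directory, f["enabled"])),
    }


if __name__ == "__main__":
    print(check_certificate("CN=jane.doe@example.com:123456,OU=Staff,O=Example Corp"))
    print(check_certificate("CN=*:*,O=Constructed"))  # escaped, so it matches nothing
```

The second call in the usage block shows why the escaping matters: the raw value `*` would be a presence match against every entry, while the escaped `\2a` only matches a literal asterisk.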