Forum Discussion
William_Them_99
Nimbostratus
Jun 04, 2005
Multiple LDAP Authentication Profiles?
We are interested in configuring authentication profiles that use LDAP as a means to verify passed-in attributes from client certificates. It will be very possible, though, that we will need t...
Tao_Liu_90341
Jun 08, 2005
Historic F5 Account
That is possible, but you need to write your own auth rules for these two auth profiles.
rule profile_rule1 {
    when CLIENT_ACCEPTED {
        # counters shared by both rules on the same virtual server
        set hold 0
        set success 0
        set fail 0
        # one auth session for this rule's LDAP profile
        set tmm_auth_ssl_cc_ldap_sid1 [AUTH::start pam profile_name1]
    }
    when CLIENTSSL_CLIENTCERT {
        if {$success == 0} {
            # hand the client certificate to the auth session and pause the handshake until it answers
            AUTH::cert_credential $tmm_auth_ssl_cc_ldap_sid1 [SSL::cert 0]
            AUTH::authenticate $tmm_auth_ssl_cc_ldap_sid1
            if {$hold == 0} {
                SSL::handshake hold
                incr hold
            }
        }
    }
    when AUTH_SUCCESS {
        if {$tmm_auth_ssl_cc_ldap_sid1 eq [AUTH::last_event_session_id]} {
            incr success
            # first successful profile releases the handshake
            if {$success == 1} {
                SSL::handshake resume
            }
        }
    }
    when AUTH_FAILURE {
        if {$tmm_auth_ssl_cc_ldap_sid1 eq [AUTH::last_event_session_id]} {
            incr fail
            # reject only once both profiles have failed
            if {$fail == 2} {
                reject
            }
        }
    }
    when AUTH_WANTCREDENTIAL {
        if {$tmm_auth_ssl_cc_ldap_sid1 eq [AUTH::last_event_session_id]} {
            reject
        }
    }
    when AUTH_ERROR {
        if {$tmm_auth_ssl_cc_ldap_sid1 eq [AUTH::last_event_session_id]} {
            reject
        }
    }
}
The second rule looks the same; just replace "tmm_auth_ssl_cc_ldap_sid1" and "profile_name1" respectively.
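The same two-profile check can be carried in a single iRule instead of two near-identical ones, so the counters live in one place and the "both profiles failed" condition is explicit. This is an added example, not code from the post above; profile_name1 and profile_name2 are assumed names for the two LDAP auth profiles.

```tcl
rule ldap_dual_profile_rule {
    when CLIENT_ACCEPTED {
        set hold 0
        set success 0
        set fail 0
        # one auth session per LDAP profile (profile names are assumed)
        set sid1 [AUTH::start pam profile_name1]
        set sid2 [AUTH::start pam profile_name2]
    }
    when CLIENTSSL_CLIENTCERT {
        if {$success == 0} {
            # submit the same client certificate to both sessions
            foreach sid [list $sid1 $sid2] {
                AUTH::cert_credential $sid [SSL::cert 0]
                AUTH::authenticate $sid
            }
            # pause the handshake once until an answer arrives
            if {$hold == 0} {
                SSL::handshake hold
                incr hold
            }
        }
    }
    when AUTH_SUCCESS {
        set ev [AUTH::last_event_session_id]
        if {$ev eq $sid1 || $ev eq $sid2} {
            incr success
            # the first profile to accept the certificate releases the handshake
            if {$success == 1} {
                SSL::handshake resume
            }
        }
    }
    when AUTH_FAILURE {
        set ev [AUTH::last_event_session_id]
        if {$ev eq $sid1 || $ev eq $sid2} {
            incr fail
            # reject only after both profiles have rejected the certificate
            if {$fail == 2} {
                reject
            }
        }
    }
    when AUTH_WANTCREDENTIAL {
        # no further credential can be supplied here; fail closed
        reject
    }
    when AUTH_ERROR {
        # backend error: fail closed rather than leave the handshake held
        reject
    }
}
```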