Forum Discussion

Michael_Falkenr
Historic F5 Account
Jun 06, 2005

SSL Client Cert Auth to Multiple LDAP Servers

Is there a way to authenticate against different LDAP servers based on attributes that are polled/stored from the certificate presented by the user connecting to the virtual?

In this case there could be 3 different CAs for client certificates:

CA 1
CA 2
CA 3

When a user connects to the virtual server, BIG-IP would need to examine the issuer of the certificate and, based on which CA issued the certificate, authenticate to a different LDAP server on the backend. These could be different servers or just the same server on different ports. Each LDAP server will also have a different directory tree.

2 Replies

  • Tao_Liu_90341
    Historic F5 Account
    There are different ways of doing this; one possibility is:

    Create N auth profiles with different CAs, but DON'T assign them to the virtual server! Instead, write an iRule:

     rule xxx {
         when CLIENTSSL_CLIENTCERT {
             # Read the issuer DN of the client certificate presented in the handshake
             set issuer [X509::issuer [SSL::cert 0]]
             # Choose the auth profile (and therefore the LDAP server) by issuer
             if {$issuer ...} {
                 set myprofilename ....
             } elseif {$issuer ...} {
                 set myprofilename ....
             } else {
                 set myprofilename ....
             }
             # Start an auth session against the chosen profile, hand it the
             # certificate, and pause the handshake until the result comes back
             set tmm_auth_ssl_cc_ldap_sid [AUTH::start pam $myprofilename]
             AUTH::cert_credential $tmm_auth_ssl_cc_ldap_sid [SSL::cert 0]
             AUTH::authenticate $tmm_auth_ssl_cc_ldap_sid
             SSL::handshake hold
         }
         # In every result event, only act on the session this connection started
         when AUTH_SUCCESS {
             if {$tmm_auth_ssl_cc_ldap_sid eq [AUTH::last_event_session_id]} {
                 SSL::handshake resume
             }
         }
         when AUTH_FAILURE {
             if {$tmm_auth_ssl_cc_ldap_sid eq [AUTH::last_event_session_id]} {
                 reject
             }
         }
         when AUTH_WANTCREDENTIAL {
             if {$tmm_auth_ssl_cc_ldap_sid eq [AUTH::last_event_session_id]} {
                 reject
             }
         }
         when AUTH_ERROR {
             if {$tmm_auth_ssl_cc_ldap_sid eq [AUTH::last_event_session_id]} {
                 reject
             }
         }
     }

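As an added example, not part of Tao's reply, here is what the rule looks like once the issuer branches are filled in. The issuer DN strings, the profile names ssl_cc_ldap_ca1 to ssl_cc_ldap_ca3 and the log messages are assumptions; the exact string X509::issuer returns depends on the BIG-IP version, so log it once and paste the real value into the switch. The point the placeholder version leaves open is what happens to a certificate from an issuer you did not anticipate: here it is rejected rather than being sent to some default profile, and a handshake that carries no client certificate at all (possible when the profile requests rather than requires one) is rejected as well.

```tcl
# Added example, not code from the original post. Issuer DNs, profile names
# and log text are hypothetical; replace them with your own values.
when CLIENTSSL_CLIENTCERT {
    # No certificate at all: nothing to authenticate, so do not let the
    # handshake complete.
    if { [SSL::cert count] == 0 } {
        log local0. "No client certificate from [IP::client_addr], rejecting"
        reject
        return
    }

    set issuer [X509::issuer [SSL::cert 0]]

    # Map each trusted issuer to the auth profile (and so the LDAP server,
    # port and base DN) that should check the credential. The DN strings
    # below are assumed; log $issuer first to see the format your version
    # of BIG-IP produces.
    switch -exact -- $issuer {
        "CN=CA 1,O=Example Corp,C=US" { set myprofilename ssl_cc_ldap_ca1 }
        "CN=CA 2,O=Example Corp,C=US" { set myprofilename ssl_cc_ldap_ca2 }
        "CN=CA 3,O=Example Corp,C=US" { set myprofilename ssl_cc_ldap_ca3 }
        default {
            # Default deny: an issuer we did not list is not routed anywhere.
            log local0. "Unknown issuer '$issuer' from [IP::client_addr], rejecting"
            reject
            return
        }
    }

    # Start the auth session against the chosen profile, pass it the
    # certificate, and hold the handshake until a result event arrives.
    set tmm_auth_ssl_cc_ldap_sid [AUTH::start pam $myprofilename]
    AUTH::cert_credential $tmm_auth_ssl_cc_ldap_sid [SSL::cert 0]
    AUTH::authenticate $tmm_auth_ssl_cc_ldap_sid
    SSL::handshake hold
}

# Every result event checks the session id so that only the session this
# connection started can release or reject its handshake.
when AUTH_SUCCESS {
    if { $tmm_auth_ssl_cc_ldap_sid eq [AUTH::last_event_session_id] } {
        SSL::handshake resume
    }
}
when AUTH_FAILURE {
    if { $tmm_auth_ssl_cc_ldap_sid eq [AUTH::last_event_session_id] } {
        log local0. "LDAP auth failed for cert from issuer '$issuer' ([IP::client_addr])"
        reject
    }
}
when AUTH_WANTCREDENTIAL {
    if { $tmm_auth_ssl_cc_ldap_sid eq [AUTH::last_event_session_id] } {
        reject
    }
}
when AUTH_ERROR {
    if { $tmm_auth_ssl_cc_ldap_sid eq [AUTH::last_event_session_id] } {
        log local0. "Auth error for cert from issuer '$issuer' ([IP::client_addr])"
        reject
    }
}
```

Attach this to the virtual server's client SSL profile with client certificate authentication enabled and the auth profiles created but not assigned, exactly as the reply describes. Because each auth profile carries its own trusted CA, a certificate that reaches the switch under the wrong branch (say, a CA 2 certificate that somehow matched the CA 1 string) still fails verification in that profile, so the issuer match selects the directory but does not replace the CA check.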
  • Thanks - this looks like it will help us quite a bit.

    Do you also know if it's possible to send custom LDAP queries instead of only being able to do the User, Certificate, and Certificate Map allowed in the config profile?