Forum Discussion
Michael_Falkenr
Jun 06, 2005 (Historic F5 Account)
SSL Client Cert Auth to Multiple LDAP Servers
Is there a way to authenticate against different LDAP servers based on attributes that are polled/stored from the certificate presented by the user connecting to the virtual?
In this ca...
Tao_Liu_90341
Jun 08, 2005 (Historic F5 Account)
There are different ways of doing this; one possibility is:
Create N auth profiles, each with a different CA, but DON'T assign them to the virtual server! Instead, write a rule along these lines:
    rule xxx {
        when CLIENTSSL_CLIENTCERT {
            # Pull the issuer DN out of the client certificate and use it
            # to choose which LDAP auth profile should check this client.
            set issuer [X509::issuer [SSL::cert 0]]
            if {$issuer ...} {
                set myprofilename ....
            } elseif {$issuer ...} {
                set myprofilename ....
            } else {
                set myprofilename ....
            }
            # Start the chosen profile, hand it the certificate and hold
            # the handshake until the LDAP lookup has answered.
            set tmm_auth_ssl_cc_ldap_sid [AUTH::start pam $myprofilename]
            AUTH::cert_credential $tmm_auth_ssl_cc_ldap_sid [SSL::cert 0]
            AUTH::authenticate $tmm_auth_ssl_cc_ldap_sid
            SSL::handshake hold
        }
        when AUTH_SUCCESS {
            # Only act on the session this rule started.
            if {$tmm_auth_ssl_cc_ldap_sid eq [AUTH::last_event_session_id]} {
                SSL::handshake resume
            }
        }
        when AUTH_FAILURE {
            if {$tmm_auth_ssl_cc_ldap_sid eq [AUTH::last_event_session_id]} {
                reject
            }
        }
        when AUTH_WANTCREDENTIAL {
            if {$tmm_auth_ssl_cc_ldap_sid eq [AUTH::last_event_session_id]} {
                reject
            }
        }
        when AUTH_ERROR {
            if {$tmm_auth_ssl_cc_ldap_sid eq [AUTH::last_event_session_id]} {
                reject
            }
        }
    }
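As an added example (not the poster's iRule), here is the same dispatch written out in full. The issuer patterns (`*O=Example Org A*`, `*O=Example Org B*`) and the auth profile names (`ldap_auth_orgA`, `ldap_auth_orgB`) are hypothetical; substitute the issuer DNs of your own CAs and the names of the auth profiles you created. It also handles the case where no client certificate was presented and rejects certificates from an issuer the rule does not know, instead of falling through to a catch-all profile.

```tcl
# Added example, not the poster's code. Issuer patterns and auth profile
# names below are hypothetical placeholders for your own CAs and profiles.
when CLIENTSSL_CLIENTCERT {
    # No client certificate: nothing to look up. The client SSL profile's
    # own require/request setting decides what happens to the handshake.
    if { [SSL::cert count] == 0 } {
        return
    }
    set issuer [X509::issuer [SSL::cert 0]]

    # Map the issuer DN to an auth profile. Glob patterns on the O=
    # component keep this independent of the exact DN string layout.
    switch -glob -- $issuer {
        {*O=Example Org A*} { set myprofilename ldap_auth_orgA }
        {*O=Example Org B*} { set myprofilename ldap_auth_orgB }
        default {
            # Unknown issuer: fail closed rather than send the lookup to
            # some default LDAP server.
            log local0. "client cert from unknown issuer: $issuer"
            reject
            return
        }
    }
    log local0. "issuer $issuer -> auth profile $myprofilename"

    # Start the selected profile, hand it the certificate and hold the
    # handshake until the LDAP lookup has answered.
    set tmm_auth_ssl_cc_ldap_sid [AUTH::start pam $myprofilename]
    AUTH::cert_credential $tmm_auth_ssl_cc_ldap_sid [SSL::cert 0]
    AUTH::authenticate $tmm_auth_ssl_cc_ldap_sid
    SSL::handshake hold
}

when AUTH_SUCCESS {
    # Only act on the auth session this rule started.
    if { $tmm_auth_ssl_cc_ldap_sid eq [AUTH::last_event_session_id] } {
        SSL::handshake resume
    }
}

# Failure, a request for more credentials and a backend error are all
# treated the same way: the connection is dropped.
when AUTH_FAILURE {
    if { $tmm_auth_ssl_cc_ldap_sid eq [AUTH::last_event_session_id] } {
        reject
    }
}

when AUTH_WANTCREDENTIAL {
    if { $tmm_auth_ssl_cc_ldap_sid eq [AUTH::last_event_session_id] } {
        reject
    }
}

when AUTH_ERROR {
    if { $tmm_auth_ssl_cc_ldap_sid eq [AUTH::last_event_session_id] } {
        log local0. "auth error for issuer $issuer, profile $myprofilename"
        reject
    }
}
```

The issuer DN is used only to pick which profile runs the lookup; it does not by itself establish trust, which still comes from the CA configured on the client SSL profile and on the selected auth profile. That is why the `default` branch rejects rather than picking a fallback server: a certificate whose issuer matches none of the configured CAs has no LDAP server it could legitimately be checked against.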