Forum Discussion

Arthur_7109
Jul 05, 2010

What is in [AUTH::response_data] with auth_ssl_cc_ldap authentication

Hi,

I have auth_ssl_cc_ldap working. It checks for the existence in the LDAP server of the user based on the CN in the client certificate.

Now I need an irule that checks that a field in the client cert DN (*not* the CN) matches a specific LDAP attribute for that user.

I have copied and changed the default irule that was in the auth_ssl_cc_ldap authentication profile. I have just added a line

log "AUTH_RESULT: [AUTH::response_data]"

but it shows up empty (only "AUTH_RESULT:" in the log, no data).

Is there a list of what's in AUTH::response_data? I would have expected at least "ccldap:reply:status" (http://devcentral.f5.com/wiki/default.aspx/iRules/AUTH__response_data.html)?

Thanks,

Arthur

  • hoolio
    Hi Arthur,

    I would have expected AUTH::response_data to return the auth status in 'ccldap:reply:status' for successful auth attempts. If you're not seeing anything on successful attempts, I'd open a case with F5 Support.

    I don't expect you'll be able to get any other detail about the user from LDAP though. The cert validation seems to be hardcoded to check one field when supplied with the full cert. And the auth response only contains details about the auth status, not arbitrary ldap query results.

    It's a shame that you can't do a more arbitrary auth database query (or even queries) and check for more than a binary response. A lot of customers have mentioned similar requests.

    Aaron
  • Hi Aaron,

    Thanks for the reply. I should have added that this was with release 10.2, and I've just verified that it is also in 10.1.

    This is the log in the irule:

    log "AUTH_RESULT -- [AUTH::status] -- [AUTH::response_data] --"

    and this is what we see when authentication succeeds and fails.

    01220002:6: Rule my_auth_irule : AUTH_RESULT -- 0 -- --
    01220002:6: Rule my_auth_irule : AUTH_RESULT -- 1 -- --

    I will open a case, and also argue for more cert validation options. I've seen a few similar posts here and I have a customer who'd need it as well.

    Arthur
  • hoolio
    Can you reply back here if you get anything helpful from F5 Support on this?

    Thanks, Aaron
  • Arthur,

    Two things:

    1. Hoolio is absolutely correct that the CN is hardcoded in the auth_ssl_cc_ldap LDAP mechanism.

    2. [AUTH::response_data] doesn't return anything in this method. I don't believe it ever has. I could be wrong, but I've expended more than a few brain cells trying to get this to work myself.

    Bottom line: you may want to consider using the Access Policy Manager. It has full access to LDAP, so you can query FOR any arbitrary value, and WITH any value.

    HTH

    -- Kevin
  • Hi guys,

    Here's an update. I had opened case C711900 "auth_ssl_cc_ldap authentication with another (not CN) certificate subject field" and the engineer has "raised an escalation to get this case linked to the CR to add more weight to the priority, so when PD review the RFE list this feature will stand out as having a higher priority.

    If you would like to push for this feature more you can also escalate this via the sales channel. Sales have a process by which they can impact the priority of a CR if the issue has a significant impact to your future deployment plans, or if they would benefit (from a sales perspective) in having this feature included in the next release of BIG-IP software.

    Please keep an eye out for CR108187 to see if it is included in the next release of BIG-IP software."

    So I'll ask our sales guys to push this CR a bit.

    Also I checked the APM (though I'd expect this functionality to be also in the LTM *Advanced* client authentication module), but what we need isn't there either. As I understand the "Session variables reference" in the "Configuration Guide for BIG-IP Access Policy Manager", we can reference session.ssl.cert.l, session.ssl.cert.ou, etc. but still no *custom* field in the subject DN. Or is there a way for me to get the DN and parse it myself in an irule?

    Arthur
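The "parse the DN myself" idea from the last post, as an added example that is not part of the thread and not F5 code: it splits an RFC 4514 subject DN string into attribute/value pairs (honouring backslash and \XX escapes so a comma inside a value does not break the split), pulls out a chosen non-CN attribute, and compares it to the value an LDAP lookup would have returned for that user. The DN strings and LDAP values are constructed sample data; the LDAP lookup itself is assumed to happen elsewhere.

```python
# Added example (not from the thread): parse an X.509 subject DN string in
# RFC 4514 form and check a chosen attribute (not just the CN) against the
# value expected from LDAP. Sample DN and LDAP values are constructed.
from typing import List, Tuple

HEX = "0123456789abcdefABCDEF"

def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Split a DN into (attribute, value) pairs, attribute names lowercased.
    Handles '\\,' style escapes and '\\2C' hex escapes; '+' (multi-valued
    RDN) is treated as just another separator, which is fine for lookups."""
    pairs: List[Tuple[str, str]] = []
    key: List[str] = []
    val: List[str] = []
    in_key, i = True, 0
    while i < len(dn):
        ch = dn[i]
        buf = key if in_key else val
        if ch == "\\" and i + 1 < len(dn):
            esc = dn[i + 1:i + 3]
            if len(esc) == 2 and all(c in HEX for c in esc):
                buf.append(chr(int(esc, 16)))   # \XX hex escape
                i += 3
            else:
                buf.append(dn[i + 1])            # \, \+ \" \\ and friends
                i += 2
            continue
        if in_key and ch == "=":
            in_key = False
        elif not in_key and ch in ",;+":
            pairs.append(("".join(key).strip().lower(), "".join(val).strip()))
            key, val, in_key = [], [], True
        else:
            buf.append(ch)
        i += 1
    if key:  # last RDN has no trailing separator
        pairs.append(("".join(key).strip().lower(), "".join(val).strip()))
    return pairs

def dn_attribute(dn: str, attr: str) -> List[str]:
    """All values of one attribute type in the DN (OU= may repeat)."""
    return [v for k, v in parse_dn(dn) if k == attr.lower()]

def cert_field_matches_ldap(dn: str, attr: str, ldap_value: str) -> bool:
    """True if any value of `attr` in the cert subject equals the LDAP value,
    compared case-insensitively like LDAP's caseIgnoreMatch."""
    return any(v.casefold() == ldap_value.casefold() for v in dn_attribute(dn, attr))

if __name__ == "__main__":
    subject = r"CN=Arthur Example,serialNumber=EMP-4711,O=Example\, Inc.,C=NL"
    print(parse_dn(subject))
    print(cert_field_matches_ldap(subject, "serialNumber", "emp-4711"))
```

Note that the CN check the profile already performs is still the thing that binds the certificate to the LDAP entry; this comparison is an extra condition on top of it, not a replacement.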