Forum Discussion
iRule client certificate check against LDAP value
Hello,
I have a setup where users need a certificate and a username/password to login. For better security, I want to match the email address in the certificate with the userPrincipalName attribute in Active Directory.
I have successfully extracted the email address from the DN of the certificate into a variable called ssl_email:

```tcl
when CLIENTSSL_CLIENTCERT {
    # Take the first certificate the client presented and read its subject DN
    set cert [SSL::cert 0]
    set ssl_subject_dn [X509::subject $cert]
    # "emailAddress=" is 13 characters; take what follows it up to the next comma
    set ssl_email [findstr $ssl_subject_dn "emailAddress=" 13 ","]
    log local0. "Client Certificate Email: $ssl_email"
}
```
From the logs, I see that ssl_email value is correctly set.
In the Visual Policy Manager, I use an LDAP Query item to match this value with the userPrincipalName in LDAP. I tried various SearchFilter formats there, but it doesn't work (in the logs, the filter match is blank).
It looks like I have to "export" my ssl_email value into some sort of variable. I tried with ACCESS::session data set, but with no success. Furthermore, I'm not sure of the format of the LDAP SearchFilter with such variables.
Thank you
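The mechanism the post is asking about, as an added example that is not the poster's iRule: the certificate e-mail is parked in a connection variable during the handshake (no APM session exists yet at CLIENTSSL_CLIENTCERT) and copied into a session variable once the access session starts, so the LDAP Query item can reference it. It assumes the access profile is on the same virtual server, that both events run on the same client connection, and that the LDAP Query SearchFilter is set to `(userPrincipalName=%{session.custom.ssl_email})`; the variable name `session.custom.ssl_email` is a chosen example.

```tcl
# Added example, not the original poster's code.
# Assumed LDAP Query SearchFilter in the VPE:
#   (userPrincipalName=%{session.custom.ssl_email})
when CLIENTSSL_CLIENTCERT {
    # No access session exists at this event, so the value is kept in a
    # connection-scoped iRule variable until ACCESS_SESSION_STARTED fires.
    set cert_email ""
    if { [SSL::cert count] > 0 } {
        set subject_dn [X509::subject [SSL::cert 0]]
        # "emailAddress=" is 13 characters; read up to the next comma
        set cert_email [findstr $subject_dn "emailAddress=" 13 ","]
    }
}

when ACCESS_SESSION_STARTED {
    if { [info exists cert_email] && $cert_email ne "" } {
        # Expose the value to the access policy; the LDAP Query item
        # substitutes %{session.custom.ssl_email} into its filter.
        ACCESS::session data set session.custom.ssl_email $cert_email
        log local0. "Certificate e-mail stored for LDAP match: $cert_email"
    } else {
        # Leave the variable unset: an empty filter value must not be
        # allowed to match. Add a branch rule after the LDAP Query that
        # denies when session.custom.ssl_email is empty.
        log local0. "No e-mail in client certificate subject; LDAP match will fail"
    }
}
```

Matching on the LDAP side should also compare the query result to the username the user typed, so a valid certificate for one account cannot be paired with another account's password.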