iRule client certificate check against LDAP value

Hello,

I have a setup where users need a certificate and a username/password to login. For better security, I want to match the email address in the certificate with the userPrincipalName attribute in Active Directory.

I have successfully extracted the email address from the dn of the certificate into a variable called ssl_email:

when CLIENTSSL_CLIENTCERT {
    set cert [SSL::cert 0]
    set ssl_subject_dn [X509::subject $cert]
    # skip the 13 characters of "emailAddress=" and read up to the next comma
    set ssl_email [findstr $ssl_subject_dn "emailAddress=" 13 ","]
    log "Client Certificate Email: $ssl_email"
}

From the logs, I see that ssl_email value is correctly set.

In the Visual Policy Manager, I use an LDAP Query item to match this value with the userPrincipalName in LDAP. I tried various SearchFilter formats there, but it doesn't work (in the logs, the filter match is blank).

It looks like I have to "export" my ssl_email value into some sort of variable. I tried with ACCESS::session data set, but with no success. Furthermore, I'm not sure of the format of the LDAP SearchFilter with such variables.

Thank you


Answers to this Question

USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

Thank you Morten for your reply. It helped me a bit.

I have adapted my iRule like this:

when ACCESS_POLICY_AGENT_EVENT {
    # only run for the iRule Event agent whose ID is "userCertEmail"
    if { [ACCESS::policy agent_id] eq "userCertEmail" } {
        log "userCertEmail matched"
        set cert [SSL::cert 0]
        set ssl_subject_dn [X509::subject $cert]
        # skip the 13 characters of "emailAddress=" and read up to the next comma
        set ssl_email [findstr $ssl_subject_dn "emailAddress=" 13 ","]
        # expose the value to the access policy as %{session.ssl.email}
        ACCESS::session data set session.ssl.email $ssl_email
        log "Email is $ssl_email"
    }
}

In my Access Policy, I have added an LDAP Query rule like this:

(&(userPrincipalName=%{session.ssl.email})(sAMAccountName=%{session.logon.last.username}))
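An added example, not code from the thread or from F5, that shows in Python rather than iRule Tcl the two steps the accepted answer performs: pull the emailAddress RDN out of the subject DN wherever it sits, and build the same AND filter with RFC 4515 escaping applied to both values so a certificate-derived string cannot change the filter's structure. The DNs and usernames used are constructed samples.

```python
"""Extract emailAddress from an X.509 subject DN and build an escaped AD filter."""
import re
from typing import Optional

# RFC 4515 section 3: characters that must be escaped inside a filter value
_LDAP_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def ldap_escape(value: str) -> str:
    """Escape a string for use as an LDAP search-filter assertion value."""
    return "".join(_LDAP_ESCAPES.get(ch, ch) for ch in value)


def cert_email(subject_dn: str) -> Optional[str]:
    """Return the emailAddress RDN value from a comma-separated subject DN.

    Unlike a fixed-offset substring, this tolerates the RDN appearing anywhere
    in the DN, with or without a trailing comma, and ignores attribute case.
    """
    m = re.search(r"(?:^|,)\s*emailAddress=([^,]+)", subject_dn, re.IGNORECASE)
    return m.group(1).strip() if m else None


def upn_filter(email: str, username: str) -> str:
    """Build the AND filter from the accepted answer, with both values escaped."""
    return "(&(userPrincipalName=%s)(sAMAccountName=%s))" % (
        ldap_escape(email),
        ldap_escape(username),
    )


def cert_matches_account(subject_dn: str, upn: str) -> bool:
    """True when the certificate email equals the directory UPN (case-insensitive)."""
    email = cert_email(subject_dn)
    return email is not None and email.lower() == upn.lower()


if __name__ == "__main__":
    # constructed sample: emailAddress listed first, as OpenSSL commonly prints it
    dn = "emailAddress=alice@example.com,CN=Alice Example,OU=Users,O=Example Corp,C=US"
    print(cert_email(dn))
    print(upn_filter(cert_email(dn), "alice"))
```

On the BIG-IP the escaping step would have to be done in the iRule before the session variable is set, since the LDAP Query item substitutes %{session.ssl.email} verbatim into the filter.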

Comments on this Answer
Comment made 04-Aug-2017 by Morten Marstrander

Glad to be of help :-)

USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

Hi,

Have a look at the answer provided by Kevin Stewart: https://devcentral.f5.com/questions/kerberos-authentication-with-different-upn-than-kerberos-realm

I have used a modified version of that code to implement exactly what you are after. Unfortunately, I don't have the code available now.

Hope it helps.

Regards, Morten
