NimbostratusAPM: irule needed to extract Username from Client Cert to use it for AD group query
Hi community, i've recently took over the task to implement Big-IPs in projects and I'm quite comfortable with LTM Tasks, but now I have to solve an APM Problem.
Currently the customers mobile devices e.g. tablets are logging in via Edge-Client and after a Client Cert Check, they have to reenter their AD credentials for an AD Auth Check, which also are used for the AD Query to assign ressources based on AD groups.
Basicly they want to have the the AD Credential popup removed (yeah, also think it is not very sensibel). My idea to get the group mapping done was to use an iRule to extract the username from the Client Cert and put this into the AD Query.
However, since my skill in APM is very limited I don't know of any built-in method, which could handle this and hope someone can direct me in the right direction or providing an iRule which might get the job done.
Thanks in advance and hope being able to give solutions back anytime soon. :)
David
David Check out this link:
https://devcentral.f5.com/questions/apm-clientcert-to-kerberos-transition-parsing-subjectalternatename-in-variable-assignAlso: check out this link on support.f5.com, it describes how the clientssl profile should be configured to require the client to submit its certificate:
http://support.f5.com/kb/en-us/solutions/public/14000/800/sol14819.html?sr=39485541In a nutshell,
1) the LTM profile obtains the certificate from client,
2) LTM iRule parses the cert fields and saves the username in a variable that the APM can access. 3) APM policy sends it to AD and performs the query.HTH
