Forum Discussion

Juerg_Wiesmann's avatar
Juerg_Wiesmann
Icon for Nimbostratus rankNimbostratus
Jan 05, 2009

Authenticate only Email Adress out of SSL Cert against LDAP

I want to authenticate only Email Adress out of the subjectstring of a certificate to authenticate against LDAP. This seams to fail. Is there a way to achive that ? It seams that allways the whol...
application delivery
dev
devops
iRules
Juerg_Wiesmann's avatar
Juerg_Wiesmann
Icon for Nimbostratus rankNimbostratus
Jan 07, 2009
Hi Colin,

I tried to get the email Adress out of the cert, which works pretty fine.

What I do not want is the basic authentication Window to appear, Du to the fact that I want to take

the Email Address out of the cert. 

   
   when RULE_INIT {  
  set username ""  
  set ::aeskey [AES::key 128]  
  }   
  when CLIENT_ACCEPTED {  
      set forceauth 1  
            
      }  
  when CLIENTSSL_HANDSHAKE {  
  HTTP::release  
  }  
  when CLIENTSSL_CLIENTCERT {  
  set tmm_auth_ssl_cc_ldap_done 0  
  set subject_dn [X509::subject [SSL::cert 0]]  
  set cert [SSL::cert 0]  
  set username [substr  $subject_dn 13 ","]  
  log local0. "username: $username"  
  }  
    
  when HTTP_REQUEST {  
          if {not [info exists tmm_auth_http_sids(ldap)]} {  
              set tmm_auth_sid [AUTH::start pam default_ldap]  
              set tmm_auth_http_sids(ldap) $tmm_auth_sid  
              if {[info exists tmm_auth_subscription]} {  
                  AUTH::subscribe $tmm_auth_sid  
  log local0. "info"  
              }  
          } else {  
              set tmm_auth_sid $tmm_auth_http_sids(ldap)  
              }  
  if {$forceauth eq 1} {  
  [HTTP::header insert "Authorization" $username]  
  AUTH::username_credential $tmm_auth_sid [HTTP::username]  
  AUTH::password_credential $tmm_auth_sid ""  
  AUTH::authenticate $tmm_auth_sid  
  HTTP::collect  
      }  
          if {not [info exists tmm_auth_http_collect_count]} {  
              HTTP::collect  
              set tmm_auth_http_successes 0  
              set tmm_auth_http_collect_count 1  
          } else {  
              incr tmm_auth_http_collect_count  
          }  
      }  
  when AUTH_SUCCESS {  
    if {$tmm_auth_sid eq [AUTH::last_event_session_id]} {  
        
       Now the user has authenticated lets give them an encrypted cookie with their authID  
       We'll also add the AUTH::status to a session entry with the authID as the key  
       We can then re-direct the user to the page they originally asked for  
      set authStatus [AUTH::status $tmm_auth_sid]   
      session add uie $tmm_auth_sid $authStatus 1800  
      set encrypted_tmm_auth_sid [b64encode [AES::encrypt $::aeskey $tmm_auth_sid]]  
      set authcookie [format "%s=%s; path=/; " $ckname $encrypted_tmm_auth_sid ]  
      HTTP::respond 302 Location $orig_uri "Set-Cookie" $authcookie  
    }  
  }  
    
  when AUTH_FAILURE {  
    if {$tmm_auth_sid eq [AUTH::last_event_session_id]} {  
             HTTP::respond 200 content "Authentication Failed"   
    }  
  }  
    
  when AUTH_WANTCREDENTIAL {  
    if {$tmm_auth_sid eq [AUTH::last_event_session_id]} {  
    log local0. "username: $username"  
             HTTP::respond 200 content "Authentication Credentials not provided"  
    }  
  }  
    
  when AUTH_ERROR {  
    if {$tmm_auth_sid eq [AUTH::last_event_session_id]} {  
    HTTP::respond 200 content "Authentication Error"  
    }  
  }

The Challenge I am facing is the [HTTP::username] Value is not predictable (therefor can not be created out of the Email Adress by just base64 encode the $username value.

Any help appreciated.

Wiesmann