Forum Discussion
Juerg_Wiesmann
Jan 07, 2009 | Nimbostratus
Hi Colin,
I tried to get the email address out of the cert, which works pretty fine.
What I do not want is the basic authentication window to appear, due to the fact that I want to take
the email address out of the cert.
when RULE_INIT {
    set ::aeskey [AES::key 128]
}

when CLIENT_ACCEPTED {
    set forceauth 1
    # Per-connection variables belong here, not in RULE_INIT (RULE_INIT
    # variables are global and are not reset for each connection).
    set username ""
    # Name of the cookie carrying the encrypted auth session id
    # (assumed value; the original rule never defined $ckname).
    set ckname "authsid"
}

when CLIENTSSL_HANDSHAKE {
    HTTP::release
}

when CLIENTSSL_CLIENTCERT {
    set tmm_auth_ssl_cc_ldap_done 0
    set cert [SSL::cert 0]
    set subject_dn [X509::subject $cert]
    # Assumes the subject DN starts with "emailAddress=" (13 characters)
    # and reads the value up to the next comma.
    set username [substr $subject_dn 13 ","]
    log local0. "username: $username"
}

when HTTP_REQUEST {
    # Remember the requested URI so AUTH_SUCCESS can redirect back to it
    # (the original rule used $orig_uri without setting it).
    set orig_uri [HTTP::uri]
    if {not [info exists tmm_auth_http_sids(ldap)]} {
        set tmm_auth_sid [AUTH::start pam default_ldap]
        set tmm_auth_http_sids(ldap) $tmm_auth_sid
        if {[info exists tmm_auth_subscription]} {
            AUTH::subscribe $tmm_auth_sid
            log local0. "info"
        }
    } else {
        set tmm_auth_sid $tmm_auth_http_sids(ldap)
    }
    if {$forceauth eq 1} {
        # HTTP::username only decodes a Basic Authorization header, so the
        # inserted value must be "Basic" followed by base64("user:password").
        # The original wrapped this command in square brackets, which made
        # Tcl try to execute the command's result as another command.
        HTTP::header insert "Authorization" "Basic [b64encode "$username:"]"
        AUTH::username_credential $tmm_auth_sid [HTTP::username]
        AUTH::password_credential $tmm_auth_sid ""
        AUTH::authenticate $tmm_auth_sid
        HTTP::collect
    }
    if {not [info exists tmm_auth_http_collect_count]} {
        HTTP::collect
        set tmm_auth_http_successes 0
        set tmm_auth_http_collect_count 1
    } else {
        incr tmm_auth_http_collect_count
    }
}

when AUTH_SUCCESS {
    if {$tmm_auth_sid eq [AUTH::last_event_session_id]} {
        # Now the user has authenticated, give them an encrypted cookie with their auth id.
        # Also add the AUTH::status to a session entry keyed by the auth id,
        # then redirect the user to the page they originally asked for.
        set authStatus [AUTH::status $tmm_auth_sid]
        session add uie $tmm_auth_sid $authStatus 1800
        set encrypted_tmm_auth_sid [b64encode [AES::encrypt $::aeskey $tmm_auth_sid]]
        set authcookie [format "%s=%s; path=/; " $ckname $encrypted_tmm_auth_sid]
        HTTP::respond 302 Location $orig_uri "Set-Cookie" $authcookie
    }
}

when AUTH_FAILURE {
    if {$tmm_auth_sid eq [AUTH::last_event_session_id]} {
        HTTP::respond 200 content "Authentication Failed"
    }
}

when AUTH_WANTCREDENTIAL {
    if {$tmm_auth_sid eq [AUTH::last_event_session_id]} {
        log local0. "username: $username"
        HTTP::respond 200 content "Authentication Credentials not provided"
    }
}

when AUTH_ERROR {
    if {$tmm_auth_sid eq [AUTH::last_event_session_id]} {
        HTTP::respond 200 content "Authentication Error"
    }
}
The challenge I am facing is that the [HTTP::username] value is not predictable (therefore it cannot be created out of the email address by just base64 encoding the $username value).
Any help appreciated.
Wiesmann
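The two moving parts of the rule above are pulling the emailAddress RDN out of the certificate subject and handing it to the LDAP auth profile through a Basic Authorization header. The following Python is an added example (not code from the post or from F5) that models both steps outside the iRule: a DN parser that finds emailAddress wherever it sits, a mimic of the fixed-offset `substr $subject_dn 13 ","`, and the encode/decode pair behind a Basic header so you can see what a Basic-auth parser such as HTTP::username gets back. All sample DNs are constructed.

```python
import base64
import re

# Constructed sample subject DNs (not taken from the post). The first matches
# the iRule's fixed-offset assumption (emailAddress first); the others do not.
DN_EMAIL_FIRST = "emailAddress=alice@example.com,CN=Alice Example,O=Example AG,C=CH"
DN_EMAIL_LAST = "CN=Alice Example,O=Example AG,C=CH,emailAddress=alice@example.com"
DN_ESCAPED = "CN=Smith\\, John,emailAddress=john.smith@example.com,C=CH"


def parse_dn(dn):
    """Split an RFC 2253 style DN string into (attribute, value) pairs.
    A comma preceded by a backslash is part of the value, not a separator."""
    pairs = []
    for part in re.split(r"(?<!\\),", dn):
        attr, _, value = part.partition("=")
        pairs.append((attr.strip(), value.replace("\\,", ",")))
    return pairs


def email_from_dn(dn):
    """Return the emailAddress value wherever it appears in the DN, or None."""
    for attr, value in parse_dn(dn):
        if attr.lower() == "emailaddress":
            return value
    return None


def fixed_offset_email(dn):
    """Mimic `substr $subject_dn 13 ","`: skip 13 characters, read to the next comma.
    Correct only when the DN really starts with "emailAddress="."""
    return dn[13:].split(",", 1)[0]


def basic_authorization(username, password=""):
    """Build the header value a Basic-auth parser expects: 'Basic ' + base64('user:pass')."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    return f"Basic {token}"


def username_from_authorization(header):
    """Decode the username the way a Basic-auth parser would; None if the
    header is not a well-formed Basic credential (e.g. a bare username)."""
    scheme, _, token = header.partition(" ")
    if scheme != "Basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token, validate=True).decode()
    except (ValueError, UnicodeDecodeError):
        return None
    return decoded.split(":", 1)[0]
```

Inserting the bare username into Authorization, as the posted rule does, yields nothing decodable; inserting the Basic form round-trips the address from the cert.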