Forum Discussion

Juerg_Wiesmann
Jan 05, 2009

Authenticate only the email address out of the SSL cert against LDAP

I want to use only the email address out of the subject string of a certificate to authenticate against LDAP. This seems to fail. Is there a way to achieve that?

It seems that always the whole cert or the CN is sent to LDAP for verification, and there is no way to limit the input to a certain part of the cert.

Many thanks for your help

Wiesmann

when CLIENT_ACCEPTED {
    set tmm_auth_ssl_cc_ldap_sid 0
    set tmm_auth_ssl_cc_ldap_done 0
}
when CLIENTSSL_CLIENTCERT {
    set tmm_auth_ssl_cc_ldap_done 0
    set cert [SSL::cert 0]
    # Value of the emailAddress RDN in the subject DN string: findstr skips
    # the 13 characters of "emailAddress=" and stops at the next comma, so it
    # does not depend on emailAddress being the first RDN the way a fixed
    # substr offset does.
    set email [findstr [X509::subject $cert] "emailAddress=" 13 ","]
    log local0. "Email: $email"
    if {$tmm_auth_ssl_cc_ldap_sid == 0} {
        set tmm_auth_ssl_cc_ldap_sid [AUTH::start pam default_ssl_cc_ldap]
        if {[info exists tmm_auth_subscription]} {
            AUTH::subscribe $tmm_auth_ssl_cc_ldap_sid
        }
        # The whole client certificate is handed to the ssl_cc_ldap PAM
        # module; $email is only logged here, it is not what gets checked.
        AUTH::cert_credential $tmm_auth_ssl_cc_ldap_sid [SSL::cert 0]
        AUTH::authenticate $tmm_auth_ssl_cc_ldap_sid
        # Hold the handshake until AUTH_RESULT decides to resume or reject.
        SSL::handshake hold
    }
}
when CLIENTSSL_HANDSHAKE {
    set tmm_auth_ssl_cc_ldap_done 1
}
when AUTH_RESULT {
    if {[info exists tmm_auth_ssl_cc_ldap_sid] and \
        ($tmm_auth_ssl_cc_ldap_sid == [AUTH::last_event_session_id])} {
        set tmm_auth_status [AUTH::status]
        if {$tmm_auth_status == 0} {
            # Success: let the handshake complete.
            set tmm_auth_ssl_cc_ldap_done 1
            SSL::handshake resume
        } elseif {$tmm_auth_status != -1 || $tmm_auth_ssl_cc_ldap_done == 0} {
            # Failure, or an indeterminate result while the handshake is
            # still held: drop the connection.
            reject
        }
    }
}

1 Reply

  • Hi Colin,

    I tried to get the email address out of the cert, which works pretty fine.

    What I do not want is the basic authentication window to appear, due to the fact that I want to take the email address out of the cert.

       
    when RULE_INIT {
        # Key for encrypting the auth session id that is put into the cookie.
        set ::aeskey [AES::key 128]
        # Cookie name; the original rule referenced $ckname without defining it,
        # the name used here is an assumption.
        set ::ckname "BIGIPAUTH"
    }
    when CLIENT_ACCEPTED {
        set forceauth 1
        # Connection-scoped default, so HTTP_REQUEST can read $username even
        # when no client certificate was presented (a local set in RULE_INIT
        # does not survive into later events).
        set username ""
    }
    when CLIENTSSL_HANDSHAKE {
        HTTP::release
    }
    when CLIENTSSL_CLIENTCERT {
        set tmm_auth_ssl_cc_ldap_done 0
        set cert [SSL::cert 0]
        set subject_dn [X509::subject $cert]
        # Value of the emailAddress RDN: skip the 13 characters of
        # "emailAddress=" and stop at the next comma.
        set username [findstr $subject_dn "emailAddress=" 13 ","]
        log local0. "username: $username"
    }
    when HTTP_REQUEST {
        # Remember the requested URI so AUTH_SUCCESS can redirect back to it.
        set orig_uri [HTTP::uri]
        if {not [info exists tmm_auth_http_sids(ldap)]} {
            set tmm_auth_sid [AUTH::start pam default_ldap]
            set tmm_auth_http_sids(ldap) $tmm_auth_sid
            if {[info exists tmm_auth_subscription]} {
                AUTH::subscribe $tmm_auth_sid
            }
        } else {
            set tmm_auth_sid $tmm_auth_http_sids(ldap)
        }
        if {$forceauth == 1} {
            # Hand the address from the certificate to PAM directly. Inserting it
            # as an Authorization header and reading it back with HTTP::username
            # does not work, because HTTP::username only understands
            # "Basic <base64(user:pass)>".
            AUTH::username_credential $tmm_auth_sid $username
            # Caveat: an empty password means the LDAP bind is attempted with no
            # password at all; whether that is rejected depends on the PAM/LDAP
            # configuration, so it must not be relied on as a check.
            AUTH::password_credential $tmm_auth_sid ""
            AUTH::authenticate $tmm_auth_sid
        }
        if {not [info exists tmm_auth_http_collect_count]} {
            HTTP::collect
            set tmm_auth_http_successes 0
            set tmm_auth_http_collect_count 1
        } else {
            incr tmm_auth_http_collect_count
        }
    }
    when AUTH_SUCCESS {
        if {$tmm_auth_sid eq [AUTH::last_event_session_id]} {
            # Now the user has authenticated, give them an encrypted cookie with their authID.
            # We'll also add the AUTH::status to a session entry with the authID as the key.
            # We can then redirect the user to the page they originally asked for.
            set authStatus [AUTH::status $tmm_auth_sid]
            session add uie $tmm_auth_sid $authStatus 1800
            set encrypted_tmm_auth_sid [b64encode [AES::encrypt $::aeskey $tmm_auth_sid]]
            set authcookie [format "%s=%s; path=/; " $::ckname $encrypted_tmm_auth_sid]
            HTTP::respond 302 Location $orig_uri "Set-Cookie" $authcookie
        }
    }
    when AUTH_FAILURE {
        if {$tmm_auth_sid eq [AUTH::last_event_session_id]} {
            HTTP::respond 200 content "Authentication Failed"
        }
    }
    when AUTH_WANTCREDENTIAL {
        if {$tmm_auth_sid eq [AUTH::last_event_session_id]} {
            log local0. "username: $username"
            HTTP::respond 200 content "Authentication Credentials not provided"
        }
    }
    when AUTH_ERROR {
        if {$tmm_auth_sid eq [AUTH::last_event_session_id]} {
            HTTP::respond 200 content "Authentication Error"
        }
    }

    The challenge I am facing is that the [HTTP::username] value is not predictable (therefore it cannot be created out of the email address by just base64-encoding the $username value).

    Any help appreciated.

    Wiesmann
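As an added worked example (my code, not the poster's iRule and not F5 code): a plain-Python parser for the RFC 4514 subject string that F5's X509::subject is assumed to return, which pulls the emailAddress RDN out even when it is not the first RDN or when another value contains an escaped comma; an RFC 4515 escape for putting that address into an LDAP search filter; and the HTTP Basic Authorization encoding that HTTP::username parses, so the relationship between the certificate value and the header is visible. The sample subjects, the set of attribute names treated as e-mail, and the "mail" attribute in the filter are constructed assumptions.

```python
"""Added example: e-mail address out of an X.509 subject DN string, escaped
for an LDAP filter, plus the HTTP Basic encoding HTTP::username expects.
Standard library only; the sample DNs below are constructed."""
import base64
import re

# Attribute types under which an e-mail address shows up in a subject DN
# (assumed: OpenSSL prints "emailAddress", other tools "E"/"EMAIL", and a
# dumper may fall back to the raw OID).
EMAIL_ATTRIBUTE_TYPES = {"emailaddress", "e", "email", "1.2.840.113549.1.9.1"}

# Constructed sample subjects in RFC 2253/4514 string form.
SUBJECT_PLAIN = "emailAddress=juerg.wiesmann@example.com,CN=Juerg Wiesmann,OU=IT,O=Example AG,C=CH"
SUBJECT_ESCAPED = r"CN=Wiesmann\, Juerg, E=j.w@example.com, O=Example AG"
SUBJECT_NO_MAIL = "CN=no mail here,O=Example AG,C=CH"


def parse_dn(dn):
    """Split an RFC 4514 DN string into a list of (type, value) pairs.

    A backslash escapes the next character or introduces a two-digit hex
    escape, so a comma inside a value does not end the RDN. Hex escapes map
    to single characters, which is enough for ASCII (multi-byte UTF-8 is not
    reassembled here).
    """
    rdns, buf, attr_type = [], [], None
    skip_ws = True  # drop unescaped whitespace after ',' and '='
    i, n = 0, len(dn)
    while i < n:
        c = dn[i]
        if c == "\\" and i + 1 < n:
            hex_pair = dn[i + 1:i + 3]
            if re.fullmatch(r"[0-9A-Fa-f]{2}", hex_pair):
                buf.append(chr(int(hex_pair, 16)))
                i += 3
            else:
                buf.append(dn[i + 1])
                i += 2
            skip_ws = False
            continue
        if skip_ws and c == " ":
            i += 1
            continue
        skip_ws = False
        if c == "=" and attr_type is None:
            attr_type, buf, skip_ws = "".join(buf).strip(), [], True
        elif c in ",+":  # ',' ends an RDN, '+' separates a multi-valued RDN
            if attr_type is None:
                raise ValueError("RDN without '=' in DN: %r" % dn)
            rdns.append((attr_type, "".join(buf)))
            attr_type, buf, skip_ws = None, [], True
        else:
            buf.append(c)
        i += 1
    if attr_type is not None:
        rdns.append((attr_type, "".join(buf)))
    elif buf:
        raise ValueError("trailing text without '=' in DN: %r" % dn)
    return rdns


def email_from_subject(dn):
    """Return the first e-mail attribute value in the DN, or None."""
    for attr_type, value in parse_dn(dn):
        if attr_type.lower() in EMAIL_ATTRIBUTE_TYPES:
            return value
    return None


def ldap_filter_escape(value):
    """Escape a value for an LDAP search filter (RFC 4515). A CA-issued
    address is still externally supplied input as far as the directory is
    concerned, so it is never spliced into a filter raw."""
    return "".join("\\%02x" % ord(ch) if ch in "*()\\\x00" else ch for ch in value)


def ldap_search_filter(email):
    """Look the entry up by its mail attribute (attribute name assumed)."""
    return "(&(objectClass=inetOrgPerson)(mail=%s))" % ldap_filter_escape(email)


def basic_authorization(username, password=""):
    """Header value HTTP::username understands: 'Basic ' + base64('user:pass')."""
    token = base64.b64encode(("%s:%s" % (username, password)).encode()).decode()
    return "Basic " + token


def username_from_authorization(header_value):
    """Inverse of basic_authorization; None unless the scheme is Basic."""
    scheme, _, token = header_value.partition(" ")
    if scheme != "Basic":
        return None
    user, _, _pw = base64.b64decode(token).decode().partition(":")
    return user


if __name__ == "__main__":
    for dn in (SUBJECT_PLAIN, SUBJECT_ESCAPED, SUBJECT_NO_MAIL):
        mail = email_from_subject(dn)
        print(dn, "->", mail, "->", ldap_search_filter(mail) if mail else "(no e-mail)")
    hdr = basic_authorization("j.w@example.com")
    print(hdr, "->", username_from_authorization(hdr))
```

The parser is the part the 13-character substr offset in the iRule skips over: it finds the address wherever the RDN sits and survives an escaped comma in a CN; the filter escape is what keeps a crafted address such as `a*)(uid=*@example.com` from widening the directory search.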