Juerg_Wiesmann
Jan 05, 2009 (Nimbostratus)
Authenticate only Email Address out of SSL Cert against LDAP
I want to authenticate only the Email Address out of the subject string of a certificate to authenticate against LDAP. This seems to fail. Is there a way to achieve that?
It seems that always the whole Cert or the CN is sent to LDAP for verification and there is no way to limit the input to a certain part of the cert.
Many thanks for your help
Wiesmann
when CLIENT_ACCEPTED {
    # Per-connection state: auth session id and "handshake finished" flag
    set tmm_auth_ssl_cc_ldap_sid 0
    set tmm_auth_ssl_cc_ldap_done 0
}

when CLIENTSSL_CLIENTCERT {
    set tmm_auth_ssl_cc_ldap_done 0
    set cert [SSL::cert 0]
    # Skip 13 characters ("emailAddress=") and read up to the next comma.
    # This only yields the address when emailAddress is the first RDN of
    # the subject; $email is logged here but never handed to AUTH::.
    set email [substr [X509::subject $cert] 13 ","]
    log local0. "Email: $email"
    if {$tmm_auth_ssl_cc_ldap_sid == 0} {
        set tmm_auth_ssl_cc_ldap_sid [AUTH::start pam default_ssl_cc_ldap]
        if {[info exists tmm_auth_subscription]} {
            AUTH::subscribe $tmm_auth_ssl_cc_ldap_sid
        }
        # The whole client certificate, not $email, is what the auth
        # session receives as its credential
        AUTH::cert_credential $tmm_auth_ssl_cc_ldap_sid [SSL::cert 0]
        AUTH::authenticate $tmm_auth_ssl_cc_ldap_sid
        # Pause the handshake until AUTH_RESULT fires
        SSL::handshake hold
    }
}

when CLIENTSSL_HANDSHAKE {
    set tmm_auth_ssl_cc_ldap_done 1
}

when AUTH_RESULT {
    # Only act on results that belong to this connection's auth session
    if {[info exists tmm_auth_ssl_cc_ldap_sid] and \
        ($tmm_auth_ssl_cc_ldap_sid == [AUTH::last_event_session_id])} {
        set tmm_auth_status [AUTH::status]
        if {$tmm_auth_status == 0} {
            # Success: let the SSL handshake continue
            set tmm_auth_ssl_cc_ldap_done 1
            SSL::handshake resume
        } elseif {$tmm_auth_status != -1 || $tmm_auth_ssl_cc_ldap_done == 0} {
            # Failure, or an error before the handshake completed: drop the connection
            reject
        }
    }
}
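The post's iRule extracts the address with a fixed offset (skip 13 characters, read up to the next comma), which only works when emailAddress happens to be the first RDN of the subject, and the extracted value is never used. The following is an added example, not part of the original post and not F5 iRule code: it reproduces that offset-based extraction in plain Python next to a subject parser that finds the e-mail RDN wherever it sits, and shows the RFC 4515 escaping a value taken from a client certificate needs before it is placed in an LDAP search filter. The sample subjects are constructed; the attribute names `emailAddress`/`E` and the directory attribute `mail` are assumptions. How the extracted value would be handed to the BIG-IP LDAP profile is not something the post shows, so the example stops at building the filter.

```python
# Added example, not part of the original post and not F5 iRule code.
from typing import Optional

# Constructed sample subjects in the comma-separated form the post's
# `substr ... 13 ","` call expects (13 == len("emailAddress=")).
SUBJECT_EMAIL_FIRST = "emailAddress=juerg@example.com,CN=Juerg Wiesmann,O=Example AG,C=CH"
SUBJECT_CN_FIRST = "CN=Juerg Wiesmann,emailAddress=juerg@example.com,O=Example AG,C=CH"
SUBJECT_ESCAPED_COMMA = r"CN=Juerg Wiesmann,O=Example\, AG,emailAddress=juerg@example.com"
SUBJECT_NO_EMAIL = "CN=Nobody,O=Example AG,C=CH"
# A hostile subject: the e-mail value carries LDAP filter metacharacters.
SUBJECT_INJECTION = "emailAddress=x@example.com)(uid=*,CN=Mallory"

# Attribute names under which the e-mail RDN is commonly printed
# (assumption: BIG-IP prints "emailAddress", other tools abbreviate to "E").
EMAIL_ATTR_NAMES = ("emailaddress", "e")


def fixed_offset_email(subject: str) -> str:
    """Python equivalent of the post's `substr [X509::subject $cert] 13 ","`:
    skip 13 characters, return everything up to the next comma. Correct only
    when emailAddress is the very first RDN of the subject."""
    return subject[13:].split(",", 1)[0]


def parse_subject(subject: str) -> dict:
    """Split an RFC 4514-style subject string into {attribute: value}.
    A backslash escapes the next character, so 'O=Example\\, AG' stays one
    RDN. Multi-valued RDNs joined with '+' are not handled here."""
    rdns, buf, escaped = [], [], False
    for ch in subject:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == ",":
            rdns.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    rdns.append("".join(buf))

    attrs = {}
    for rdn in rdns:
        rdn = rdn.strip()
        if not rdn:
            continue
        name, sep, value = rdn.partition("=")
        if not sep:
            raise ValueError(f"malformed RDN: {rdn!r}")
        attrs[name.strip()] = value
    return attrs


def email_from_subject(subject: str) -> Optional[str]:
    """Return the e-mail RDN value wherever it sits in the subject; attribute
    types are case-insensitive, so compare lowercased."""
    for name, value in parse_subject(subject).items():
        if name.lower() in EMAIL_ATTR_NAMES:
            return value
    return None


def escape_ldap_filter(value: str) -> str:
    """RFC 4515 escaping for a value placed inside an LDAP search filter.
    Backslash is replaced first so the escapes we introduce are not re-escaped."""
    return (value.replace("\\", r"\5c")
                 .replace("*", r"\2a")
                 .replace("(", r"\28")
                 .replace(")", r"\29")
                 .replace("\x00", r"\00"))


def ldap_filter_for(subject: str, attr: str = "mail") -> str:
    """Build the LDAP filter that looks the certificate holder up by e-mail.
    `attr` is an assumption about the directory schema (inetOrgPerson 'mail')."""
    email = email_from_subject(subject)
    if email is None:
        raise ValueError("certificate subject carries no e-mail address")
    return f"({attr}={escape_ldap_filter(email)})"


if __name__ == "__main__":
    for s in (SUBJECT_EMAIL_FIRST, SUBJECT_CN_FIRST, SUBJECT_ESCAPED_COMMA, SUBJECT_INJECTION):
        print(f"subject      : {s}")
        print(f"  offset 13  : {fixed_offset_email(s)!r}")
        print(f"  parsed     : {email_from_subject(s)!r}")
        print(f"  ldap filter: {ldap_filter_for(s)}")
```

Running the block shows the offset-based extraction returning a fragment of the CN for the CN-first subject while the parser returns the address in every case, and the injection sample shows why escaping matters: without it, the value `x@example.com)(uid=*` would turn a lookup by e-mail into `(mail=x@example.com)(uid=*)`, a filter the directory would happily evaluate.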