Forum Discussion

jfb_329380
Aug 04, 2017

iRule client certificate check against LDAP value

Hello, I have a setup where users need a certificate and a username/password to login. For better security, I want to match the email address in the certificate with the userPrincipalName attri...
    Aug 04, 2017

    Thank you Morten for your reply. It helped me a bit.

    I have adapted my iRule like this:

    when ACCESS_POLICY_AGENT_EVENT {
        # Only act on the iRule Event agent named "userCertEmail" in the access policy
        if { [ACCESS::policy agent_id] eq "userCertEmail" } {
            log "userCertEmail matched"
            # Client certificate presented during the TLS handshake
            set cert [SSL::cert 0]
            set ssl_subject_dn [X509::subject $cert]
            # Read the value after the 13-character "emailAddress=" label, up to the next comma
            set ssl_email [findstr $ssl_subject_dn "emailAddress=" 13 ","]
            # Store it in the session so the LDAP Query agent can reference %{session.ssl.email}
            ACCESS::session data set session.ssl.email "$ssl_email"
            log "Email is $ssl_email"
        }
    }

    In my Access Policy, I have added an LDAP Query rule like this:

    (&(userPrincipalName=%{session.ssl.email})(sAMAccountName=%{session.logon.last.username}))
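The value pulled out of the certificate subject is inserted verbatim into the LDAP search filter by the `%{session.ssl.email}` reference, so it is worth seeing what the extraction and the filter construction look like when done carefully. The following is an added example, not part of jfb_329380's post and not F5 code: it mirrors the `findstr` extraction in Python on a constructed subject DN (assumed, as in the iRule, to be the comma-separated form `X509::subject` returns), escapes the extracted value per RFC 4515 so characters such as `*`, `(` and `)` are treated as literals inside the filter rather than as filter syntax, and builds the same `(&(userPrincipalName=...)(sAMAccountName=...))` filter used in the Access Policy.

```python
from typing import Optional

# Constructed sample subject DN, in the comma-separated "attr=value" form
# that X509::subject is assumed to return on the BIG-IP.
SAMPLE_SUBJECT_DN = (
    "C=US,O=Example Corp,OU=Staff,CN=Jane Doe,emailAddress=jane.doe@example.com"
)

# RFC 4515 section 3: characters that must be escaped inside a filter value.
_LDAP_FILTER_ESCAPES = {
    "\\": "\\5c",
    "*": "\\2a",
    "(": "\\28",
    ")": "\\29",
    "\x00": "\\00",
}


def extract_email(subject_dn: str) -> Optional[str]:
    """Mirror of `findstr $dn "emailAddress=" 13 ","` from the iRule.

    Skips the 13-character label and reads up to the next comma; if the
    email is the last RDN there is no trailing comma, so the rest of the
    string is returned, which is also what findstr does.
    """
    label = "emailAddress="
    start = subject_dn.find(label)
    if start == -1:
        return None
    start += len(label)  # len("emailAddress=") == 13, matching the iRule
    end = subject_dn.find(",", start)
    return subject_dn[start:] if end == -1 else subject_dn[start:end]


def ldap_filter_escape(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515)."""
    return "".join(_LDAP_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_filter(email: str, username: str) -> str:
    """Build the AND filter from the Access Policy with both values escaped."""
    return "(&(userPrincipalName=%s)(sAMAccountName=%s))" % (
        ldap_filter_escape(email),
        ldap_filter_escape(username),
    )


def filter_is_balanced(ldap_filter: str) -> bool:
    """Cheap structural check: unescaped parentheses must nest correctly.

    Escaped parentheses appear as \\28 / \\29 and do not affect nesting.
    """
    depth = 0
    for ch in ldap_filter:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                return False
    return depth == 0


if __name__ == "__main__":
    email = extract_email(SAMPLE_SUBJECT_DN)
    ldap_filter = build_filter(email, "jdoe")
    print(email)
    print(ldap_filter)
    print("balanced:", filter_is_balanced(ldap_filter))
```

With the sample DN the script yields `(&(userPrincipalName=jane.doe@example.com)(sAMAccountName=jdoe))`. If the certificate-derived value happened to contain `*` or parentheses, the escaped form keeps the filter to exactly two attribute comparisons, whereas raw interpolation would change its structure. On the BIG-IP the same escaping can be applied in the iRule with `string map` before the value is stored in `session.ssl.email`.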