Map ClientCertificate to AD User with different DN

Hi all,

I'm stuck with mapping a PKI ClientCertificate from a Smartcard to the corresponding Active Directory entry using the standard modules and functionality. The information of how to identify the user in AD is available in the ClientCertificate, but it seems in a not directly usable way. Somehow IIS (which is really the last resort) does it with its certificate mapping functionality. Probably by converting the certificates to the same encoding, but that's just a guess. Here's the scenario.

1. Authentication is done by a ClientCertificate (mod_ssl). The DN of the subject is

    CN=joe meyer PKI 3423RI324

The last token is a unique employeeID. Of course the whole certificate is available in PEM encoding in the variable

    SSL_CLIENT_CERT

2. As far as I understand the ldap modules, for authorisation I need to first get the user object from AD (trying with mod_authz_ldap) and then check for group membership. However, in AD there are only two entries which can be found in the ClientCertificate: the certificate itself as attribute userCertificate and the employeeID, which is the last unique part of the CN. The CN in AD is completely different and unrelated, like JWDI2K.

My first attempt was to use the ClientCertificate as SSLUserName:

    SSLUserName SSL_CLIENT_CERT
    ...
    AuthLDAPURL ldap://ldap.example.com/o=Example?userCertificate

This didn't work. Actually I can only guess that it's due to encoding differences. I don't know how the certificate in AD is stored. ADSearcher (the Windows tool) says as octet string.

My second idea is to extract the unique employeeID from the ClientCertificate and connect to AD via the attribute employeeID. Now, I must confess it's my first go with Apache and I don't even know if it's conceptually possible to set a custom global username based on environment variables and expressions. Or if the username is by purpose hidden and protected against such "nasty" hacks.

    SSLUserName SSL_CLIENT_S_DN_CN (.SplitAndTakeTheLastToken ... How-To?)
    AuthLDAPURL ldap://ldap.example.com/o=Example?employeeID

How is SSLUserName related to an internally used UserName or REMOTE_USER?

Anyway, I'm stuck. Is there a way to handle this by directives at all or do I need to use any kind of programming interface to Apache? Unfortunately I'm quite new to Apache. Are there ways apart from writing modules for hooking up little scripts?

Cheers,

Jan
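The two lookups described in the post (the employeeID taken from the last token of SSL_CLIENT_S_DN_CN, and the userCertificate value taken from the PEM in SSL_CLIENT_CERT) can be exercised outside Apache to see what the LDAP filter has to look like. The following is an added example, not code from the post or from any Apache module: it derives the employeeID with a strict shape check so that nothing else from the subject CN can leak into the filter, escapes the filter value per RFC 4515, and converts the PEM text to the raw DER bytes that an octet-string attribute such as userCertificate would be compared against. The sample CN is the one from the post; the PEM body and the employeeID format (`[A-Z0-9]{6,12}`) are constructed assumptions.

```python
import base64
import re

# Sample subject CN from the post (what mod_ssl exposes as SSL_CLIENT_S_DN_CN).
SAMPLE_CN = "joe meyer PKI 3423RI324"

# Constructed stand-in for the PEM that mod_ssl exposes as SSL_CLIENT_CERT.
# The body is NOT a real certificate; it only needs to base64-decode to bytes.
_FAKE_DER = b"constructed DER stand-in, not a real certificate"
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.encodebytes(_FAKE_DER).decode()
    + "-----END CERTIFICATE-----\n"
)

# Assumed shape of the employee ID (hypothetical; tighten to the real format).
EMPLOYEE_ID_RE = re.compile(r"^[A-Z0-9]{6,12}$")


def employee_id_from_cn(cn: str):
    """Return the last whitespace-separated token of the CN if it looks like an
    employee ID, otherwise None. The shape check is what keeps filter
    metacharacters out of the lookup key."""
    parts = cn.strip().split()
    if not parts:
        return None
    token = parts[-1]
    return token if EMPLOYEE_ID_RE.fullmatch(token) else None


def filter_escape_str(value: str) -> str:
    """RFC 4515 escaping for a text assertion value: '*', '(', ')', '\\' and NUL
    become \\HH; non-ASCII is emitted as the \\HH form of its UTF-8 bytes."""
    out = []
    for ch in value:
        if ch in "*()\\\x00":
            out.append("\\%02x" % ord(ch))
        elif ord(ch) > 0x7F:
            out.extend("\\%02x" % b for b in ch.encode("utf-8"))
        else:
            out.append(ch)
    return "".join(out)


def employee_filter(cn: str):
    """Build the (employeeID=...) filter, or None if the CN yields no usable ID."""
    emp_id = employee_id_from_cn(cn)
    if emp_id is None:
        return None
    return "(employeeID=%s)" % filter_escape_str(emp_id)


def pem_to_der(pem: str) -> bytes:
    """Strip the PEM armour and base64-decode to the DER bytes that an
    octet-string attribute (userCertificate) actually holds."""
    body = [
        line.strip()
        for line in pem.splitlines()
        if line.strip() and not line.startswith("-----")
    ]
    return base64.b64decode("".join(body))


def certificate_filter(pem: str) -> str:
    """Build an equality filter on userCertificate. Every DER byte is written in
    the \\HH form so arbitrary binary can be carried in a text filter."""
    der = pem_to_der(pem)
    return "(userCertificate=%s)" % "".join("\\%02x" % b for b in der)


if __name__ == "__main__":
    print(employee_filter(SAMPLE_CN))
    print(certificate_filter(SAMPLE_PEM)[:60] + "...")
```

The point of comparing the two filters is that the userCertificate one is an exact byte match against the DER stored in the directory, which is why handing the PEM text (base64 with header lines) to the LDAP module as-is cannot match; the employeeID route only needs the single validated token.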
