ldap filter and cert-subject

ldap filter and cert-subject

sandmann@uni-greifswald.de
Hello,

Is it possible to extract the uid from „TLS-Client-Cert-Subject
:=  C=DE/../../UID=username“ in mods-enabled/ldap -> filters?


thanks and best regards
David Sandmann

Universitätsrechenzentrum (URZ)
Universität Greifswald
Felix-Hausdorff-Str. 12
17489 Greifswald
Germany

Tel. +49 3834 420 1424
Fax. +49 3834 420 1401

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: ldap filter and cert-subject

Alan DeKok-2

On Aug 25, 2020, at 10:38 AM, Sandmann, David <[hidden email]> wrote:
> Is it possible to extract the uid from „TLS-Client-Cert-Subject
> :=  C=DE/../../UID=username“

  Yes.  You can just use a regular expression.

        if (TLS-Client-Cert-Subject =~ /UID=(.*)/) {
                update control {
                        Stripped-User-Name = "%{1}"
                }
        }

  If you don't want to use Stripped-User-Name, just edit raddb/dictionary, and define a local 'string' attribute there.

> in mods-enabled/ldap -> filters?

  Edit the filters to use Stripped-User-Name, or whatever else you defined above.

  Alan DeKok.
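
An added example, not part of the original messages and not FreeRADIUS code: the same extraction in Python, comparing the `UID=(.*)` pattern from the reply above with a bounded pattern when UID is not the last subject component, and escaping the value per RFC 4515 before it is placed in an LDAP search filter. The sample subjects, the `uid` filter attribute and all function names are constructed for illustration.

```python
import re

# Bounded pattern: the UID component starts the string or follows "/", and
# its value stops at the next "/" instead of running to the end like (.*).
UID_RE = re.compile(r"(?:^|/)UID=([^/]+)")

# RFC 4515: these characters must be written as \XX inside a filter value.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def extract_uid(subject):
    """Return the UID value from a '/'-separated subject, or None if absent."""
    m = UID_RE.search(subject)
    return m.group(1) if m else None


def greedy_uid(subject):
    """The /UID=(.*)/ pattern from the thread, kept for comparison."""
    m = re.search(r"UID=(.*)", subject)
    return m.group(1) if m else None


def escape_filter_value(value):
    """Escape a string for use as an assertion value in an LDAP filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_filter(subject):
    """Build (uid=<value>) from a certificate subject; None means reject."""
    uid = extract_uid(subject)
    if uid is None:
        return None
    return "(uid=%s)" % escape_filter_value(uid)


if __name__ == "__main__":
    # Constructed sample subjects, not taken from a real certificate.
    samples = [
        "C=DE/O=Example/OU=URZ/UID=username",        # UID last, as in the thread
        "C=DE/O=Example/UID=username/CN=Some Name",  # UID followed by another RDN
        "C=DE/GUID=abc/UID=real",                    # attribute name ending in UID
        "C=DE/O=Example/UID=user(urz)*",             # filter metacharacters
        "C=DE/O=Example/CN=No Uid Here",             # no UID component
    ]
    for s in samples:
        print(repr(greedy_uid(s)), repr(extract_uid(s)), build_filter(s))
```
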



Re: ldap filter and cert-subject

sandmann@uni-greifswald.de
Hi Alan,

Thanks for your advice, Alan.
It works if we use "update request" instead of "update control".


best regards
David Sandmann

Universitätsrechenzentrum (URZ)
Universität Greifswald
Felix-Hausdorff-Str. 12
17489 Greifswald
Germany

Tel. +49 3834 420 1424
Fax. +49 3834 420 1401



On Tuesday, 25.08.2020 at 17:09, Alan DeKok wrote:
> On Aug 25, 2020, at 10:38 AM, Sandmann, David wrote:
>> Is it possible to extract the uid from „TLS-Client-Cert-Subject
>> :=  C=DE/../../UID=username“
>
>   Yes.  You can just use a regular expression.
>
>         if (TLS-Client-Cert-Subject =~ /UID=(.*)/) {
>                 update control {
>                         Stripped-User-Name = "%{1}"
>                 }
>         }
>
>   If you don't want to use Stripped-User-Name, just edit
> raddb/dictionary, and define a local 'string' attribute there
>
>> in mods-enabled/ldap -> filters?
>
>   Edit the filters to use Stripped-User-Name, or whatever else you
> defined above.
>
>   Alan DeKok.



Re: ldap filter and cert-subject

Alan DeKok-2
On Aug 27, 2020, at 8:22 AM, Sandmann, David <[hidden email]> wrote:
> Thanks for your advice, Alan.
> It works if we use "update request" instead of "update control".

  Oops, that's good to hear you got it fixed.

  Alan DeKok.

