Layer7 API Management

Expand all | Collapse all

LDAP Query with filter based on Child attribute

Jump to Best Answer
  • 1.  LDAP Query with filter based on Child attribute

    Posted 12-22-2015 03:17 AM

    Hi all,

     

    I was hoping someone can help us with an LDAP query we are stuck on. I'm at a customer which has an LDAP with a (custom) customer object with a (custom) child object holding certificate information. We want to build an LDAP query where we can filter on a certificate CN or DN which we get from the client certificate in the session. The CN and DN are both attributes in the child certificate object. Once filtered we need to return the customer ID, which is an attribute of the customer object), in a variable. But we are having trouble formulating a query which filters on the child attribute while we actually filter the customer parent object.

     

    customer object  - customer ID

                               - customer name

                               - ... etc

                               - customer certificate object    - certificate DN

                                                                               - certificate CN

                                                                               - ... etc

     

    I hope this is something simple, but we have limited knowledge of LDAP queries and so far Google also hasn't been very helpful.

     

    Thanks,

    Michiel



  • 2.  Re: LDAP Query with filter based on Child attribute

    Posted 12-29-2015 10:36 AM

    You'll need to perform an LDAP query to target the certificate object and then use the Encode/Decode Data assertion to decode the resulting object into an X.509 Certificate-type variable. That resulting object will human-readable and can be regexed.    



  • 3.  Re: LDAP Query with filter based on Child attribute

    Posted 12-29-2015 02:03 PM

    Hi Eric,

     

    The customer certificate object is not an actual certificate. It is simply a custom child object created by the customer which holds the certificate info in a number of aatributes. So it is already readable and accessible. Instead of a certificate object, this could just as well be a house object with a street name and number, zip code, city etc. In that case we would want to filter based on the street name and number and then from the result get the customer ID of the parent object. So far we have only been able to do this using 2 LDAP queries, but I would like to know if it's possible to do this in one query.



  • 4.  Re: LDAP Query with filter based on Child attribute

    Posted 12-30-2015 10:50 AM

    Do you have an LDIF that you can share that illustrates the observed structure? Preferably, something portable that is not dependent upon external schemas.



  • 5.  Re: LDAP Query with filter based on Child attribute

    Posted 01-08-2016 11:07 AM

    Hi Eric,

     

    Sorry for the delay in responding, I was not working this week and only now catching up emails

     

    Here is an anonimized version of the ldif:

     

    #
    This file was generated on 2015-12-31 at 13:49:44
    #
    by Softerra LDAP Administrator 2012.2 [ http://www.ldapadministrator.com ]
    
    dn: XcustomerXServiceId=MyService,cn=services,ou=serviceunit,o=XcustomerX,c=nl
    XcustomerXServiceNaam: Overheid
    XcustomerXServiceOmgeving: ACP
    XcustomerXServiceTransportAuthenticatie: DualSSL
    objectClass: top
    objectClass: XcustomerXService
    XcustomerXServiceNetwerk: Internet
    XcustomerXServiceDoelgroep: Overheid
    XcustomerXServiceId: MyService
    XcustomerXServiceBerichtAuthenticatie: CertAuth
    XcustomerXServiceUrl: mywebservice.acp.XcustomerX.nl
    XcustomerXAuthenticatieNiveau: 4
    XcustomerXServiceKlant: http://ec.XcustomerX.nl/testACP
    XcustomerXServiceKlant: http://ec.XcustomerX.nl/XcustomerX/test
    XcustomerXServiceKlant: http://ec.XcustomerX.nl/userx/knooppunt/overheid
    XcustomerXServiceKlant: http://ec.XcustomerX.nl/userx/bijzonderbestuursorgaan
    XcustomerXServiceKlant: http://ec.XcustomerX.nl/userx/overheid
    XcustomerXServiceKlant: http://ec.XcustomerX.nl/userx/bestuursorgaan
    
    
    dn: XcustomerXCertificaatCn=mywebservice.acp.XcustomerX.nl,XcustomerXServiceId=myservice,cn=service
     s,ou=serviceunit,o=XcustomerX,c=nl
    XcustomerXCertificaatDn: CN=mywebservice.acp.XcustomerX.nl,OU=ICT Infra Beheer,O=Customer
      Name X,L=BigCity,ST=BigState,C=NL
    objectClass: top
    objectClass: XcustomerXIdentityCertificaat
    validTo: 20200713103655Z
    validFrom: 20150713102655Z
    XcustomerXIssuer: CN=Customer Name X - Test Server RA,CN=PKI,OU=Middl
     eware and Infrastructure,O=Customer Name X,L=BigCity,ST=BigSta
     te,C=NL
    XcustomerXCertificaatCn: mywebservice.acp.XcustomerX.nl
    

     

    Hope that helps.



  • 6.  Re: LDAP Query with filter based on Child attribute
    Best Answer

    Posted 08-28-2016 02:40 PM

    Michiel,

     

    I've reviewed through this post. Based on the layout of the directory entries, I'm not able to find a way to build one query that can find the child and then retrieve the parent record.

     

    Sincerely,

     

    Stephen Hughes

    Director, CA Support



  • 7.  Re: LDAP Query with filter based on Child attribute

    Posted 08-31-2016 04:19 AM

    Thanks for letting me know Stephen. Means we'll keep the current approach in place and don't have to keep wondering if we could do it in a more direct way.

    Thanks,

    Michiel