Layer7 API Management

  • 1.  LDAP Query with filter based on Child attribute

    Posted Dec 22, 2015 03:17 AM

    Hi all,

     

    I was hoping someone can help us with an LDAP query we are stuck on. I'm at a customer which has an LDAP with a (custom) customer object with a (custom) child object holding certificate information. We want to build an LDAP query where we can filter on a certificate CN or DN which we get from the client certificate in the session. The CN and DN are both attributes in the child certificate object. Once filtered we need to return the customer ID (which is an attribute of the customer object) in a variable. But we are having trouble formulating a query which filters on the child attribute while we actually filter the customer parent object.

     

    customer object
        - customer ID
        - customer name
        - ... etc
        - customer certificate object
            - certificate DN
            - certificate CN
            - ... etc

     

    I hope this is something simple, but we have limited knowledge of LDAP queries and so far Google also hasn't been very helpful.

     

    Thanks,

    Michiel



  • 2.  Re: LDAP Query with filter based on Child attribute

    Posted Dec 29, 2015 10:36 AM

    You'll need to perform an LDAP query to target the certificate object and then use the Encode/Decode Data assertion to decode the resulting object into an X.509 Certificate-type variable. That resulting object will be human-readable and can be regexed.



  • 3.  Re: LDAP Query with filter based on Child attribute

    Posted Dec 29, 2015 02:03 PM

    Hi Eric,

     

    The customer certificate object is not an actual certificate. It is simply a custom child object created by the customer which holds the certificate info in a number of attributes. So it is already readable and accessible. Instead of a certificate object, this could just as well be a house object with a street name and number, zip code, city etc. In that case we would want to filter based on the street name and number and then from the result get the customer ID of the parent object. So far we have only been able to do this using 2 LDAP queries, but I would like to know if it's possible to do this in one query.



  • 4.  Re: LDAP Query with filter based on Child attribute

    Posted Dec 30, 2015 10:50 AM

    Do you have an LDIF that you can share that illustrates the observed structure? Preferably, something portable that is not dependent upon external schemas.



  • 5.  Re: LDAP Query with filter based on Child attribute

    Posted Jan 08, 2016 11:07 AM

    Hi Eric,

     

    Sorry for the delay in responding, I was not working this week and am only now catching up on emails.

     

    Here is an anonymized version of the LDIF:

     

    # This file was generated on 2015-12-31 at 13:49:44
    # by Softerra LDAP Administrator 2012.2 [ http://www.ldapadministrator.com ]
    
    dn: XcustomerXServiceId=MyService,cn=services,ou=serviceunit,o=XcustomerX,c=nl
    XcustomerXServiceNaam: Overheid
    XcustomerXServiceOmgeving: ACP
    XcustomerXServiceTransportAuthenticatie: DualSSL
    objectClass: top
    objectClass: XcustomerXService
    XcustomerXServiceNetwerk: Internet
    XcustomerXServiceDoelgroep: Overheid
    XcustomerXServiceId: MyService
    XcustomerXServiceBerichtAuthenticatie: CertAuth
    XcustomerXServiceUrl: mywebservice.acp.XcustomerX.nl
    XcustomerXAuthenticatieNiveau: 4
    XcustomerXServiceKlant: http://ec.XcustomerX.nl/testACP
    XcustomerXServiceKlant: http://ec.XcustomerX.nl/XcustomerX/test
    XcustomerXServiceKlant: http://ec.XcustomerX.nl/userx/knooppunt/overheid
    XcustomerXServiceKlant: http://ec.XcustomerX.nl/userx/bijzonderbestuursorgaan
    XcustomerXServiceKlant: http://ec.XcustomerX.nl/userx/overheid
    XcustomerXServiceKlant: http://ec.XcustomerX.nl/userx/bestuursorgaan
    
    
    dn: XcustomerXCertificaatCn=mywebservice.acp.XcustomerX.nl,XcustomerXServiceId=myservice,cn=service
     s,ou=serviceunit,o=XcustomerX,c=nl
    XcustomerXCertificaatDn: CN=mywebservice.acp.XcustomerX.nl,OU=ICT Infra Beheer,O=Customer
      Name X,L=BigCity,ST=BigState,C=NL
    objectClass: top
    objectClass: XcustomerXIdentityCertificaat
    validTo: 20200713103655Z
    validFrom: 20150713102655Z
    XcustomerXIssuer: CN=Customer Name X - Test Server RA,CN=PKI,OU=Middl
     eware and Infrastructure,O=Customer Name X,L=BigCity,ST=BigSta
     te,C=NL
    XcustomerXCertificaatCn: mywebservice.acp.XcustomerX.nl
    

     

    Hope that helps.



  • 6.  Re: LDAP Query with filter based on Child attribute
    Best Answer

    Broadcom Employee
    Posted Aug 28, 2016 02:40 PM

    Michiel,

     

    I've reviewed through this post. Based on the layout of the directory entries, I'm not able to find a way to build one query that can find the child and then retrieve the parent record.

     

    Sincerely,

     

    Stephen Hughes

    Director, CA Support



  • 7.  Re: LDAP Query with filter based on Child attribute

    Posted Aug 31, 2016 04:19 AM

    Thanks for letting me know Stephen. Means we'll keep the current approach in place and don't have to keep wondering if we could do it in a more direct way.

    Thanks,

    Michiel
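
The two-query approach the thread settles on, as an added example that is not part of the original posts or of the Layer7 product: query 1 filters on the certificate child, query 2 is a base-scope read of the DN left after stripping the child's leading RDN. The function names, the in-memory DIRECTORY (reduced from the LDIF in post 5) and the fake_search stub standing in for a real LDAP client are assumptions; quoted-string DN syntax is not handled.

```python
import re

BASE = "cn=services,ou=serviceunit,o=XcustomerX,c=nl"
# Constructed stand-in for the directory, reduced from the LDIF in post 5.
DIRECTORY = {
    "XcustomerXServiceId=MyService," + BASE: {
        "objectClass": ["top", "XcustomerXService"],
        "XcustomerXServiceId": ["MyService"]},
    "XcustomerXCertificaatCn=mywebservice.acp.XcustomerX.nl,"
    "XcustomerXServiceId=myservice," + BASE: {
        "objectClass": ["top", "XcustomerXIdentityCertificaat"],
        "XcustomerXCertificaatCn": ["mywebservice.acp.XcustomerX.nl"]},
}

def escape_filter_value(value):
    """RFC 4515: escape \\ * ( ) NUL so certificate data cannot change the filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def parent_dn(dn):
    """Strip the leading RDN at the first comma that is not backslash-escaped."""
    m = re.match(r"(?:\\.|[^,\\])*,(.+)", dn, re.S)
    if not m:
        raise ValueError("DN has no parent: %r" % dn)
    return m.group(1)

def fake_search(base, scope, flt, directory=DIRECTORY):
    """Hypothetical client stub: AND of equality matches only, case-insensitive."""
    unesc = lambda v: re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), v)
    terms = [(a.lower(), unesc(v).lower()) for a, v in re.findall(r"\((\w+)=([^()]*)\)", flt)]
    hits = []
    for dn, attrs in directory.items():
        in_scope = (dn.lower() == base.lower()) if scope == "base" else dn.lower().endswith(base.lower())
        low = {k.lower(): [x.lower() for x in vs] for k, vs in attrs.items()}
        if in_scope and all(v in low.get(a, []) for a, v in terms):
            hits.append((dn, attrs))
    return hits

def lookup_service_id(cert_cn, search=fake_search):
    """Query 1 finds the certificate child; query 2 reads its parent entry."""
    flt = "(&(objectClass=XcustomerXIdentityCertificaat)(XcustomerXCertificaatCn=%s))" \
          % escape_filter_value(cert_cn)
    children = search(BASE, "sub", flt)
    if len(children) != 1:          # no match or ambiguous match: fail closed
        return None
    parents = search(parent_dn(children[0][0]), "base", "(objectClass=XcustomerXService)")
    return parents[0][1]["XcustomerXServiceId"][0] if parents else None
```

Note that the child's DN in the LDIF spells the parent RDN as "myservice" while the parent entry uses "MyService", so the second read only succeeds because DN matching is case-insensitive.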