I was hoping someone can help us with an LDAP query we are stuck on. I'm at a customer which has an LDAP with a (custom) customer object with a (custom) child object holding certificate information. We want to build an LDAP query where we can filter on a certificate CN or DN which we get from the client certificate in the session. The CN and DN are both attributes in the child certificate object. Once filtered we need to return the customer ID (which is an attribute of the customer object) in a variable. But we are having trouble formulating a query which filters on the child attribute while we actually filter the customer parent object.
customer object
  - customer ID
  - customer name
  - ... etc
  - customer certificate object
      - certificate DN
      - certificate CN
      - ... etc
I hope this is something simple, but we have limited knowledge of LDAP queries and so far Google also hasn't been very helpful.
You'll need to perform an LDAP query to target the certificate object and then use the Encode/Decode Data assertion to decode the resulting object into an X.509 Certificate-type variable. That resulting object will be human-readable and can be regexed.
The customer certificate object is not an actual certificate. It is simply a custom child object created by the customer which holds the certificate info in a number of attributes. So it is already readable and accessible. Instead of a certificate object, this could just as well be a house object with a street name and number, zip code, city etc. In that case we would want to filter based on the street name and number and then from the result get the customer ID of the parent object. So far we have only been able to do this using 2 LDAP queries, but I would like to know if it's possible to do this in one query.
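The two-query approach described above (subtree search for the certificate child, then a base-scope read of its parent), as an added example in Python that is not from this thread or from the gateway product. The in-memory DIRECTORY, the attribute name XcustomerXId and the base DN are constructed; the search function is a stand-in for the real LDAP searches. The filter value is escaped per RFC 4515 because it is taken from a client-presented certificate.

```python
import re

def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for a value embedded in an LDAP search filter."""
    return ''.join('\\%02x' % ord(c) if c in '\\*()\x00' else c for c in value)

def unescape_filter_value(value: str) -> str:
    """Inverse of escape_filter_value, used by the stand-in search below."""
    return re.sub(r'\\([0-9a-fA-F]{2})', lambda m: chr(int(m.group(1), 16)), value)

def parent_dn(dn: str) -> str:
    """Parent DN per RFC 4514: drop the first RDN, respecting escaped commas."""
    m = re.search(r'(?<!\\),', dn)
    if m is None:
        raise ValueError('entry has no parent: %r' % dn)
    return dn[m.end():].lstrip()

# Constructed stand-in for the customer's directory: DN -> attributes.
# XcustomerXId is an assumed name for the customer ID attribute.
DIRECTORY = {
    'cn=cust001,ou=Customers,o=Customer': {'XcustomerXId': ['cust001']},
    'cn=cert1,cn=cust001,ou=Customers,o=Customer': {
        'XcustomerXCertificaatDn': ['CN=mywebservice.acp.XcustomerX.nl,OU=ICT Infra Beheer,O=Customer']},
    'cn=cust002,ou=Customers,o=Customer': {'XcustomerXId': ['cust002']},
    'cn=cert1,cn=cust002,ou=Customers,o=Customer': {
        'XcustomerXCertificaatDn': ['CN=api (test),OU=ICT,O=Customer']},
}

def search(base: str, ldap_filter: str) -> list:
    """Minimal subtree search for one equality filter, e.g. (attr=value).
    Returns the DNs of matching entries."""
    m = re.fullmatch(r'\((\w+)=(.*)\)', ldap_filter)
    if m is None:
        raise ValueError('unsupported filter: %r' % ldap_filter)
    attr, wanted = m.group(1), unescape_filter_value(m.group(2))
    return [dn for dn, entry in DIRECTORY.items()
            if (dn == base or dn.endswith(',' + base)) and wanted in entry.get(attr, [])]

def customer_id_for_cert(cert_dn: str, base: str = 'ou=Customers,o=Customer'):
    """Query 1: find the certificate child entry by its stored DN.
    Query 2: read the parent (customer) entry and return its ID."""
    children = search(base, '(XcustomerXCertificaatDn=%s)' % escape_filter_value(cert_dn))
    if len(children) != 1:
        return None  # unknown or ambiguous certificate: fail closed
    parent = DIRECTORY.get(parent_dn(children[0]))  # stand-in for a base-scope search
    if parent is None:
        return None
    return parent.get('XcustomerXId', [None])[0]
```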
Do you have an LDIF that you can share that illustrates the observed structure? Preferably, something portable that is not dependent upon external schemas.
Sorry for the delay in responding, I was not working this week and only now catching up emails
Here is an anonymized version of the ldif:
# This file was generated on 2015-12-31 at 13:49:44
# by Softerra LDAP Administrator 2012.2 [ http://www.ldapadministrator.com ]
XcustomerXCertificaatDn: CN=mywebservice.acp.XcustomerX.nl,OU=ICT Infra Beheer,O=Customer
XcustomerXIssuer: CN=Customer Name X - Test Server RA,CN=PKI,OU=Middleware and Infrastructure,O=Customer Name X,L=BigCity,ST=BigSta
Hope that helps.
I've reviewed through this post. Based on the layout of the directory entries, I'm not able to find a way to build one query that can find the child and then retrieve the parent record.
Director, CA Support
Thanks for letting me know Stephen. Means we'll keep the current approach in place and don't have to keep wondering if we could do it in a more direct way.