Layer7 API Management

 View Only
  • 1.  ldap query using altSecurityIdentities

    Posted May 08, 2020 09:05 AM
      |   view attached
    We want to look for a registered user in our #activedirectory using certificate info. Because it is #microsoft 

    ​'s standard we use #altSecurityIdentities​​ to search in AD. 

    We now define with a variable the altSecurityIdentities format (see attachment).

    Is there an easier way to get to altSecurityIdentities?

    Thanks for your response..

    Sebastian van Voorn,
    SR. System Engineer


    altSecIdent.xml   1 KB 1 version

  • 2.  RE: ldap query using altSecurityIdentities
    Best Answer

    Posted May 08, 2020 12:32 PM
    Doing it that way kind of locks you into only that format, so wouldn't be extensible to other DN formats. Depending on the 'order' of the DN should be able to just build it straight from the Issuer and Subject DNs. In our case we have to split and reverse it which adds a bit extra (maybe someone knows another way to easily do that?). Can't really share our full policy itself here, but the idea is that:  

    Build Issuer DN
    * Split request.ssl.clientCertificate.issuer  into Issuer on \s*,\s*
    * Set context var revIssuer as string to empty (placeholder)
    * Run assertion for each item of ${Issuer} as ${Issuer.attribute}
    - Set var revIssuer as string to ${Issuer,attribute},${revIssuer}
    * Evaluate Regular Expression ",$" on revIssuer and replace with nothing <-- removes trailing comma

    Build Subject
    * Set var origSubject as string ${request.ssl.clientCertificate.subject}
    * Evaluate Regular Expression "\s*\+\s*" on origSubject and replace with a space <-- use a space char in replacement so the encoded + becomes actual space
    * Split origSubject into modSubject on \s*,\s*
    * Set context var revSubject as string to empty <-- Placeholder variable
    * Run assertions for each item of modSubject as modSubject.attribute
    - Set context var revSubject as String to ${modSubject.attribute},${revSubject}
    * Evaluate regular expression",$" on revSubject and replace with nothing  <-- removes trailing comma

    Create ASI Value
    * Ser var altSecurityIdentity Expression: X509:<I>${revIssuer}<S>${revSubject}

    Since it's built straight from the Issuer and Subject strings, it is extensible to all the strings coming in - at least we haven't really run into any that failed it yet. Biggest hassle was having to reverse and clean up the strings due to the direction the variables are set by the API GW versus what's actually stored in the Microsoft ASI attribute.

  • 3.  RE: ldap query using altSecurityIdentities

    Posted May 18, 2020 07:25 AM

    Thank you Chris,

    I will try your setup.

    SR. System Engineer