Symantec Access Management

  • 1.  Siteminder/PKI authentication

    Posted Jun 17, 2014 11:34 AM

    I have a strange issue with PKI certificate authentication with Siteminder Policy Server. The working configuration is detailed below first.

     

    The SubjectDN of the cert is: C=Country1, L=Location1, O=Organization1, OU=OrganizationUnit1, OU=OrganizationUnit2, OU=OrganizationUnit3, CN=CommonName1

     

    I have configured the auth scheme and certificate mapping to use OU to validate the user's identity and I configured the user's LDAP profile to have attr1 with value == OrganizationUnit1 e.g. LDAP query filter looks like (&(attr1=OrganizationUnit1-from cert)(objectClass=inetorgperson)) and this works fine.

     

    Issue:

    I have a few sets of certificates that have the SubjectDN as given below, in the reverse order, and I want to make my current setting work for the below case too. Unfortunately authentication does not work for the below certificate SubjectDN, because it is not able to match the value against the LDAP correctly.

    CN=CommonName1, OU=OrganizationUnit3, OU=OrganizationUnit2,OU=OrganizationUnit1,O=Organization1,L=Location1,C=Country1

     

    The query that I can see in the LDAP is (&(attr1=OrganizationUnit3- from cert)(objectClass=inetorgperson))

     

    Resolution tried:

    I have tried to configure a custom mapping like %{OU3/OU}. As expected, this will only work for cases when either of them is present and not for cases when both are present. I have raised a case with CA and they advised that this will not work, as the Policy Server uses the first OU it encounters to check against the LDAP mapping and it does not support reverse lookup.

     

    Question:

    Out of the box, does Siteminder support an either/or case, i.e. OU1 or OU3? If so, how do I configure this in the certificate mapping? If someone has already seen such a requirement, please kindly suggest.

     

    We are also working with the clients to map to a full subject DN, but until this is available we are looking for a short term solution.



  • 2.  Re: Siteminder/PKI authentication

    Posted Jul 08, 2014 09:59 AM


    Hey Security Community,

     

    Any thoughts for nantha here?

     

    -Kristen



  • 3.  Re: Siteminder/PKI authentication

    Posted Jul 08, 2014 11:20 AM

    Actually, from my reading of the doc, the custom mapping %{OU3/OU} should have worked. That custom mapping means use OU3 if it exists, but if it doesn't exist use OU. Since there will only be an OU3 if there is also an OU (the first OU in a subject DN with multiple OUs), this must work in the case when both are present.

     

    To exactly quote from the R12.52 doc:

     

    %{attribute_name2/attribute_name}

     

    Using the example from above, you could enter %{SN2/SN} as a custom mapping to indicate that the second number in the Subject DN should be used if it exists, otherwise, the first occurrence of the account number attribute should be used.

     

    So I would recommend that you ask your CA account rep/salesperson to get your support case escalated to a higher level support person or SiteMinder engineer.




  • 4.  Re: Siteminder/PKI authentication

    Posted Jun 06, 2017 12:44 PM

    I know I am a little late to the party on this question, but why not just use one of the following LDAP queries?

     

    (|(&(attr1=OrganizationUnit1-from cert)(objectClass=inetorgperson))(&(attr1=OrganizationUnit3- from cert)(objectClass=inetorgperson)))

     

    or 

     

    (&(objectClass=inetorgperson)(|(attr1=OrganizationUnit1-from cert)(attr1=OrganizationUnit3- from cert)))

     

    Either of these should work.
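As an added example (not code from this thread, from CA/Broadcom, or from SiteMinder itself), the following Python applies the %{attribute_name2/attribute_name} rule quoted in reply 3 to the two Subject DN orderings from the original post, and builds the OR'd LDAP filter that reply 4 proposes. It generalises reply 4 slightly by taking the first and last OU of whatever DN is supplied, and it escapes the certificate values per RFC 4515 before they are substituted into the filter, since an RDN value containing `*`, `(` or `)` would otherwise change the filter's structure. The attribute name `attr1` and object class `inetorgperson` follow the thread; the function names and the minimal DN parser are this example's own assumptions, and the parser covers only the RFC 4514 subset the thread's DNs need.

```python
"""Added example: emulate SiteMinder's %{OUn/OU} custom mapping and build
reply 4's OR'd LDAP filter with the certificate values escaped.
Function names are this example's own, not SiteMinder's API."""
import re

# RFC 4515 filter metacharacters that must be hex-escaped inside a value.
_FILTER_SPECIALS = "\\*()\x00"


def parse_subject_dn(dn):
    """Split 'C=X, OU=Y, ...' into ordered (type, value) pairs.
    Splits on commas that are not backslash-escaped; multi-valued RDNs
    ('+') and other RFC 4514 escapes are out of scope for this example."""
    pairs = []
    for rdn in re.split(r"(?<!\\),", dn):
        rdn = rdn.strip()
        if not rdn:
            continue
        attr_type, _, value = rdn.partition("=")
        pairs.append((attr_type.strip().upper(), value.strip()))
    return pairs


def attribute_values(pairs, attr_type):
    """All values of one attribute type, in the order the DN is read."""
    return [v for t, v in pairs if t == attr_type.upper()]


def resolve_mapping(pairs, mapping):
    """Emulate a custom mapping such as %{OU} or %{OU3/OU}: the token left
    of '/' is tried first, the token right of '/' is the fallback.  'OU3'
    means the third OU in reading order; plain 'OU' means the first OU
    encountered, as CA support described in the original post.
    Returns None when no token resolves."""
    m = re.fullmatch(r"%\{([^}]+)\}", mapping)
    if not m:
        raise ValueError("unsupported mapping syntax: %r" % mapping)
    for token in m.group(1).split("/"):
        tm = re.fullmatch(r"([A-Za-z]+)(\d*)", token.strip())
        if not tm:
            raise ValueError("unsupported mapping token: %r" % token)
        attr, index = tm.group(1), int(tm.group(2) or "1")
        values = attribute_values(pairs, attr)
        if len(values) >= index:
            return values[index - 1]
    return None


def ldap_filter_escape(value):
    """Escape a value for use inside an LDAP search filter (RFC 4515)."""
    return "".join(
        "\\%02x" % ord(ch) if ch in _FILTER_SPECIALS else ch for ch in value
    )


def build_or_filter(pairs, attr="attr1", object_class="inetorgperson"):
    """Reply 4's second filter form, taking the first and last OU so that
    either DN ordering from the thread matches the same LDAP profile.
    With a single OU the OR collapses to one equality clause."""
    ous = attribute_values(pairs, "OU")
    if not ous:
        raise ValueError("no OU in subject DN")
    candidates = list(dict.fromkeys([ous[0], ous[-1]]))  # de-duplicate
    clauses = "".join(
        "(%s=%s)" % (attr, ldap_filter_escape(v)) for v in candidates
    )
    if len(candidates) > 1:
        clauses = "(|%s)" % clauses
    return "(&(objectClass=%s)%s)" % (object_class, clauses)


# Constructed sample input: the two Subject DN orderings from the thread.
DN_FORWARD = ("C=Country1, L=Location1, O=Organization1, OU=OrganizationUnit1, "
              "OU=OrganizationUnit2, OU=OrganizationUnit3, CN=CommonName1")
DN_REVERSED = ("CN=CommonName1, OU=OrganizationUnit3, OU=OrganizationUnit2,"
               "OU=OrganizationUnit1,O=Organization1,L=Location1,C=Country1")

if __name__ == "__main__":
    for dn in (DN_FORWARD, DN_REVERSED):
        pairs = parse_subject_dn(dn)
        print("%%{OU}      -> %s" % resolve_mapping(pairs, "%{OU}"))
        print("%%{OU3/OU}  -> %s" % resolve_mapping(pairs, "%{OU3/OU}"))
        print("filter     -> %s" % build_or_filter(pairs))
```

Running the script shows why an index-based mapping cannot serve both orderings: under the quoted rule, %{OU3/OU} resolves to OrganizationUnit3 for the first DN and OrganizationUnit1 for the reversed one, so the LDAP profile's single attr1 value matches only one of them, whereas the OR'd filter matches either. The escaping step matters whenever a value taken from a certificate is interpolated into a filter string; a CA that permits arbitrary characters in an OU would otherwise let a single RDN rewrite the query.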