I have a strange issue with PKI certificate authentication with Siteminder Policy Server. The working configuration is detailed below first.
The SubjectDN of the cert is: C=Country1, L=Location1, O=Organization1, OU=OrganizationUnit1, OU=OrganizationUnit2, OU=OrganizationUnit3, CN=CommonName1
I have configured the auth scheme and certificate mapping to use OU to validate the user's identity, and I configured the user's LDAP profile to have attr1 with value == OrganizationUnit1, e.g. the LDAP query filter looks like (&(attr1=OrganizationUnit1-from cert)(objectClass=inetorgperson)), and this works fine.
Issue:
I have a few sets of certificates that have a SubjectDN as given below, in the reverse order, and I want to make my current setting work for the below case too. Unfortunately authentication does not work for the below certificate SubjectDN, because it is not able to match the value against LDAP correctly.
CN=CommonName1, OU=OrganizationUnit3, OU=OrganizationUnit2, OU=OrganizationUnit1, O=Organization1, L=Location1, C=Country1
The query that I can see in the LDAP is (&(attr1=OrganizationUnit3-from cert)(objectClass=inetorgperson))
Resolution tried:
I have tried to configure a custom mapping like %{OU3/OU}. As expected, this will only work for cases when either of them is present and not for cases when both are present. I have raised a case with CA and they advised that this will not work, as the Policy Server uses the first OU it encounters to check against the LDAP mapping and it does not support reverse lookup.
Question:
Out of the box, does Siteminder support an either/or case, i.e. OU1 or OU3? If so, how do I configure this in the certificate mapping? If someone has already seen this kind of requirement, please kindly suggest.
We are also working with the clients to map to a full subject DN, but until this is available we are looking for a short-term solution.
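As an added illustration (not code from the original post and not SiteMinder's own implementation), the following Python parses the two subject DNs from the question, shows that a first-OU mapping picks a different OU for each order, and builds a hypothetical order-independent filter that matches the profile on any OU present, with RFC 4515 escaping of the certificate-supplied values; the attribute name attr1 and the objectClass are the ones from the question.

```python
# Constructed sample DNs (not from a real deployment): the same subject in the
# two attribute orders described in the question.
DN_LDAP_ORDER = ("C=Country1, L=Location1, O=Organization1, OU=OrganizationUnit1, "
                 "OU=OrganizationUnit2, OU=OrganizationUnit3, CN=CommonName1")
DN_REVERSE_ORDER = ("CN=CommonName1, OU=OrganizationUnit3, OU=OrganizationUnit2,"
                    "OU=OrganizationUnit1,O=Organization1,L=Location1,C=Country1")

def parse_dn(dn):
    """Split an RFC 4514 string DN into (type, value) pairs. Backslash escapes
    are honoured so an escaped comma inside a value is not a separator.
    Multi-valued RDNs ('+') are not handled here."""
    rdns, buf, escaped = [], [], False
    for ch in dn:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == ",":
            rdns.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    rdns.append("".join(buf))
    pairs = []
    for rdn in rdns:
        attr_type, _, value = rdn.strip().partition("=")
        pairs.append((attr_type.strip().upper(), value.strip()))
    return pairs

def ou_values(dn):
    """All OU values in subject order. Index 0 is what a first-match mapping
    (the behaviour the question describes) would compare against LDAP."""
    return [v for t, v in parse_dn(dn) if t == "OU"]

def ldap_escape(value):
    """RFC 4515 filter escaping, so a certificate-supplied value cannot change
    the structure of the filter it is placed in."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def order_independent_filter(dn, attr="attr1"):
    """Match the profile on any OU present in the subject, whichever order the
    issuer wrote it in (hypothetical mapping, not a SiteMinder setting)."""
    ous = ou_values(dn)
    if not ous:
        raise ValueError("subject DN contains no OU")
    clauses = "".join("(%s=%s)" % (attr, ldap_escape(v)) for v in ous)
    return "(&(|%s)(objectClass=inetorgperson))" % clauses
```

The OR-of-OUs filter widens the match, so it only makes sense where every OU in the subject is one the issuer controls; otherwise a certificate with an extra OU could map to a different profile.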