
Cert and LDAP lookup

SOLVED
Rauno
Occasional Contributor

Hello,

I have a realm with first authentication set to certificate check with User Directory/Attribute: pointing to LDAP.

First problem: Users who can pass the certificate check, but are not in that LDAP server, are still allowed to proceed to secondary authentication. In the Policy trace there is the message "User lookup failed to LDAP server XXX". Is there any way to make the LDAP lookup a mandatory requirement?

Second problem: Users are currently allowed to enter their secondary auth. username. This is done yet again against the same LDAP. From Pulse's view this can even be a completely different user from that LDAP server. Now when a user had a certificate and passed the first auth, but didn't have an account on that LDAP server, he/she can use another user account and permissions are given based on the secondary user's rights...

Well, the last one can be mitigated by denying the user the right to input the secondary username, BUT is this just some UI feature or could someone more advanced still send a different username?

Accepted Solution
r@yElr3y
Moderator

Re: Cert and LDAP lookup

@Rauno So, you do want the same username that VPN fetched from the user certificate to be used for the secondary auth as well and deny the users from providing a different username, correct?

We can configure the VPN server to use the same username by choosing the

 option under the secondary auth username in user realm. Once that's set, users cannot override and provide a manual username during secondary auth.

For the LDAP lookup part, it cannot be mandatory because it's an authorization check; however, the users who fail during user lookup cannot use LDAP authorization anyway, hence a role mapping based on something like a group membership check will make them fail post auth.

Interesting thing that you pointed out is about the permissions given based on the secondary auth, so are you using the username variable as <USERNAME[2]> under the LDAP auth instance? Because by default, authorization will be done against the primary auth's username (cert in your case).

Hope this helps!


PCS Expert
Pulse Connect Secure Certified Expert
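A small model of the realm flow the moderator describes, added here as an illustration and not code from the thread or from Pulse Connect Secure itself. The directory contents, usernames, passwords and the `RealmConfig` fields are constructed stand-ins for the realm settings discussed: reusing the certificate username for secondary auth, and role mapping on `<USERNAME>` versus `<USERNAME[2]>`.

```python
from dataclasses import dataclass

# Constructed sample directory standing in for the LDAP server:
# username -> password, and username -> group memberships.
LDAP_PASSWORDS = {"alice": "alice-pw", "bob": "bob-pw"}
LDAP_GROUPS = {"alice": {"vpn-users"}, "bob": {"vpn-admins"}}


@dataclass
class RealmConfig:
    # True models the realm option that reuses the primary (certificate)
    # username for secondary auth, so users cannot type a different one.
    secondary_username_from_primary: bool
    # 1 models role mapping against <USERNAME> (the primary/cert username),
    # 2 models role mapping against <USERNAME[2]> (the secondary username).
    authz_username_index: int = 1
    required_group: str = "vpn-users"


def authenticate(cfg, cert_user, cert_valid, typed_user, typed_password):
    """Run one login through the realm; return (allowed, reason)."""
    if not cert_valid:
        return False, "primary: certificate check failed"
    # The LDAP user lookup is an authorization step: a miss is only logged
    # ("User lookup failed to LDAP server ...") and does not stop the flow.
    lookup_ok = cert_user in LDAP_GROUPS
    secondary_user = cert_user if cfg.secondary_username_from_primary else typed_user
    if LDAP_PASSWORDS.get(secondary_user) != typed_password:
        return False, f"secondary: credential check failed for {secondary_user!r}"
    # Role mapping uses whichever username the realm is configured to map on.
    authz_user = cert_user if cfg.authz_username_index == 1 else secondary_user
    if cfg.required_group not in LDAP_GROUPS.get(authz_user, set()):
        return False, f"role mapping: {authz_user!r} not in {cfg.required_group!r}"
    return True, f"role mapped via {authz_user!r} (ldap lookup ok: {lookup_ok})"


if __name__ == "__main__":
    # 'carol' holds a valid certificate but has no account in the directory
    # and types alice's credentials at the secondary prompt.
    attempt = ("carol", True, "alice", "alice-pw")
    for name, cfg in [
        ("manual username, map on <USERNAME[2]>", RealmConfig(False, 2)),
        ("manual username, map on <USERNAME> (default)", RealmConfig(False, 1)),
        ("username forced from certificate", RealmConfig(True)),
    ]:
        print(f"{name}: {authenticate(cfg, *attempt)}")
```

Only the first configuration grants access on another user's rights; the default mapping denies carol for lack of group membership, and forcing the secondary username from the certificate fails her at the credential step because no such account exists.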