Role Mapping in User Realm w/ Authentication through M$ ADCS

Hi Gurus,

I want some users to connect transparently to our Gateway using a certificate signed by our private PKI.
The problem I'm facing is with the Role Mapping restriction where I want to use Group Membership.

The Certificate Auth Server Looks for which value is: valiere.j-c@DOMAIN.tld
I can also use which value would then be: Valiere Jean-Christophe

On the LDAP/AD Authentication server, I look for user entries using the following filter: samAccountName=, which value is: valiere.j-c
I could also use cn=, which value would then be: Valiere Jean-Christophe
The Group Membership filter is: cn= and Member Attribute is member.

Finally, the Subject of my Certificate is as below:
E = valiere.jean-christophe@domain.tld
CN = Valiere Jean-Christophe
OU = SIT
OU = Administrator Accounts
OU = ORG
DC = DOMAIN
DC = tld

And the Subject Alternative Name is as below:
Principal Name = valiere.j-c@DOMAIN.tld
RFC822 Name = valiere.jean-christophe@DOMAIN.tld

The issue is that I can't have a match between user and group membership because the CN of the certificate is "Valiere Jean-Christophe" and my samAccountName value is: valiere.j-c

My guess is that I would have to change the certificate Subject; unfortunately, I'm pretty limited with the options of the certificate Subject & Subject Alternative Name.

Is there any way I can request the CN of the user from the samAccountName to then find if the user belongs to the group?

Hope I have been clear :-)

Thanks & Best Regards,
Jean-Christophe Valiere
Moderator

Re: Role Mapping in User Realm w/ Authentication through M$ ADCS

Can you change your lookup on the LDAP username from sAMAccountName to userPrincipalName?
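The mapping problem in the question and the fix suggested in the reply come down to which certificate field is compared against which AD attribute. The following is an added illustration, not code from the original post or from any gateway product: the certificate is represented as an already-parsed dict with the Subject CN and both SAN values from the question, and AD is replaced by a constructed in-memory directory (the user entry and a hypothetical "Gateway Admins" group are both made up for this example). Filters are built as RFC 4515 strings with proper escaping, and group membership is checked the AD way, through the group's `member` attribute holding the user's DN.

```python
"""
Added example (not from the forum post or any vendor code): map identities
from an X.509 client certificate to an AD user entry and evaluate group
membership the way a role-mapping rule would.

Constructed for this example: the parsed certificate dict, the in-memory
directory standing in for AD, and the group "Gateway Admins".
"""
import re

# Certificate fields, mirroring the Subject / SAN layout in the question.
CERT = {
    "subject_cn": "Valiere Jean-Christophe",
    "san_upn": "valiere.j-c@DOMAIN.tld",            # SAN Principal Name (UPN)
    "san_rfc822": "valiere.jean-christophe@DOMAIN.tld",
}

USER_DN = "CN=Valiere Jean-Christophe,OU=SIT,OU=Administrator Accounts,OU=ORG,DC=DOMAIN,DC=tld"

# Constructed AD entries. Membership lives on the group object in its
# 'member' attribute, which holds the member's DN (AD convention).
DIRECTORY = [
    {
        "dn": USER_DN,
        "objectClass": ["user"],
        "cn": "Valiere Jean-Christophe",
        "sAMAccountName": "valiere.j-c",
        "userPrincipalName": "valiere.j-c@DOMAIN.tld",
        "mail": "valiere.jean-christophe@DOMAIN.tld",
    },
    {
        "dn": "CN=Gateway Admins,OU=Groups,DC=DOMAIN,DC=tld",   # hypothetical group
        "objectClass": ["group"],
        "cn": "Gateway Admins",
        "member": [USER_DN],
    },
]


def ldap_escape(value: str) -> str:
    """Escape a value for use inside an RFC 4515 filter, so that a certificate
    field containing '(' ')' '*' or '\\' cannot rewrite the filter."""
    return (value.replace("\\", "\\5c").replace("*", "\\2a")
                 .replace("(", "\\28").replace(")", "\\29").replace("\x00", "\\00"))


def ldap_unescape(value: str) -> str:
    """Inverse of ldap_escape: turn \\XX hex escapes back into characters."""
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def build_filter(attr: str, value: str) -> str:
    """Equality filter like the gateway's 'samAccountName=<USER>' template."""
    return f"({attr}={ldap_escape(value)})"


def search(filter_str: str):
    """Tiny evaluator for single equality filters '(attr=value)' over DIRECTORY."""
    m = re.fullmatch(r"\((\w+)=(.*)\)", filter_str)
    if not m:
        raise ValueError(f"unsupported filter: {filter_str}")
    attr, value = m.group(1), ldap_unescape(m.group(2))
    hits = []
    for entry in DIRECTORY:
        stored = entry.get(attr)
        if stored is None:
            continue
        values = stored if isinstance(stored, list) else [stored]
        # AD string attributes compare case-insensitively.
        if any(v.lower() == value.lower() for v in values):
            hits.append(entry)
    return hits


def find_user(lookup_attr: str, cert_value: str):
    """Resolve the certificate value to exactly one user entry, else None."""
    users = [e for e in search(build_filter(lookup_attr, cert_value))
             if "user" in e["objectClass"]]
    return users[0] if len(users) == 1 else None


def is_member(user, group_cn: str, member_attr: str = "member") -> bool:
    """Group Membership check: filter 'cn=<GROUP>', then look for the user's DN
    in the group's member attribute."""
    members = [m.lower() for g in search(build_filter("cn", group_cn))
               for m in g.get(member_attr, [])]
    return user["dn"].lower() in members


def evaluate(cert, lookup_attr: str, cert_field: str, group_cn: str) -> bool:
    """Full role-mapping decision: cert field -> AD attribute -> group membership."""
    user = find_user(lookup_attr, cert[cert_field])
    return user is not None and is_member(user, group_cn)


if __name__ == "__main__":
    # Subject CN against sAMAccountName (the question's mismatch) fails;
    # SAN UPN against userPrincipalName (the reply's suggestion) succeeds.
    print("CN -> sAMAccountName:", evaluate(CERT, "sAMAccountName", "subject_cn", "Gateway Admins"))
    print("UPN -> userPrincipalName:", evaluate(CERT, "userPrincipalName", "san_upn", "Gateway Admins"))
```

Running it shows the two outcomes side by side: the Subject CN never equals the sAMAccountName, so that pairing resolves no user and the group check is never reached, whereas the SAN Principal Name is exactly the userPrincipalName value, so the lookup resolves to one entry and the `member` attribute check passes. The escaping in `build_filter` is the part worth keeping in any real implementation: certificate fields are attacker-influenced input to the LDAP filter and must not be interpolated raw.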