Role Mapping in User Realm w/ Authentication through M$ ADCS
I want some users to connect transparently to our Gateway using a certificate signed by our private PKI. The problem I'm facing is with the Role Mapping restriction where I want to use Group Membership.
The Certificate Auth Server looks for , which value is: valiere.j-c@DOMAIN.tld. I can also use , which value would then be: Valiere Jean-Christophe.
On the LDAP/AD Authentication server, I look for user entries using the following filter: samAccountName=, which value is: valiere.j-c. I could also use cn=, which value would then be: Valiere Jean-Christophe. The Group Membership filter is: cn= and the Member Attribute is member.
Finally, the Subject of my Certificate is as below:
E = firstname.lastname@example.org
CN = Valiere Jean-Christophe
OU = SIT
OU = Administrator Accounts
OU = ORG
DC = DOMAIN
DC = tld
And the Subject Alternative Name is as below:
Principal Name = valiere.j-c@DOMAIN.tld
RFC822 Name = valiere.jean-christophe@DOMAIN.tld
The issue is that I can't have a match between user and group membership because the CN of the certificate is "Valiere Jean-Christophe" and my samAccountName value is: valiere.j-c
My guess is that I would have to change the certificate Subject; unfortunately, I'm pretty limited with the options of the certificate Subject & Subject Alternative Name.
Is there any way I can request the CN of the user from the samAccountName, to then find out whether the user belongs to the group?
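Added example, not part of the post and not any gateway vendor's role-mapping code: a small Python script that shows the mapping the post is after. Instead of matching on the Subject CN ("Valiere Jean-Christophe"), it takes the User Principal Name from the Subject Alternative Name, strips the realm suffix to get the sAMAccountName ("valiere.j-c"), and builds the user lookup and group-membership LDAP filters with proper RFC 4515 escaping so that a value copied out of a certificate cannot change the filter's structure. The Subject and SAN text are constructed to mirror the post's certificate as the Windows certificate viewer renders it; the realm `DOMAIN.tld` comes from the post, while the group name `Gateway-Admins` and the user DN passed to the membership filter are assumptions.

```python
"""Map an X.509 client certificate to an AD user and a group-membership filter.

Added example, not code from the post or from any gateway product. It reads the
Subject and SAN in the 'Key = value' form the Windows certificate viewer prints
and derives sAMAccountName from the SAN UPN, because the Subject CN does not
match sAMAccountName.
"""
from __future__ import annotations

# Constructed sample, mirroring the certificate in the post.
SUBJECT_TEXT = """\
E = firstname.lastname@example.org
CN = Valiere Jean-Christophe
OU = SIT
OU = Administrator Accounts
OU = ORG
DC = DOMAIN
DC = tld
"""

SAN_TEXT = """\
Principal Name = valiere.j-c@DOMAIN.tld
RFC822 Name = valiere.jean-christophe@DOMAIN.tld
"""

REALM = "DOMAIN.tld"          # UPN suffix we accept (from the post)
GROUP_CN = "Gateway-Admins"   # hypothetical group name, not from the post

# RFC 4515 escaping: without it a value taken from a certificate could alter
# the structure of the filter it is embedded in (LDAP filter injection).
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def ldap_escape(value: str) -> str:
    """Escape a value for safe embedding in an LDAP search filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def parse_kv_lines(text: str) -> list[tuple[str, str]]:
    """Parse 'Key = value' lines; keeps order and repeated keys (OU, DC)."""
    pairs = []
    for line in text.splitlines():
        if "=" not in line:
            continue
        key, _, value = line.partition("=")
        pairs.append((key.strip(), value.strip()))
    return pairs


def first_value(pairs: list[tuple[str, str]], key: str) -> str | None:
    """First value stored under key, or None when the key is absent."""
    for k, v in pairs:
        if k == key:
            return v
    return None


def subject_cn(subject_text: str) -> str | None:
    """The Subject CN (display name here, not the logon name)."""
    return first_value(parse_kv_lines(subject_text), "CN")


def san_upn(san_text: str) -> str | None:
    """The User Principal Name (otherName UPN) from the SAN, or None."""
    return first_value(parse_kv_lines(san_text), "Principal Name")


def upn_to_samaccountname(upn: str, realm: str) -> str:
    """sAMAccountName candidate = UPN prefix; refuse a UPN from another realm."""
    local, sep, suffix = upn.rpartition("@")
    if not sep or not local or suffix.lower() != realm.lower():
        raise ValueError(f"UPN realm {suffix!r} is not {realm!r}")
    return local


def user_filter(sam: str) -> str:
    """LDAP filter that finds the user entry by sAMAccountName."""
    return f"(&(objectClass=user)(sAMAccountName={ldap_escape(sam)}))"


def group_filter(group_cn: str, user_dn: str) -> str:
    """LDAP filter that checks membership through the group's member attribute."""
    return (f"(&(objectClass=group)(cn={ldap_escape(group_cn)})"
            f"(member={ldap_escape(user_dn)}))")


def map_certificate(subject_text: str, san_text: str, realm: str) -> dict:
    """Full mapping: CN for display, sAMAccountName from the SAN UPN, user filter."""
    upn = san_upn(san_text)
    if upn is None:
        raise ValueError("certificate carries no UPN in its SAN")
    sam = upn_to_samaccountname(upn, realm)
    return {"cn": subject_cn(subject_text), "upn": upn,
            "sam": sam, "user_filter": user_filter(sam)}


if __name__ == "__main__":
    mapping = map_certificate(SUBJECT_TEXT, SAN_TEXT, REALM)
    print(mapping)
    # Once the directory has returned the user's DN, membership is checked with:
    assumed_dn = ("CN=Valiere Jean-Christophe,OU=SIT,OU=Administrator Accounts,"
                  "OU=ORG,DC=DOMAIN,DC=tld")
    print(group_filter(GROUP_CN, assumed_dn))
```

The point of the script is what gets compared, not the language: the UPN prefix in the SAN already equals the sAMAccountName in the post, so a role-mapping rule that reads the SAN UPN (or searches the directory on userPrincipalName directly) avoids the CN mismatch without touching the certificate template. The realm check matters because a UPN with a foreign suffix should never be shortened into a local account name.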