11-11-2010 02:35 PM
Dear all,
We are using the following subject in our X.509 certificate:
cn=Jack Sparrow,cn=CSN123875,cn=Users,dc=dacomp,dc=cz
I would like to use the second cn as a value for the LDAP search. I thought that the username-from-certificate command in the tunnel-group could do the trick, but if I use "username-from-certificate CN" only the last cn from the certificate is returned (in the case of the above-mentioned example it is the "Users" string). I also tried to use a Lua script, but to no avail. Is there any Lua variable like "return cert.subject.dn" that contains the whole distinguished name from the subject, or any other possibility that could help me to use any CN from the certificate subject as a user name? We are using the asa822-k8.bin (ASDM 6.3(1)) software version. Any answer would be very much appreciated. Thank you very much.
Yours sincerely,
Zdenek Rottenberg
11-16-2010 02:42 AM
Hi Zdenek,
have you tried using a Lua regular expression, i.e. something like
cn=%a+,cn=(%a+),cn=%a+
hth
Herbert
11-16-2010 03:20 PM
Hi Herbert,
first of all thank you very much for your answer.
Yes, it is true that I can use regular expressions, but regular expressions must be applied to a variable. The following table lists the supported variables (this is for ASA software 8.2(2) and ASDM 6.3(1)):
As you can see, there is no variable which represents the complete subject.
The variable cert.subject.cn returns the last CN in the subject. So, a regular expression would be applied to the string "Users" if the certificate subject is CN=rotten,CN=Users,DC=test,DC=cz. I have not found a way to apply the regular expression to the whole distinguished name yet. I tried to use some Lua functions like "return findpattern(cert.subject.cn,"%a+")" and it does not work.
Take care,
Zdenek
11-21-2010 01:44 PM
Can't try this out in the lab right now, but maybe you can try using just "cert.subject"?
11-21-2010 11:59 PM
I have already tried to use the cert.subject variable and it did not work. I think it could not be a serious problem because most certificate subjects have one CN. In the case of more than one CN, choosing the last CN is not good behaviour, of course (that is my opinion). I am going to try upgrading from 8.2.2 to the latest version (within one or two weeks) and give it one more try to find the solution. Then I will let you know the result.
Take care
Zdenek Rottenberg
11-24-2010 07:18 AM
Hi Zdenek,
I think I found the solution, there is a variable cert.subject.fulldn that you can use, e.g.
-- string.find returns the start index, the end index and the first capture;
-- the capture is whatever sits between ",cn=" and ",cn=Users" in the full DN
local a, b, c = string.find(cert.subject.fulldn, ',cn=(.+),cn=Users')
-- the returned value becomes the user name for the LDAP lookup
return c
hth
Herbert
11-24-2010 11:10 AM
Hi Herbert,
The variable cert.subject.fulldn is a valid variable, and if you write the script:
return cert.subject.fulldn
you will see (in Wireshark) a valid LDAP query with a search string containing the whole DN. This is an incredible result. By the way, where did you find this variable? The script itself did not work, but I think I have enough information to complete the script by myself.
I am, of course, going to inform you about the results of my ongoing tests.
Thank you very much for your help.
Take care,
Zdenek Rottenberg
11-24-2010 01:33 PM
Hi Zdenek,
strange, the script worked ok for me. My test certificate has:
cn=John Doe,cn=jdoe,cn=users,ou=employees
and with the script I posted (except with 'users' instead of 'Users' in the pattern, I just changed that to match your example) I get 'jdoe' as result.
Anyway, have fun debugging the script, and let me know if I can still help.
And to answer your question: I used internal Cisco resources ;-)
cheers
Herbert
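The pattern above relies on the second CN being followed literally by ",cn=Users" and on no value containing an escaped comma. The following is an added example (not code from this thread or from Cisco) that instead parses cert.subject.fulldn into its RDN components and returns the n-th CN by position, so it works for any number of CNs and any attribute order. It assumes cert.subject.fulldn has the "attr=value,attr=value" form shown in the thread and that the ASA's Lua sandbox exposes the standard string and table library functions used here.

```lua
-- Added example, not from the thread. Assumes cert.subject.fulldn is the
-- comma-separated "attr=value" DN shown above and that the ASA Lua
-- environment provides string.sub/string.match/string.lower/table.concat.

-- Split an RFC 4514 style DN into an ordered list of {attr, value} pairs.
-- A backslash escapes the next character, so "\," inside a value does not split.
local function parse_dn(dn)
  local parts, buf, i = {}, {}, 1
  while i <= #dn do
    local ch = string.sub(dn, i, i)
    if ch == "\\" and i < #dn then
      buf[#buf + 1] = string.sub(dn, i + 1, i + 1); i = i + 2
    elseif ch == "," then
      parts[#parts + 1] = table.concat(buf); buf = {}; i = i + 1
    else
      buf[#buf + 1] = ch; i = i + 1
    end
  end
  parts[#parts + 1] = table.concat(buf)
  local rdns = {}
  for _, p in ipairs(parts) do
    local attr, value = string.match(p, "^%s*([^=%s]+)%s*=%s*(.-)%s*$")
    if attr then rdns[#rdns + 1] = { attr = string.lower(attr), value = value } end
  end
  return rdns
end

-- Return the n-th CN counted from the left (the most specific end), or nil.
-- Attribute names are compared case-insensitively, so "CN=" and "cn=" both match.
local function nth_cn(dn, n)
  local count = 0
  for _, rdn in ipairs(parse_dn(dn)) do
    if rdn.attr == "cn" then
      count = count + 1
      if count == n then return rdn.value end
    end
  end
  return nil
end

-- Constructed DNs mirroring the two subjects discussed in the thread.
assert(nth_cn("cn=Jack Sparrow,cn=CSN123875,cn=Users,dc=dacomp,dc=cz", 2) == "CSN123875")
assert(nth_cn("cn=John Doe,cn=jdoe,cn=users,ou=employees", 2) == "jdoe")
assert(nth_cn("cn=Doe\\, John,cn=jdoe,cn=users", 2) == "jdoe")  -- escaped comma stays in the value
assert(nth_cn("cn=single,dc=example", 2) == nil)                 -- no second CN present

-- As the body of an ASA username-from-certificate script, the final line would be:
-- return nth_cn(cert.subject.fulldn, 2) or cert.subject.cn
```

Falling back to cert.subject.cn when no second CN exists keeps the existing behaviour for certificates with a single CN, so the script does not hand an empty user name to the LDAP lookup.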
11-28-2010 03:03 PM
Hi Herbert,
Finally, I managed to find out where the problem was. The problem was in the asa822-k8.bin or asdm-631.bin (or in both of them) software. After migrating to asa832-4-k8.bin and asdm-634-53.bin everything started to work correctly. Thank you very much for your help.
Take care,
Zdenek
11-29-2010 01:08 AM
Hi Zdenek
great, thanks for letting us know!
BTW please mark the thread as resolved, thanks!
cheers
Herbert