We are using the following subject in our X.509 certificate:
I would like to use the second CN as the value for the LDAP search. I thought that the username-from-certificate command in the tunnel-group could do the trick, but if I use "username-from-certificate CN" only the last CN from the certificate is returned (in the case of the above-mentioned example it is the "Users" string). I also tried to use a Lua script, but to no avail. Is there any Lua variable like "return cert.subject.dn" that contains the whole distinguished name from the subject, or any other possibility that could help me use any CN from the certificate subject as a user name? We are using the asa822-k8.bin (ASDM 6.3(1)) software version. Any answer would be very much appreciated. Thank you very much.
Have you tried using a Lua regular expression, i.e. something like
First of all, thank you very much for your answer.
Yes, it is true that I can use regular expressions, but regular expressions must be applied to a variable. The following table lists the supported variables (this is for ASA software 8.2(2) and ASDM 6.3(1)):
Subject Serial Number
Issuer Serial Number
Certificate Serial Number
User Principal Name
As you can see, there is no variable that represents the complete subject.
The variable cert.subject.cn returns the last CN in the subject. So a regular expression would be applied to the string "Users" if the certificate subject is CN=rotten,CN=Users,DC=test,DC=cz. I have not found a way to apply the regular expression to the whole distinguished name yet. I tried to use some Lua functions like "return findpattern(cert.subject.cn,"%a+")" and it does not work.
I have already tried to use the cert.subject variable and it did not work. I think it may not be a serious problem because most certificate subjects have one CN. In the case of more than one CN, choosing the last CN is of course not good behaviour (in my opinion). I am going to try upgrading from 8.2.2 to the latest version (within one or two weeks) and give it one more try to find the solution. Then I will let you know the result.
I think I found the solution, there is a variable cert.subject.fulldn that you can use, e.g.
-- capture the CN that precedes ",cn=Users" in the full subject DN
-- and return it as the user name for the LDAP search
local a, b, c = string.find(cert.subject.fulldn, ',cn=(.+),cn=Users')
return c
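The following is an added example, not code from the thread above and not from Cisco, showing how a script in the same ASA Lua style can pick the user CN out of cert.subject.fulldn regardless of where in the DN it sits. It assumes cert.subject.fulldn is a comma-separated RFC 2253-style string such as "CN=rotten,CN=Users,DC=test,DC=cz" and that the case of the attribute types is not guaranteed, so matching is done case-insensitively; the `cert` table, the `first_user_cn` helper and the "Users" container name are constructed for the example.

```lua
-- Constructed stand-in for the ASA-provided variable, so the script runs
-- offline; on the ASA the real cert.subject.fulldn is supplied by the box.
local cert = { subject = { fulldn = "CN=rotten,CN=Users,DC=test,DC=cz" } }

-- Return the first CN of a DN whose value is not the container CN
-- (e.g. "Users"), preserving the original case of the value.
-- Limitation (documented, not handled): RDN values containing an escaped
-- comma ("\,") would be cut at that comma.
local function first_user_cn(fulldn, container)
  container = (container or "users"):lower()
  -- A leading comma is prepended so the very first RDN matches the same
  -- ",cn=" pattern as every later one; a pattern that starts with "," would
  -- otherwise never match a DN that begins with "CN=".
  local dn = "," .. fulldn
  local lower = dn:lower()
  local pos = 1
  while true do
    -- "[^,]+" stops at the next comma, so a greedy ".+" cannot swallow
    -- several RDNs at once when the DN has more than two CNs.
    local s, e, value = lower:find(",%s*cn=([^,]+)", pos)
    if not s then
      return nil                          -- no usable CN in this DN
    end
    if value ~= container then
      -- take the value from the untouched string to keep its original case
      return dn:sub(e - #value + 1, e)
    end
    pos = e + 1
  end
end

-- Demonstration of the edge cases the pattern in the post above depends on:
-- the original ",cn=(.+),cn=Users" pattern only matches when something
-- precedes the user CN, because it requires a leading comma.
assert(string.find("CN=rotten,CN=Users,DC=test,DC=cz", ",cn=(.+),cn=Users") == nil)
assert(first_user_cn("CN=rotten,CN=Users,DC=test,DC=cz", "Users") == "rotten")
-- reversed RDN order and container CN listed first are handled the same way
assert(first_user_cn("DC=cz,DC=test,CN=Users,CN=rotten", "Users") == "rotten")
assert(first_user_cn("CN=Users,DC=test,DC=cz", "Users") == nil)

-- What the ASA script body itself would return for the user name:
return first_user_cn(cert.subject.fulldn, "Users")
```

When used as the script for username-from-certificate, only the final `return` line and the helper are needed; the `cert` stub and the assertions are there so the script can be checked with a standalone Lua interpreter before it is pasted into the tunnel-group configuration.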
The variable cert.subject.fulldn is a valid variable, and if you write the script:
you will see (in Wireshark) a valid LDAP query with a search string containing the whole DN. This is an incredible result. By the way, where did you find this variable? The script itself did not work, but I think I have enough information to complete the script by myself.
I am, of course, going to inform you about the results of my ongoing tests.
Thank you very much for your help.
Strange, the script worked OK for me. My test certificate has:
and with the script I posted (except with 'users' instead of 'Users' in the pattern; I just changed that to match your example) I get 'jdoe' as the result.
Anyway have fun debugging the script and let me know if I can still help
And to answer your question: I used internal Cisco resources ;-)
Finally I managed to find out where the problem was. The problem was in the asa822-k8.bin or asdm-631.bin (or in both of them) software. After migrating to asa832-4-k8.bin and asdm-634-53.bin everything started to work correctly. Thank you very much for your help.