For starting it should be enough but what I am not able to do is to set up the correct sequence. First I need to extract the CN field (which can be done and I Already did and I can set up a list of allowed CN in hte users file), and after I need to do an LDAP query to check for authorization. How can I do the following in this exact order ? LDAP authorization is tryed first then comes authentication or am I wrong ? What I'd need is to extract the CN and check it against LDAP attributes... How might I do it ? thank you Riccardo Alan DeKok wrote:
Edgar Fuß wrote:
I don't understand. rlm_eap's check_cert_cn must be able to extract the CN from the user certificate in order to check it against User-Name (or whatever).
Yes...
Or at least, with check_cert_cn = %{User-Name}, you can substitute User-Name for an extracted CN for whatever additional lookup you need.
Yes.
Or am I getting it wrong?
No. But there's no code to extract other fields from the cert.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html