Check LDAP if an object exists with a filter based on the user's certificate attributes after EAP-TLS auth succeeds?
Alexey D. Filimonov
alexey at filimonic.net
Sun Nov 3 23:55:17 UTC 2024
In short, I have EAP-TLS auth, and I need to check if there is an LDAP
object that has the value of `TLS-Client-Cert-Subject-Alt-Name-Upn` in its
`krbCanonicalName` attribute and whose `createTimestamp` is less than or
equal to the `TLS-Client-Cert-Valid-Since` value.
1. I found that the `TLS-Client-Cert-Subject-Alt-Name-Upn` attribute is
created only inside the `authenticate { Auth-Type eap { ... }}` section.
Is it correct that I have no access to certificate properties inside the
`authorize` section?
2. Next, I found that, according to the [rlm_ldap guide from
networkradius](https://www.networkradius.com/doc/current/raddb/mods-available/ldap.html),
the ldap module can `look for user` only inside the `authorize` section, not
inside `authenticate`.
Is it correct that I cannot check for the existence of an object in LDAP
from the `authenticate` section using the `rlm_ldap` module, and that only
xlat-ing can be used?
3. I found that there are some xlat functions exposed by the `rlm_ldap`
module, but they are only mentioned in my `mods-available/ldap` and not
documented in the `3.2.x` branch on GitHub.
I have the FreeRADIUS version from debian-stable, which is `3.2.1`.
Is raddb/mods-available/ldap from the master branch useful as
documentation for the 3.2.1 ldap module?
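Added example (editor's sketch, not part of the original post and not FreeRADIUS project code): one way to wire the check described above into the `post-auth` section of the virtual server that handles the outer EAP-TLS request, so it runs only after the `eap` module has returned ok and the `TLS-Client-Cert-*` attributes it set during the handshake are present in the request. It assumes FreeRADIUS 3.2.x, an `rlm_ldap` instance named `ldap` (which is what registers the `%{ldap:...}` and `%{ldap_escape:...}` xlats), a FreeIPA-style tree under `cn=users,cn=accounts,dc=example,dc=com`, a bind DN that is allowed to read the operational `createTimestamp` attribute, and that the certificate's notBefore is in the 21st century. The base DN, attribute names and reply messages are illustrative.

```unlang
# Added example, not from the original post or the FreeRADIUS project.
# Assumptions: FreeRADIUS 3.2.x, rlm_ldap instance named "ldap",
# FreeIPA-style base DN cn=users,cn=accounts,dc=example,dc=com (hypothetical),
# bind DN permitted to read createTimestamp.
post-auth {
    # Only act when EAP-TLS produced both values we need; the eap module
    # sets the TLS-Client-Cert-* attributes while it runs in authenticate.
    if (&TLS-Client-Cert-Subject-Alt-Name-Upn && &TLS-Client-Cert-Valid-Since) {

        # notBefore is stored as the raw ASN.1 time string. UTCTime is
        # YYMMDDHHMMSSZ (13 chars), GeneralizedTime is YYYYMMDDHHMMSSZ
        # (15 chars). LDAP createTimestamp is GeneralizedTime, so normalise.
        # Assumption: a two-digit year means 20xx.
        if (&TLS-Client-Cert-Valid-Since =~ /^([0-9]{12}Z)$/) {
            update request {
                &Tmp-String-0 := "20%{1}"
            }
        }
        elsif (&TLS-Client-Cert-Valid-Since =~ /^([0-9]{14}Z)$/) {
            update request {
                &Tmp-String-0 := "%{1}"
            }
        }
        else {
            update reply {
                &Reply-Message := "Unparseable certificate notBefore"
            }
            reject
        }

        # Do the "created on or before notBefore" comparison inside the
        # LDAP filter itself: createTimestamp has an ordering matching rule,
        # so <= is evaluated server side. ldap_escape makes the UPN safe to
        # embed in an RFC 4515 filter. The xlat expands to the first
        # krbCanonicalName value of a matching entry, or to nothing.
        update request {
            &Tmp-String-1 := "%{ldap:ldap:///cn=users,cn=accounts,dc=example,dc=com?krbCanonicalName?sub?(&(krbCanonicalName=%{ldap_escape:%{TLS-Client-Cert-Subject-Alt-Name-Upn}})(createTimestamp<=%{Tmp-String-0}))}"
        }

        # No entry satisfied both conditions: turn the Access-Accept that
        # EAP-TLS would have produced into a reject.
        if (!&Tmp-String-1 || (&Tmp-String-1 == "")) {
            update reply {
                &Reply-Message := "No account matches certificate UPN and creation time"
            }
            reject
        }
    }
}
```

Two practical notes on this sketch. First, a module that is only ever referenced through its xlat is not loaded unless it is listed somewhere (for example in `instantiate { ldap }` or in `authorize`), so confirm with `radiusd -X` that the `ldap` instance is instantiated before relying on `%{ldap:...}`. Second, `createTimestamp` is an operational attribute; if the configured bind DN cannot read it, the filter silently matches nothing and every EAP-TLS client is rejected, so test the same filter with `ldapsearch` under that bind DN before deploying.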