Every certificate contains the subject name as CN. For example, CN = John D, CN = Users, DC = train, DC = local. Refer to the following image:

The CN attribute is also used in LDAP. So, you can configure LDAP as the auth server for AD and configure the filter for finding the user entry as CN=<USER>, as shown in the following image:

Now go to the Realm that is configured for the certificate, configure the LDAP server as the secondary auth server, and configure predefined with the <certattr.cn> attribute, as shown in the following image:

When you access the URL, the Choose a digital certificate window is displayed:

Subsequently, the LDAP password window is displayed:

After typing the required credentials, you will have access.
Excerpt from the Policy trace:
info - [10.130.35.244] - Root::John D(John)[] - 2011/08/13 05:05:04 - Variable userDNText@John LDAP = "CN=John D,CN=Users,DC=train,DC=local"
info - [10.130.35.244] - Root::John D(John)[] - 2011/08/13 05:05:04 - Variable userAttr@John LDAP.cn = "John D"
info - [10.130.35.244] - Root::John D(John)[] - 2011/08/13 05:05:04 - Variable userAttr@John LDAP.sAMAccountName = "john"
info - [10.130.35.244] - Root::John D(John)[] - 2011/08/13 05:05:04 - Mapped to roles John by rule 'certAttr.cn = '*''
info - [10.130.35.244] - Root::John D (John)[] - 2011/08/13 05:05:04 - Realm John mapped user John D to roles John
info - [10.130.35.244] - Root::John D(John)[] - 2011/08/13 05:05:04 - Role restrictions successfully passed for roles: John
info - [10.130.35.244] - Root::john d(John)[John] - 2011/08/13 05:05:04 - Sign-in successful, creating session
info - [10.130.35.244] - Root::John D(John)[John] - 2011/08/13 05:05:04 - Session created, redirecting user to start page. Sign-in done.
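
An added example (not part of the original article or of the vendor's tooling): a Python parser for the policy trace lines quoted above. It collects the LDAP variables for one sign-in, checks that the signed-in name, the LDAP cn and the leaf CN of the user DN agree, and notes when the role came from a wildcard rule such as certAttr.cn = '*'. The field layout scope::user(realm)[roles] and the name audit_trace are assumptions read off the excerpt.

```python
import re

# Lines copied from the policy trace excerpt on this page.
TRACE = """\
info - [10.130.35.244] - Root::John D(John)[] - 2011/08/13 05:05:04 - Variable userDNText@John LDAP = "CN=John D,CN=Users,DC=train,DC=local"
info - [10.130.35.244] - Root::John D(John)[] - 2011/08/13 05:05:04 - Variable userAttr@John LDAP.cn = "John D"
info - [10.130.35.244] - Root::John D(John)[] - 2011/08/13 05:05:04 - Variable userAttr@John LDAP.sAMAccountName = "john"
info - [10.130.35.244] - Root::John D(John)[] - 2011/08/13 05:05:04 - Mapped to roles John by rule 'certAttr.cn = '*''
info - [10.130.35.244] - Root::john d(John)[John] - 2011/08/13 05:05:04 - Sign-in successful, creating session
""".splitlines()

# Assumed field layout: level - [source IP] - scope::user(realm)[roles] - time - message
LINE = re.compile(r"^(?P<level>\w+) - \[(?P<ip>[^\]]+)\] - \w+::(?P<user>.+?)\s*"
                  r"\((?P<realm>[^)]*)\)\[(?P<roles>[^\]]*)\] - "
                  r"(?P<time>\d{4}/\d\d/\d\d \d\d:\d\d:\d\d) - (?P<msg>.*)$")
VAR = re.compile(r'^Variable (\w+)@(.+?)(?:\.(\w+))? = "(.*)"$')
RULE = re.compile(r"^Mapped to roles (.+?) by rule '(.*)'$")
LEAF_CN = re.compile(r"^CN=((?:\\.|[^,\\])+)", re.I)  # first RDN, escaped commas kept


def audit_trace(lines):
    """Summarise one sign-in and flag points a reviewer should look at."""
    s = {"attrs": {}, "dn": None, "rule": None, "roles": None,
         "signed_in": False, "findings": []}
    for raw in lines:
        m = LINE.match(raw.strip())
        if not m:
            continue  # not a policy-trace line
        s.update(ip=m["ip"], realm=m["realm"])
        s.setdefault("user", m["user"])  # sign-in name as first logged
        msg = m["msg"]
        if v := VAR.match(msg):
            kind, _server, attr, value = v.groups()
            if kind == "userDNText":
                s["dn"] = value
            elif kind == "userAttr" and attr:
                s["attrs"][attr] = value
        elif r := RULE.match(msg):
            s["roles"], s["rule"] = r.group(1), r.group(2)
        elif msg.startswith("Sign-in successful"):
            s["signed_in"] = True
    leaf = LEAF_CN.match(s["dn"] or "")
    names = {s.get("user", "").lower(), s["attrs"].get("cn", "").lower(),
             leaf.group(1).lower() if leaf else ""}
    if len(names) != 1 or "" in names:
        s["findings"].append("certificate name, LDAP cn and DN leaf disagree")
    if s["rule"] and re.search(r"=\s*'\*'\s*$", s["rule"]):
        s["findings"].append("role mapped by wildcard rule: " + s["rule"])
    return s
```

Names are compared case-insensitively because the excerpt logs the same user as both "John D" and "john d".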