5 replies  Latest Post - 2011-08-19T14:32:50Z by SystemAdmin
SystemAdmin

Pinned topic credential map breaks LDAP query for authorization in AAA policy

2009-10-13T16:40:04Z
Hey guys, I have a weird one. I'm trying to create a credential map stylesheet to grab the LDAP-formatted DN of the authenticated SSL certificate (instead of X.509).

The stylesheet looks like this:


<?xml version="1.0" encoding="UTF-8"?>
<xsl:stylesheet xmlns:dp="http://www.datapower.com/extensions"
                exclude-result-prefixes="dp"
                extension-element-prefixes="dp"
                version="1.0"
                xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
  <xsl:output method="xml" />
  <xsl:template match="/">
    <xsl:copy-of select="*" />
    <!--
    <xsl:element name="credentials">
      <xsl:element name="entry">
        <xsl:element name="dn">
          <xsl:copy-of select="dp:auth-info('ssl-client-subject','ldap-strict')" />
        </xsl:element>
      </xsl:element>
    </xsl:element>
    -->
  </xsl:template>
</xsl:stylesheet>


Here's the thing... this stylesheet does nothing but dump out what you put into it. All the parts that do the work and reverse the DN are commented out. It should do nothing. Instead, it seems to break the LDAP directory lookup in the authorization phase.

If I set the map-credentials to 'none' so that nothing happens in that phase of AAA, the LDAP lookup fires and the lookup fails because the cert doesn't match what's in AD as expected.

As soon as I put in any credential map sheet, it's as if the LDAP query is failing before it even starts:


12:18:28  multistep  error  1571809  >  172.29.11.157  0x01d30002  mpgw (cssession): AAA Authorization Failure
12:18:28  aaa  debug  1571809  >  172.29.11.157  0x80c0006b  mpgw (cssession): Policy(x509-LDAP): ldap authorization failed with credential 'SPECIAL-FORMAT-NOT-PRINTED' for resource '/cssession/iws/SessionManagerService'
12:18:28  aaa  debug  1571809  >  172.29.11.157  0x80c0006b  mpgw (cssession): Policy(x509-LDAP): Mapped-Credentials format is special. One or more 'entry' child elements are expected.
12:18:28  aaa  debug  1571809  >  172.29.11.157  0x80c0006b  mpgw (cssession): Policy(x509-LDAP): Cached Authorize entry
12:18:28  aaa  debug  1571809  >  172.29.11.157  0x80c0006b  mpgw (cssession): Policy(x509-LDAP): Authorizing with "ldap"
12:18:28  aaa  debug  1571809  >  172.29.11.157  0x80c0006b  mpgw (cssession): Policy(x509-LDAP): Authorize cache check with key='authz<container><mapped-credentials type="stylesheet" au-success="true" url="local:///getCertSubjDN.xsl"><credentials><entry type="client-ssl">/DC=org/DC=citistreet/DC=corp/OU=Administration/OU=Service Accounts/CN=~wsrsapp</entry></credentials></mapped-credentials><mapped-resource type="none"><resource><item type="original-url">/cssession/iws/SessionManagerService</item></resource></mapped-resource><identity><entry type="client-ssl"><dn>/DC=org/DC=citistreet/DC=corp/OU=Administration/OU=Service Accounts/CN=~wsrsapp</dn><issuer>/C=US/ST=Massachusetts/O=CitiStreet,LLC/OU=Webservices/CN=Unit Application Authority/emailAddress=webservices@citistreetonline.com</issuer><serial>106</serial></entry></identity><au-ancillary-info>[...]
12:18:28  aaa  debug  1571809  >  172.29.11.157  0x80c0006b  mpgw (cssession): Policy(x509-LDAP): Authorize Caching is on: absolute
12:18:28  aaa  debug  1571809  >  172.29.11.157  0x80c0006b  mpgw (cssession): Policy(x509-LDAP): Mapping resources using none
12:18:28  xslt  debug  1571809  172.29.11.157  0x80a002ac  xmlmgr (default): xsltlocal:///getCertSubjDN.xsl
12:18:28  xslt  debug  1571809  172.29.11.157  0x80a002aa  xmlmgr (default): xsltlocal:///getCertSubjDN.xsl
12:18:28  aaa  debug  1571809  >  172.29.11.157  0x80c0006b  mpgw (cssession): Policy(x509-LDAP): Mapping credentials using custom


So... is there something wrong with my stylesheet? Am I missing something?
Updated on 2011-08-19T14:32:50Z at 2011-08-19T14:32:50Z by SystemAdmin
  • JimBrennan

    Re: credential map breaks LDAP query for authorization in AAA policy

    2009-10-13T20:07:26Z  in response to SystemAdmin
    It seems as if the mapped credential is not in the correct format. The log message "Mapped-Credentials format is special. One or more 'entry' child elements are expected." is telling you that the mapped credential should contain an <entry> element. Instead of passing the input to the mapped credential as is, try extracting the identity and adding it to an <entry> element and adding that to the output. Check the probe to see what format it is expecting.
  • SystemAdmin

    Re: credential map breaks LDAP query for authorization in AAA policy

    2009-10-14T21:04:47Z  in response to SystemAdmin
    You are correct, sir. The output is supposed to be "one or more entry objects", just like the error says. I did have that but was also wrapping it in a credentials tag like the incoming XML.

    What was particularly confusing was that, in the GUI, it looks like the credential is mapped successfully when you view context vars in the probe. I could see the old DN in the AU variable and the new one in the MC variable. The only thing that appeared to be wrong was the log message and the utter failure of the LDAP query with hardly a peep in the log.

    Thanks Jim for all your help!
    --steev
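Putting Jim's answer and Steev's confirmation together, this is the shape of Map Credentials stylesheet the thread arrives at: one or more bare <entry> elements at the top level of the output, with no <credentials> wrapper. It is an added example, not the stylesheet from the original post. It assumes that the stylesheet's input is the <container> that appears in the Authorize cache key in the log (so the X.509 subject sits at container/identity/entry[@type='client-ssl']/dn) and that the mapped entry keeps the type="client-ssl" of the incoming credential; both are assumptions, not something the thread states. The slash-form subject is reordered into LDAP form with a recursive template in plain XSLT 1.0 so the sheet can be exercised off-appliance with xsltproc; on DataPower itself, the dp:auth-info('ssl-client-subject','ldap-strict') call from the original post returns the LDAP-ordered subject directly and is the call to prefer there.

```xslt
<?xml version="1.0" encoding="UTF-8"?>
<!--
  Added example, not the stylesheet from the original post.
  ASSUMPTION: the Map Credentials input is the <container> seen in the
  Authorize cache key in the log.  Constructed sample input for xsltproc:

  <container>
    <identity>
      <entry type="client-ssl">
        <dn>/DC=org/DC=citistreet/DC=corp/OU=Administration/OU=Service Accounts/CN=~wsrsapp</dn>
      </entry>
    </identity>
    <credentials>
      <entry type="client-ssl">/DC=org/DC=citistreet/DC=corp/OU=Administration/OU=Service Accounts/CN=~wsrsapp</entry>
    </credentials>
  </container>
-->
<xsl:stylesheet version="1.0"
                xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
  <xsl:output method="xml" omit-xml-declaration="yes"/>

  <!-- Root template: emit one bare <entry> per client-ssl identity.
       Nothing wraps the entries; a <credentials> wrapper here is what
       triggers "One or more 'entry' child elements are expected". -->
  <xsl:template match="/">
    <xsl:for-each select="container/identity/entry[@type='client-ssl']">
      <xsl:variable name="subject" select="normalize-space(dn)"/>
      <!-- ASSUMPTION: keep the incoming credential type on the mapped entry. -->
      <entry type="client-ssl">
        <xsl:call-template name="slash-dn-to-ldap">
          <!-- drop the leading "/" if present; starts-with() is 1 when true -->
          <xsl:with-param name="rdns"
                          select="substring($subject, 1 + starts-with($subject, '/'))"/>
        </xsl:call-template>
      </entry>
    </xsl:for-each>
  </xsl:template>

  <!-- Recursive template: "DC=org/DC=corp/CN=app" becomes "CN=app,DC=corp,DC=org".
       Each call takes the first RDN off the front and prepends it to the
       accumulator, so the most specific RDN ends up first, as LDAP expects.
       It does not escape RDN values; see the note below the block. -->
  <xsl:template name="slash-dn-to-ldap">
    <xsl:param name="rdns"/>
    <xsl:param name="acc" select="''"/>
    <xsl:choose>
      <xsl:when test="contains($rdns, '/')">
        <xsl:call-template name="slash-dn-to-ldap">
          <xsl:with-param name="rdns" select="substring-after($rdns, '/')"/>
          <xsl:with-param name="acc">
            <xsl:value-of select="substring-before($rdns, '/')"/>
            <xsl:if test="$acc != ''">,<xsl:value-of select="$acc"/></xsl:if>
          </xsl:with-param>
        </xsl:call-template>
      </xsl:when>
      <xsl:otherwise>
        <!-- last RDN: it goes first, followed by everything accumulated so far -->
        <xsl:value-of select="$rdns"/>
        <xsl:if test="$acc != ''">,<xsl:value-of select="$acc"/></xsl:if>
      </xsl:otherwise>
    </xsl:choose>
  </xsl:template>
</xsl:stylesheet>
```

Run as `xsltproc getCertSubjDN.xsl container.xml` with the sample container saved to a file; the result is a single `<entry type="client-ssl">` whose text is the subject in LDAP order, CN first and DC=org last, which is the form the "one or more 'entry' child elements" check accepts. The string split is deliberately naive: an RDN value containing a comma (the issuer in the log has O=CitiStreet,LLC) or a slash would produce an ambiguous LDAP DN, because nothing here applies the RFC 4514 escaping an LDAP server expects. That is the practical reason to take the 'ldap-strict' output of dp:auth-info on the appliance rather than doing string surgery in the stylesheet.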
  • SystemAdmin

    Re: credential map breaks LDAP query for authorization in AAA policy

    2011-08-18T15:40:50Z  in response to SystemAdmin
    How are you mapping the credentials, and what is the output from Map Credentials?
  • SystemAdmin

    Re: credential map breaks LDAP query for authorization in AAA policy

    2011-08-18T20:41:48Z  in response to SystemAdmin
    Can you provide more details on your RBM setup? It looks like you are using custom XSL for both authentication and credential mapping. Can you paste your XSLT here, or at least the parts that generate output?
    • SystemAdmin

      Re: credential map breaks LDAP query for authorization in AAA policy

      2011-08-19T14:32:50Z  in response to SystemAdmin
      Hi Peter,

      Here is the file:

      <aaa:AAAInfo xmlns:dpfunc="http://www.datapower.com/extensions/functions" xmlns:aaa="http://www.datapower.com/AAAInfo">
        <aaa:FormatVersion>1</aaa:FormatVersion>
        <aaa:Filename>local:///RBM.xml</aaa:Filename>
        <aaa:Summary>This is an example of the file format.</aaa:Summary>

        <!-- Determine credential from output of the extract-identity phase. -->
        <aaa:Authenticate>
          <aaa:Username>acc_ldap_user</aaa:Username>
          <aaa:Password>password</aaa:Password>
          <aaa:OutputCredential>acc_ldap_user</aaa:OutputCredential>
        </aaa:Authenticate>

        <aaa:Authenticate>
          <aaa:Username>acc_ldap_user</aaa:Username>
          <aaa:Password>password</aaa:Password>
          <aaa:OutputCredential>OU=acc_ldap_user ,OU=domain1s,OU=people,DC=company,DC=extenal,DC=LTD</aaa:OutputCredential>
        </aaa:Authenticate>

        <aaa:Authenticate>
          <aaa:Username>user_group</aaa:Username>
          <aaa:Password>company</aaa:Password>
          <aaa:OutputCredential>CN=user_group,OU=groups,DC=company,DC=extenal,DC=LTD</aaa:OutputCredential>
        </aaa:Authenticate>

        <!-- Specify credential (if any) to use when there is no authenticated identity. -->
        <aaa:Authenticate>
          <aaa:Any/>
          <aaa:OutputCredential>OU=acc_ldap_user ,OU=domains,DC=company,DC=extenal,DC=LTD</aaa:OutputCredential>
        </aaa:Authenticate>

        <!-- Map credentials to different credentials. -->
        <aaa:MapCredentials>
          <aaa:InputCredential>CN=acc_ldap_user,OU=domain1s,DC=company,DC=extenal,DC=LTD</aaa:InputCredential>
          <aaa:OutputCredential>x.x.x.x/default/*?Access=r+w+a+d+x
      x.x.x.x/domain1/*?Access=r+w+a
      x.x.x.x/development/*?Access=r
          </aaa:OutputCredential>
        </aaa:MapCredentials>

        <aaa:MapCredentials>
          <aaa:InputCredential>acc_ldap_user</aaa:InputCredential>
          <aaa:OutputCredential>*/default/*?Access=rxdaw
      */domain1/*?Access=rdaw
      */development/*?Access=rw
          </aaa:OutputCredential>
        </aaa:MapCredentials>

        <aaa:MapCredentials>
          <aaa:InputCredential>user_group</aaa:InputCredential>
          <aaa:OutputCredential>x.x.x.x/default/*?Access=r+w+a+d+x
          </aaa:OutputCredential>
        </aaa:MapCredentials>

        <!-- Determine resource from output of the extract-resource phase. -->
        <!-- Authorize access to resource for credentials. -->
      </aaa:AAAInfo>
      Karthik