Query to Validate an IP Address and Certificate
This procedure assumes that you have already created a certificate authentication definition. Also complete the procedure Attribute Query Definition to create an assertion that compares the incoming IP address against the list of IP addresses assigned to the user.
The FindHostGroup query you define looks up the host group that corresponds to the certificate's organization and that has the host entry for the incoming IP address (the dn returned by FindHostDN) as a member. If no such group is found, the certificate validation request fails.
Use the values in the following tables to determine the values to assign in Sterling External Authentication Server. The first table defines the query that looks up the incoming IP address (FindHostDN); the second defines the query that finds the host group for the certificate's organization (FindHostGroup). When you add the queries you defined, order them so that FindHostDN runs first and FindHostGroup second: FindHostGroup references the dn that FindHostDN returns, so it cannot run before it.
| Sterling External Authentication Server Field | Value to Assign |
|---|---|
| Name | Name of the attribute query definition, for example, FindHostDN. |
| Connection Specification | Use globally defined connection. Select the connection definition for the AD server. |
| Specify query parameters | Select to define the query parameters. |
| Base DN | Distinguished name of the hosts container, for example, CN=Allowed Hosts,CN=SEAS,DC=example,DC=com. |
| Return Attributes | dn, flags |
| Scope | One Level |
| Match Attributes | Name=ipNetworkNumber Value={ipAddress} |
| Attribute Assertions Definitions | |
| Name | Name for the assertion. |
| Assertions | {attr[FindUserIPAddrs].ipHostNumber} == any \|\| {attr[FindUserIPAddrs].ipHostNumber} == {ipAddress} |
| Sterling External Authentication Server Field | Value to Assign |
|---|---|
| Name | Name of the attribute query definition, for example, FindHostGroup. |
| Connection Specification | Use globally defined connection. Select the connection definition for the AD server. |
| Specify query parameters | Select to define the query parameters. |
| Base DN | Distinguished name of the host groups container, for example, CN=Host Groups,CN=SEAS,DC=example,DC=com. |
| Return Attributes | dn, uniqueMember |
| Scope | One Level |
| Match Attributes | Name=o Value={subject.o, none} and Name=uniqueMember Value={attr[FindHostDN].dn}. Note: A certificate subject may not have an organization (o). The second element of {subject.o, none} supplies the value none when the subject has no organization. You can create a host group named No Org Hosts with an o attribute equal to none to group hosts that present certificates without an organization. |
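The following Python is an added illustration, not part of the product documentation, that models the two-query chain against a small constructed in-memory directory: FindHostDN matches ipNetworkNumber against the incoming address under the hosts container, FindHostGroup then requires a group under the host groups container whose o equals the certificate's organization (defaulting to none) and whose uniqueMember holds the dn FindHostDN returned, and any empty result fails closed. The container DNs, sample entries, and helper names are assumptions. It also renders the equality filters that the match attributes describe, applying RFC 4515 escaping so that a subject organization containing parentheses or asterisks cannot change the structure of the filter sent to the directory.

```python
"""Walk the FindHostDN -> FindHostGroup chain against a constructed directory.

Added example: the containers, attribute names and entries below are assumptions
modelled on the tables above, not data from a real AD forest.
"""

HOSTS_BASE = "CN=Allowed Hosts,CN=SEAS,DC=example,DC=com"
GROUPS_BASE = "CN=Host Groups,CN=SEAS,DC=example,DC=com"

# Constructed sample directory: dn -> attributes (multi-valued, as in LDAP).
# RDNs contain no escaped commas, so the parent dn is everything after the first comma.
DIRECTORY = {
    f"CN=build01,{HOSTS_BASE}": {"ipNetworkNumber": ["192.0.2.10"], "flags": ["0"]},
    f"CN=kiosk07,{HOSTS_BASE}": {"ipNetworkNumber": ["198.51.100.7"], "flags": ["0"]},
    f"CN=Example Corp Hosts,{GROUPS_BASE}": {
        "o": ["Example Corp"],
        "uniqueMember": [f"CN=build01,{HOSTS_BASE}"],
    },
    f"CN=No Org Hosts,{GROUPS_BASE}": {
        "o": ["none"],
        "uniqueMember": [f"CN=kiosk07,{HOSTS_BASE}"],
    },
}

_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def ldap_escape(value):
    """RFC 4515 escaping for an assertion value interpolated into a search filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_filter(match):
    """Render the equality filter the match attributes describe, AND-ed together."""
    parts = "".join(f"({name}={ldap_escape(value)})" for name, value in match)
    return parts if len(match) == 1 else f"(&{parts})"


def one_level_search(base, match, return_attrs):
    """One Level scope: direct children of `base` whose attributes equal every match pair."""
    hits = []
    for dn, attrs in DIRECTORY.items():
        if dn.split(",", 1)[1] != base:
            continue
        if all(value in attrs.get(name, []) for name, value in match):
            entry = {a: attrs.get(a, []) for a in return_attrs if a != "dn"}
            entry["dn"] = dn
            hits.append(entry)
    return hits


def find_host_dn(ip_address):
    """FindHostDN: ipNetworkNumber == {ipAddress} under the hosts container."""
    return one_level_search(HOSTS_BASE, [("ipNetworkNumber", ip_address)], ["dn", "flags"])


def find_host_group(subject_o, host_dn):
    """FindHostGroup: o == {subject.o, none} AND uniqueMember == {attr[FindHostDN].dn}."""
    org = subject_o if subject_o else "none"  # the `none` default for subjects without an o
    match = [("o", org), ("uniqueMember", host_dn)]
    return one_level_search(GROUPS_BASE, match, ["dn", "uniqueMember"])


def validate(ip_address, subject_o):
    """Return (accepted, detail). Fails closed whenever either query returns nothing."""
    hosts = find_host_dn(ip_address)
    if not hosts:
        return False, f"no host entry for {ip_address}"
    for host in hosts:  # FindHostGroup runs second because it consumes FindHostDN's dn
        groups = find_host_group(subject_o, host["dn"])
        if groups:
            return True, groups[0]["dn"]
    org = subject_o if subject_o else "none"
    return False, f"{hosts[0]['dn']} is not a uniqueMember of any group with o={org}"


if __name__ == "__main__":
    for ip, org in [("192.0.2.10", "Example Corp"), ("198.51.100.7", None),
                    ("198.51.100.7", "Example Corp"), ("203.0.113.9", "Example Corp")]:
        print(ip, org, validate(ip, org))
    print(build_filter([("o", "Acme (EU)"), ("uniqueMember", f"CN=build01,{HOSTS_BASE}")]))
```

Two points the walk-through makes visible. First, the ordering rule in the text is not cosmetic: `find_host_group` cannot be evaluated until `find_host_dn` has produced a dn, and a host that matches on IP but is a member of no group for that organization is rejected. Second, because the missing-organization case is handled by substituting the literal value none, a certificate whose subject actually carries o=none is indistinguishable from one with no organization and will be matched against the No Org Hosts group; if that distinction matters in your environment, constrain what your CA will issue.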