x509 auth LDAP match

[Bengt Wällstedt]

Hi!

We are planning to use the x509 module for authentication with swedish e-identity certificates on smartcards or Yubikeys. The matching attribute between certificate subject and LDAP account is personal identity number.  The situation here is that the LDAP directory keeps the users in a flat structure and there may be more than one user account in the directory for one single person. The account types are separated by the attribute employeeType and the x509 module should ideally only se accounts with employeeType=Employee. However, the x509 module appears to see all accounts regardless of the LDAP filter specified in the LDAP authsource, and if there is more than one user account with a particular personal identity number we get "Authentication failed: the certificate your browser sent is unknown".
Apparently the x509 module uses only the connection information and not the filter. Is there a way to sneak in a filter statement like (employeeType=Emp*) somewhere to make the module find only the correct user accounts?

Kind regards

Bengt W

[Tim van Dijen]

Hi Bengt,

I think I have the patch here:  https://github.com/simplesamlphp/simplesamlphp-module-authX509/pull/27
Would you be able to verify it for me?

I think with the patch in place you should be able to set the filter to:  (&({uid_key}={user_identifier})(employeeType=Emp*))

- Tim

Op maandag 14 april 2025 om 15:25:24 UTC+2 schreef bengt.w...@gmail.com:

[Bengt Wällstedt]

Hi Tim!

Thanks! That was quick... But I don't think I fully understand how to set things up properly. I have, in authsources.php:

    'certificate' => [
        'authX509:X509userCert',
        'backend' => '<LDAP dir>',
        'authX509:x509attributes' => ['serialNumber' => 'workforceID'],
        'authX509:ldapusercert' => null,
    ],
That is, the value I use in the certificate subject dn is serialNumber and that is matched against the value in workforceID in the directory. In the ldap:ldap authsource i have:

       'search.enable' => true,

        'search.base' => ['ou=Users,o=<LDAP dir>' ],

        'search.scope' => 'one',
        'search.attributes' => ['workforceID'],

        'search.filter' => '(employeeType=Emp*)', <--- this is where I'm a bit lost. If I skip this line things work like before, but whatever I put here makes the certificate login fail with "Unknown certificate"

Then, in saml20-idp-hosted.php I pick up a bunch of attributes with ldap:AttributeAddFromLDAP for the authenticated user, again using workforceID to search. There are other authsources that return workforceID that also use this.

It seems really close here...

Thanks

Bengt

[Tim van Dijen]

Hey Bengt,

Sorry for confusing you!  The authx509 module silently inserts a search filter `({uid_key}={user_identifier})`, so in order to combine this with your additional filter, you should set 'search.filter' => '(&({uid_key}={user_identifier})(employeeType=Emp*))' on the ldap-authsource.

Does this not work? Then maybe I have to take another look..  I was indeed quick and haven't tested anything..

- Tim

Op dinsdag 15 april 2025 om 15:31:28 UTC+2 schreef bengt.w...@gmail.com:

[Bengt Wällstedt]

Hi Tim!

Thanks! Now I got it right, and it works like a charm! I made a separate LDAP authsource for the authX509 module with this particular filter since when called from other places that filter throws an error. But easily fixed with an almost identical LDAP authsource that only the authX509 module uses.

Thanks again!

[Bengt Wällstedt]

Hi Tim!

Thanks a lot! Works like a charm!

Kind regards

Bengt