RE: FW: isakmpd AND NOT policy
Angelos,
Thank you for the hints in the right direction. However, I still cannot figure out the correct usage of _ACTION_AUTHORIZERS :|
Could well be because I'm no regexp hero. Could you point me to what is wrong in the next statement?
Conditions: app_domain == "IPsec policy"
            && esp_present == "yes"
            && _ACTION_AUTHORIZERS != "DN:/L=Den Haag/C=NL/OU=Roaming User 001/Email=vissers@fox-it.com/CN=Roaming user 001/D=PGPKeyCreation=0x3b98b9da"
            -> "true";
I think I use _ACTION_AUTHORIZERS the wrong way.
Regards,
Pepijn Vissers
> -----Original Message-----
> From: Angelos D. Keromytis [mailto:angelos@cs.columbia.edu]
> Sent: Thursday 4 October 2001 17:36
> To: Pepijn Vissers
> CC: 'tech@openbsd.org'
> Subject: Re: FW: isakmpd AND NOT policy
>
>
> In message <D58D3E1961C58043BD828065D12E49951D6D05@foxserver>, Pepijn Vissers writes:
> >
> >142342.263902 Plcy 40 check_policy: adding authorizer [DN:/L=Den Haag/C=NL/OU=Roaming User 001<snip>
> >
> >Normally, because this user has a CA-signed PGP key, he would be able to connect, because all CA-signed certificates are authorized by "POLICY". I now want to exclude users that still have their CA-signed key, but should no longer be allowed to connect, by matching their DN to a 'blacklist'.
>
> Ah, ok. Yes, you can match against _ACTION_AUTHORIZERS (sorry, _AUTHORIZERS by itself is not right), but note that this user can delegate to another (fake) user and bypass the check, unless you've set the no-propagate (no-delegate) flag in their X.509 certificate.
> -Angelos
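An added example assertion for isakmpd.policy, not taken from this thread and not verified against the poster's setup, showing one way such a DN blacklist can be expressed. It assumes the KeyNote ~= regular-expression operator and that _ACTION_AUTHORIZERS is a single comma-separated string of the requesting principals, so the blacklisted DN is tested as a substring rather than compared for string inequality against the whole list; the CA DN in Licensees is a placeholder, and the DN fragment must match what isakmpd prints in its check_policy log line.

```keynote
KeyNote-Version: 2
Comment: Added example, not from the thread. Grants IPsec access to
         certificates signed by the CA named in Licensees, except when
         the blacklisted DN fragment appears anywhere in the
         comma-separated _ACTION_AUTHORIZERS list (assumed semantics;
         ~= is a regular-expression match). Per the thread, a holder
         of the blacklisted certificate can still delegate to another
         key unless the certificate carries the no-delegate flag, so
         this check alone does not revoke that user.
Authorizer: "POLICY"
Licensees: "DN:/C=NL/O=CA-PLACEHOLDER/CN=Example Signing CA"
Conditions: app_domain == "IPsec policy" &&
            esp_present == "yes" &&
            !(_ACTION_AUTHORIZERS ~= "OU=Roaming User 001") -> "true";
```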