Forum Discussion
Robert_Decker_2
Nimbostratus
Feb 01, 2006
Authenticate customer using SSL client certificate or LDAP
I was wondering if anyone could show me how to perform multiple methods of authentication within an iRule. I would like to use SSL authentication against a client certificate as the first method, how...
Robert_Decker_2
Nimbostratus
Feb 27, 2006
Thank you both for your help! I think I am slowly starting to understand the global variable thing. It seems like any certificate will pass the SSL portion, even if it is not supposed to. Other than that, it seems to be doing what I would like it to at this point. First, I am prompted for an SSL certificate. I can then cancel out and use LDAP. Could you guys point out what I am doing wrong with regard to the SSL certificate? In addition, how would I redirect a failed LDAP connection to a custom web page? Currently, IE displays a blank page when I fail the LDAP connection.
Thanks again,
Rob
when CLIENT_ACCEPTED {
    # Per-connection state: number of requests currently held by HTTP::collect,
    # and the AUTH session id per method (-1 = that method not started yet)
    set tmm_auth_http_collect_count 0
    array set tmm_auth_http_sids {ldap -1}
}
when CLIENTSSL_HANDSHAKE {
    set cur [SSL::sessionid]
    set ask [session lookup ssl $cur]
    log local0. "ask equals $ask"
    # Cache whatever certificate the client presented, keyed by SSL session id.
    # Nothing here checks the verification result, so any certificate is cached.
    if { $ask eq "" } { session add ssl [SSL::sessionid] [SSL::cert 0] }
    log local0. "ask equals $ask"
}
when HTTP_REQUEST {
    set id [SSL::sessionid]
    set the_cert [session lookup ssl $id]
    if { $the_cert != "" } {
        # Certificate path: pass the certificate details to the server as headers
        HTTP::header insert SSLClientCertSubject [X509::subject $the_cert]
        HTTP::header insert SSLClientCertIssuer [X509::issuer $the_cert]
        HTTP::header insert SSLClientCertValidFrom [X509::not_valid_before $the_cert]
        HTTP::header insert SSLClientCertValidUntil [X509::not_valid_after $the_cert]
        HTTP::header insert SSLClientCert [b64encode $the_cert]
    } elseif { ! [info exists has_client_cert] } {
        # has_client_cert is never set, so this branch runs whenever no
        # certificate was cached: fall back to LDAP through PAM
        set tmm_auth_sid $tmm_auth_http_sids(ldap)
        if {$tmm_auth_sid == -1} {
            set tmm_auth_sid [AUTH::start pam default_ldap]
            array set tmm_auth_http_sids [list ldap $tmm_auth_sid]
        }
        AUTH::username_credential $tmm_auth_sid [HTTP::username]
        AUTH::password_credential $tmm_auth_sid [HTTP::password]
        AUTH::authenticate $tmm_auth_sid
        # Hold the request until an AUTH_* event decides its fate
        if {$tmm_auth_http_collect_count == 0} {
            HTTP::collect
            set tmm_auth_http_successes 0
        }
        incr tmm_auth_http_collect_count
    }
}
when AUTH_SUCCESS {
    if {$tmm_auth_http_sids(ldap) eq [AUTH::last_event_session_id]} {
        incr tmm_auth_http_successes
        if {[info exists tmm_auth_http_sufficient_successes]} {
            # Enough methods succeeded: abort the other pending methods and release
            if {$tmm_auth_http_successes >=
                $tmm_auth_http_sufficient_successes} {
                foreach {type sid} [array get tmm_auth_http_sids] {
                    if {$type ne "ldap" && $sid ne -1} {
                        AUTH::abort $sid
                        array set tmm_auth_http_sids [list $type -1]
                    }
                }
                set tmm_auth_http_collect_count 0
                HTTP::release
            } else {
                incr tmm_auth_http_collect_count -1
                if {$tmm_auth_http_collect_count == 0} {
                    HTTP::respond 401
                }
            }
        } else {
            # tmm_auth_http_sufficient_successes is never set, so this is the
            # branch actually taken: release once no more requests are pending
            incr tmm_auth_http_collect_count -1
            if {$tmm_auth_http_collect_count == 0} {
                HTTP::release
            }
        }
    }
}
when AUTH_FAILURE {
    if {$tmm_auth_http_sids(ldap) eq [AUTH::last_event_session_id]} {
        if {[llength [array names tmm_auth_http_sids]] > 1} {
            if {[info exists tmm_auth_http_sufficient_successes]} {
                incr tmm_auth_http_collect_count -1
                if {$tmm_auth_http_collect_count == 0} {
                    HTTP::respond 401
                }
            } else {
                foreach {type sid} [array get tmm_auth_http_sids] {
                    if {$type ne "ldap" && $sid ne -1} {
                        AUTH::abort $sid
                        array set tmm_auth_http_sids [list $type -1]
                    }
                }
                set tmm_auth_http_collect_count 0
                HTTP::respond 401
            }
        } else {
            # Only the LDAP method is configured: a bare 401 with no body is sent
            set tmm_auth_http_collect_count 0
            HTTP::respond 401
        }
    }
}
when AUTH_WANTCREDENTIAL {
    if {$tmm_auth_http_sids(ldap) eq [AUTH::last_event_session_id]} {
        if {[llength [array names tmm_auth_http_sids]] > 1} {
            if {[info exists tmm_auth_http_sufficient_successes]} {
                incr tmm_auth_http_collect_count -1
                if {$tmm_auth_http_collect_count == 0} {
                    HTTP::respond 401
                }
            } else {
                foreach {type sid} [array get tmm_auth_http_sids] {
                    if {$type ne "ldap" && $sid ne -1} {
                        AUTH::abort $sid
                        array set tmm_auth_http_sids [list $type -1]
                    }
                }
                set tmm_auth_http_collect_count 0
                HTTP::respond 401
            }
        } else {
            set tmm_auth_http_collect_count 0
            HTTP::respond 401
        }
    }
}
when AUTH_ERROR {
    if {$tmm_auth_http_sids(ldap) eq [AUTH::last_event_session_id]} {
        if {[llength [array names tmm_auth_http_sids]] > 1} {
            if {[info exists tmm_auth_http_sufficient_successes]} {
                incr tmm_auth_http_collect_count -1
                if {$tmm_auth_http_collect_count == 0} {
                    HTTP::respond 401
                }
            } else {
                foreach {type sid} [array get tmm_auth_http_sids] {
                    if {$type ne "ldap" && $sid ne -1} {
                        AUTH::abort $sid
                        array set tmm_auth_http_sids [list $type -1]
                    }
                }
                set tmm_auth_http_collect_count 0
                HTTP::respond 401
            }
        } else {
            set tmm_auth_http_collect_count 0
            HTTP::respond 401
        }
    }
}
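The two problems in the post, any certificate passing the SSL step and the blank page on LDAP failure, come from caching [SSL::cert 0] without checking the verification result and from answering with a body-less 401. The following is an added, simplified single-method iRule (not the poster's code or an F5-supplied one) showing the defender's version of both steps: it only caches a certificate that the client SSL profile verified, and it answers a failed LDAP login with a real page. It assumes a client SSL profile configured to request client certificates against a trusted CA bundle, that CLIENTSSL_CLIENTCERT, SSL::verify_result, X509::verify_cert_error_string and the session timeout argument are available on the running version, and uses the page's default_ldap PAM config; the realm name, timeout and HTML body are constructed values.

```tcl
when CLIENT_ACCEPTED {
    set ldap_sid -1
}
when CLIENTSSL_CLIENTCERT {
    # Cache the certificate only if one was presented AND the client SSL
    # profile's CA verification succeeded (0 is X509_V_OK). Caching
    # [SSL::cert 0] unconditionally is why any certificate "passes".
    if { [SSL::cert count] > 0 && [SSL::verify_result] == 0 } {
        session add ssl [SSL::sessionid] [SSL::cert 0] 3600
    } else {
        log local0. "client cert rejected: [X509::verify_cert_error_string [SSL::verify_result]]"
    }
}
when HTTP_REQUEST {
    set the_cert [session lookup ssl [SSL::sessionid]]
    if { $the_cert ne "" } {
        # Verified certificate: pass the identity upstream and skip LDAP
        HTTP::header insert SSLClientCertSubject [X509::subject $the_cert]
        return
    }
    if { [HTTP::username] eq "" } {
        # No certificate and no Basic credentials yet: challenge the browser
        HTTP::respond 401 "WWW-Authenticate" {Basic realm="Login"}
        return
    }
    if { $ldap_sid == -1 } {
        set ldap_sid [AUTH::start pam default_ldap]
    }
    AUTH::username_credential $ldap_sid [HTTP::username]
    AUTH::password_credential $ldap_sid [HTTP::password]
    AUTH::authenticate $ldap_sid
    # Hold the request until AUTH_SUCCESS / AUTH_FAILURE fires
    HTTP::collect
}
when AUTH_SUCCESS {
    if { $ldap_sid eq [AUTH::last_event_session_id] } {
        HTTP::release
    }
}
when AUTH_FAILURE {
    if { $ldap_sid eq [AUTH::last_event_session_id] } {
        # A bare "HTTP::respond 401" is what IE renders as a blank page.
        # Send a body with the challenge (or HTTP::redirect to a custom page).
        HTTP::respond 401 content {<html><body><h1>Login failed</h1></body></html>} \
            "WWW-Authenticate" {Basic realm="Login"} "Content-Type" "text/html"
    }
}
```

Keeping the 401 (with a body) rather than redirecting lets the browser re-prompt for Basic credentials; the AUTH_WANTCREDENTIAL and AUTH_ERROR handlers from the post are omitted here for brevity and would follow the same pattern.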