Brian_Buddemeye
Jul 19, 2007

default LDAP rule modification - how to parse Domain Name

I'm working in an environment right now where we are implementing the ACA module on an LTM running 9.4.1 to offload Active Directory authentication.

The trouble I'm running into is that the back-end servers expect credentials in the form of "domain_name\username". Using the default LDAP rule, the LTM cannot successfully query the directory if the user enters his credentials in that form. If the user just enters his username, the LTM is able to query the directory and get his authorization info, but when it passes that on to the back-end server, the back-end server returns a 401 error because it is expecting "domain_name\username" and just receiving "username".

Is there a modification to the default LDAP authentication rule that I can make to either strip the domain name from the text the user enters and re-insert it when passing the credentials to the back-end server or just to add the domain name and slash before passing the credentials to the back end (though this way would require user re-training...)?

Thanks in advance!
  • Hi Guys,

    I have the same requirement with a customer on 9.4.3. Authentication works fine with the default LDAP iRule but they require domain\username also. Has anyone seen any pre-canned iRules in this area?

    thanks

    Carl
  • I was able to get this working in my instance, with a little help. Here is the change that needed to be made to the default LDAP auth rule:

    Try replacing:

    AUTH::username_credential $tmm_auth_sid [HTTP::username]

    With:

    AUTH::username_credential $tmm_auth_sid [getfield [HTTP::username] "\\" 2]
  • matt_wheeler_11
    Historic F5 Account
    I have a similar problem but my customer would like to have the users just enter username and password. I was wondering if you have seen any examples where we can insert the domain name on the post? Thanks for the help.
  • hoolio
    Could you just hardcode the domain?

    AUTH::username_credential $tmm_auth_sid "somedomain\\[HTTP::username]"

    Aaron
  • matt_wheeler_11
    Historic F5 Account
    Does anyone know if I need to have the Authentication Module in order to make this solution work?
  • hoolio
    I'm pretty sure use of the AUTH:: commands requires the advanced auth module.

    Aaron
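
The `getfield ... "\\" 2` replacement posted in the thread yields an empty name when a user enters only "username", because there is no second field. The fragment below is an added example (not from the thread and not F5's default rule) that accepts both forms; `raw_user`, `ldap_user` and the empty realm string are assumptions, and `$tmm_auth_sid` is taken to be set earlier in the rule as in the lines quoted above.

```tcl
# Added example: goes in place of the single AUTH::username_credential line
# inside the rule's HTTP_REQUEST event. The rest of the rule is unchanged.
# Assumption: $tmm_auth_sid was set earlier in the rule.
set raw_user [HTTP::username]

if { $raw_user contains "\\" } {
    # "domain_name\username": query the directory with the part
    # after the backslash only.
    set ldap_user [getfield $raw_user "\\" 2]
} else {
    # Bare "username": field 2 does not exist, so getfield would
    # return an empty string. Use the value as entered.
    set ldap_user $raw_user
}

if { $ldap_user eq "" } {
    # No credentials sent, or "domain_name\" with nothing after the
    # backslash. Reject here instead of handing an empty name to the
    # directory query. The realm value is a constructed placeholder.
    HTTP::respond 401 WWW-Authenticate "Basic realm=\"\""
    return
}

# Only the directory lookup uses the stripped name. The request's own
# credentials are not rewritten by this fragment.
AUTH::username_credential $tmm_auth_sid $ldap_user
```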