Forum Discussion
Form-Based Authentication with LDAP
Hello, I configured LDAP to authenticate users who want to access a specific virtual server, but the authentication was Windows-based, so I'm looking for an iRule to accomplish form-based authentication based on the LDAP configuration I previously did. Any ideas? Thanks in advance.
3 Replies
- Telnet_178675
Nimbostratus
Hi, any news?
- refra_151287
Cirrus
I found the following link; it seems fine, but I'm having trouble deploying it:
https://devcentral.f5.com/codeshare/client-auth-using-html-forms
- refra_151287
Cirrus
Hi all,
I faced the following error when I tried to deploy the form-based authentication from this link:

```
err tmm[14071]: 01220001:3: TCL error: /Common/Form_based_authentication - can't read "::loginForm_class": no such variable while executing "lindex $::loginForm_class 0"
```

Data-Group Configuration:

```
(tmos) list sys file data-group loginForm_class
sys file data-group loginForm_class {
    checksum SHA1:1379:69a356ed3b468884c8d7baf94cdd11edc5d473dd
    create-time 2015-06-17:14:57:07
    created-by root
    last-update-time 2015-06-17:14:57:07
    mode 33152
    revision 1
    size 1379
    source-path file:/var/class/loginForm.class
    type string
    updated-by root
}
(tmos) list ltm data-group external
ltm data-group external loginForm_class {
    external-file-name loginForm_class
    type string
}
```

Form-based authentication iRule. NOTE: The loginForm.class is just a base64 encoded HTML page which is then wrapped in "quotes". A sample is included at the bottom of this page.

```tcl
when RULE_INIT {
    set ::aeskey [AES::key 128]
}

when CLIENT_ACCEPTED {
    set forceauth 1
    set auth_status 2
    set ckname BIGIP_AUTH
    set ckpass myPassword
    set asid [AUTH::start pam default_ldap]
}

when HTTP_REQUEST {
    if { [HTTP::path] starts_with "/user_login" } {
        # Private URI, Auth Required
        if { [HTTP::cookie exists $ckname] } {
            set cookie_payload [HTTP::cookie value $ckname]
            set decryptedCookie [AES::decrypt $::aeskey [b64decode $cookie_payload]]
            if { not ( $decryptedCookie equals "" ) } {
                log local0. "Decrypted Cookie=$decryptedCookie"
                # retrieve the auth status from the session table
                set auth_status [session lookup uie $decryptedCookie]
            }
            # If the auth status is 0 then the user is authenticated
            if { $auth_status eq 0 } {
                # Cookie Decrypted & Session Auth valid
                set forceauth 0
            }
        }
        if { $forceauth eq 1 } {
            set orig_uri [b64encode [HTTP::uri]]
            HTTP::redirect "/Login_form?req=$orig_uri"
        }
    } else {
        # If the user is re-directed to the login form then serve the login form from the BigIP
        if { [HTTP::path] starts_with "/Login_form" && [HTTP::method] equals "GET" } {
            # Retrieve the login form from a base64 encoded external class file.
            # The original codeshare read it as "lindex $::loginForm_class 0" (v9 syntax,
            # which produced the "no such variable" error above); on v10 and later a data
            # group is not a global Tcl variable and has to be read with the "class" command.
            set login_form [b64decode [class element -name 0 loginForm_class]]
            HTTP::respond 200 content $login_form "Content-Type" "text/html"
        } elseif { [HTTP::path] starts_with "/Login_form" && [HTTP::method] equals "POST" } {
            # Process the login form and auth the user.
            # Decode the original URI from the req parameter so we can re-direct to the
            # original URI on successful auth
            set orig_uri [b64decode [URI::query [HTTP::uri] "req"]]
            HTTP::collect [HTTP::header Content-Length]
        }
    }
}

when HTTP_REQUEST_DATA {
    set namevals [split [HTTP::payload] "&"]
    # Break out the POST data for username and password values.
    # Initialise both so a form that omits a field cannot trigger a Tcl
    # "no such variable" error at AUTH::username_credential below.
    set auth_username ""
    set auth_password ""
    for {set i 0} {$i < [llength $namevals]} {incr i} {
        set params [split [lindex $namevals $i] "="]
        # Form values arrive URL-encoded; decode them before the LDAP bind
        # (URI::decode added here, the original passed the raw values).
        if { [lindex $params 0] equals "username" } {
            set auth_username [URI::decode [lindex $params 1]]
        }
        if { [lindex $params 0] equals "password" } {
            set auth_password [URI::decode [lindex $params 1]]
        }
    }
    AUTH::username_credential $asid $auth_username
    AUTH::password_credential $asid $auth_password
    AUTH::authenticate $asid
    HTTP::collect
}

when AUTH_SUCCESS {
    if { $asid eq [AUTH::last_event_session_id] } {
        # Now the user has authenticated, let's give them an encrypted cookie with their authID.
        # We'll also add the AUTH::status to a session entry with the authID as the key.
        # We can then re-direct the user to the page they originally asked for.
        set authStatus [AUTH::status $asid]
        session add uie $asid $authStatus 1800
        set encrypted_asid [b64encode [AES::encrypt $::aeskey $asid]]
        set authcookie [format "%s=%s; path=/; " $ckname $encrypted_asid]
        HTTP::respond 302 Location $orig_uri "Set-Cookie" $authcookie
    }
}

when AUTH_FAILURE {
    if { $asid eq [AUTH::last_event_session_id] } {
        HTTP::respond 200 content "Authentication Failed"
    }
}

when AUTH_WANTCREDENTIAL {
    if { $asid eq [AUTH::last_event_session_id] } {
        HTTP::respond 200 content "Authentication Credentials not provided"
    }
}

when AUTH_ERROR {
    if { $asid eq [AUTH::last_event_session_id] } {
        HTTP::respond 200 content "Authentication Error"
    }
}
```

and applied the iRule at the LDAP authentication profile, and of course added "loginForm" in the path /var/class/loginForm.class.
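The HTTP_REQUEST_DATA handler in the iRule above pulls the username and password out of the POST body by splitting on "&" and "=" and passing the pieces straight to the LDAP bind. The following Python is an added example, not code from this thread or from the codeshare iRule: it models that loop beside a proper application/x-www-form-urlencoded parse, and goes one step further than the iRule by handling a form that omits a field and by refusing to bind with empty credentials. The request body, field names and function names are constructed for the illustration.

```python
# Added example: models the iRule's HTTP_REQUEST_DATA parsing in Python.
# Not part of the DevCentral post or the codeshare iRule; the request body
# and all names below are constructed for illustration.
from urllib.parse import parse_qs

# Constructed POST body: the password is "p&ss=w+rd 1" once URL-decoded.
SAMPLE_BODY = "username=jdoe&password=p%26ss%3Dw%2Brd+1"


def naive_parse(body: str) -> dict:
    """Mirror of the iRule loop: split on '&' then '=' with no URL decoding.

    An absent field yields '' here; the original iRule would instead hit a
    Tcl 'no such variable' error at AUTH::username_credential.
    """
    creds = {"username": "", "password": ""}
    for pair in body.split("&"):
        params = pair.split("=")
        if params[0] in creds:
            # lindex $params 1 returns "" past the end of the list in Tcl
            creds[params[0]] = params[1] if len(params) > 1 else ""
    return creds


def decoded_parse(body: str) -> dict:
    """Proper form parsing: percent-decodes values and turns '+' into a space."""
    fields = parse_qs(body, keep_blank_values=True)
    return {
        "username": fields.get("username", [""])[0],
        "password": fields.get("password", [""])[0],
    }


def credentials_present(creds: dict) -> bool:
    """Refuse to hand empty values to the LDAP bind.

    Some directory servers treat a simple bind with an empty password as an
    unauthenticated (anonymous) bind, which would let the AUTH_SUCCESS path
    fire for any username, so check before the AUTH::authenticate step.
    """
    return bool(creds["username"]) and bool(creds["password"])


if __name__ == "__main__":
    print("naive  :", naive_parse(SAMPLE_BODY))
    print("decoded:", decoded_parse(SAMPLE_BODY))
    print("present:", credentials_present(decoded_parse(SAMPLE_BODY)))
```

With the sample body the naive parse binds with the literal string "p%26ss%3Dw%2Brd+1", so a valid user with that password is rejected by LDAP, while the decoded parse recovers "p&ss=w+rd 1". In the iRule the equivalent of the decoded parse is wrapping each value in URI::decode (with the "+" to space conversion still to be handled separately), and the equivalent of the empty-credential check is a test on auth_username and auth_password before AUTH::authenticate is called.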