Forum Discussion
refra_151287
Cirrus
Jun 16, 2015
Form-Based Authentication with LDAP
Hello,
I configured LDAP to authenticate users who want to access a specific virtual server, but the authentication was Windows-based, so I'm looking for an iRule to accomplish the form-based authenticati...
refra_151287
Cirrus
Jun 17, 2015
Hi all,
I faced the following error when I tried to deploy the form-based authentication from this link:
err tmm[14071]: 01220001:3: TCL error: /Common/Form_based_authentication - can't read "::loginForm_class": no such variable while executing "lindex $::loginForm_class 0"
Data-Group Configuration:
(tmos) list sys file data-group loginForm_class
sys file data-group loginForm_class {
checksum SHA1:1379:69a356ed3b468884c8d7baf94cdd11edc5d473dd
create-time 2015-06-17:14:57:07
created-by root
last-update-time 2015-06-17:14:57:07
mode 33152
revision 1
size 1379
source-path file:/var/class/loginForm.class
type string
updated-by root
}
(tmos) list ltm data-group external
ltm data-group external loginForm_class {
external-file-name loginForm_class
type string
}
Form-based authentication iRule
NOTE: The loginForm.class is just a base64 encoded HTML page which is then wrapped in "quotes". A sample is included at the bottom of this page.
when RULE_INIT {
    # One AES key per TMM load; used to encrypt the auth session id in the cookie
    set ::aeskey [AES::key 128]
}
when CLIENT_ACCEPTED {
    set forceauth 1
    set auth_status 2
    set ckname BIGIP_AUTH
    set ckpass myPassword
    # Start a PAM auth session against the default_ldap configuration
    set asid [AUTH::start pam default_ldap]
}
when HTTP_REQUEST {
    if { [HTTP::path] starts_with "/user_login" } {
        # Private URI, Auth Required
        if { [HTTP::cookie exists $ckname] } {
            set cookie_payload [HTTP::cookie value $ckname]
            set decryptedCookie [AES::decrypt $::aeskey [b64decode $cookie_payload ]]
            if { not ( $decryptedCookie equals "" ) } {
                log local0. "Decrypted Cookie=$decryptedCookie"
                # retrieve the auth status from the session table
                set auth_status [session lookup uie $decryptedCookie]
            }
            # If the auth status is 0 then the user is authenticated
            if { $auth_status eq 0 } {
                # Cookie Decrypted & Session Auth valid
                set forceauth 0
            }
        }
        if {$forceauth eq 1} {
            set orig_uri [b64encode [HTTP::uri]]
            HTTP::redirect "/Login_form?req=$orig_uri"
        }
    } else {
        # If the user is re-directed to the login form then serve the login form from the BigIP
        if { [HTTP::path] starts_with "/Login_form" && [HTTP::method] equals "GET" } {
            # Retrieve the login form from a base64 encoded external class file.
            # On TMOS v10 and later, data groups are no longer exposed as $::<name>
            # globals (the cause of the "no such variable" error above); the first
            # entry of the data group is read with the class command instead.
            set login_form [b64decode [class element -name 0 loginForm_class]]
            HTTP::respond 200 content $login_form "Content-Type" "text/html"
        } elseif { [HTTP::path] starts_with "/Login_form" && [HTTP::method] equals "POST" } {
            # Process the login form and auth the user
            # Decode the original URI from the req parameter so we can re-direct to the original
            # URI on successful auth
            set orig_uri [ b64decode [URI::query [HTTP::request] "req" ] ]
            HTTP::collect [HTTP::header Content-Length]
        }
    }
}
when HTTP_REQUEST_DATA {
    set namevals [split [HTTP::payload] "&"]
    # Break out the POST data for username and password values
    for {set i 0} {$i < [llength $namevals]} {incr i} {
        set params [split [lindex $namevals $i] "="]
        if { [lindex $params 0] equals "username" } {
            set auth_username [lindex $params 1]
        }
        if { [lindex $params 0] equals "password" } {
            set auth_password [lindex $params 1]
        }
    }
    AUTH::username_credential $asid $auth_username
    AUTH::password_credential $asid $auth_password
    AUTH::authenticate $asid
    HTTP::collect
}
when AUTH_SUCCESS {
    if {$asid eq [AUTH::last_event_session_id]} {
        # Now the user has authenticated lets give them an encrypted cookie with their authID
        # We'll also add the AUTH::status to a session entry with the authID as the key
        # We can then re-direct the user to the page they originally asked for
        set authStatus [AUTH::status $asid]
        session add uie $asid $authStatus 1800
        set encrypted_asid [b64encode [AES::encrypt $::aeskey $asid]]
        set authcookie [format "%s=%s; path=/; " $ckname $encrypted_asid ]
        HTTP::respond 302 Location $orig_uri "Set-Cookie" $authcookie
    }
}
when AUTH_FAILURE {
    if {$asid eq [AUTH::last_event_session_id]} {
        HTTP::respond 200 content "Authentication Failed"
    }
}
when AUTH_WANTCREDENTIAL {
    if {$asid eq [AUTH::last_event_session_id]} {
        HTTP::respond 200 content "Authentication Credentials not provided"
    }
}
when AUTH_ERROR {
    if {$asid eq [AUTH::last_event_session_id]} {
        HTTP::respond 200 content "Authentication Error"
    }
}
and applied the iRule at the LDAP authentication profile, and of course added the loginForm class file in the path /var/class/loginForm.class
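The following is an added example, not the poster's iRule or F5 code: a stdlib-only Python model of the request handling the iRule above performs (parsing the login-form POST body, the session table keyed by the auth session id with its 1800-second lifetime, and the base64 "req" parameter that becomes the post-login redirect). It does not model the AES cookie step. Function names, the SessionTable class and all sample inputs are constructed for this example; the redirect-target check is an addition the iRule itself does not perform.

```python
"""Added example: stdlib-only model of the iRule's form-login handling.
Not F5 code; names and sample inputs are constructed for illustration."""
import base64
import binascii
from urllib.parse import parse_qs

SESSION_TTL = 1800  # seconds, matching 'session add uie $asid $authStatus 1800'
AUTH_OK = 0         # the iRule treats an AUTH::status of 0 as authenticated


def parse_login_form_naive(body: str) -> dict:
    """What the iRule's HTTP_REQUEST_DATA loop does: split on '&' and '='
    with no URL decoding. Kept here only to make the failure mode visible."""
    fields = {}
    for pair in body.split("&"):
        params = pair.split("=")
        value = params[1] if len(params) > 1 else ""  # lindex yields "" when absent
        if params[0] in ("username", "password"):
            fields[params[0]] = value
    return fields


def parse_login_form(body: str) -> dict:
    """Browser-correct parsing: percent-decoding and '+' as space, so a
    password containing '&', '=' or '+' reaches the LDAP backend intact."""
    fields = parse_qs(body, keep_blank_values=True)
    return {
        "username": fields.get("username", [""])[0],
        "password": fields.get("password", [""])[0],
    }


class SessionTable:
    """Stand-in for 'session add uie' / 'session lookup uie' with a timeout.
    The clock is passed in explicitly so expiry can be tested deterministically."""

    def __init__(self):
        self._entries = {}  # key -> (status, expiry timestamp)

    def add(self, key: str, status: int, now: float, ttl: int = SESSION_TTL) -> None:
        self._entries[key] = (status, now + ttl)

    def lookup(self, key: str, now: float):
        """Return the stored status, or None when the entry is missing or expired."""
        entry = self._entries.get(key)
        if entry is None:
            return None
        status, expires = entry
        if now >= expires:
            del self._entries[key]
            return None
        return status


def must_force_auth(table: SessionTable, asid, now: float) -> bool:
    """The iRule's forceauth decision: only a live session entry whose status
    is 0 lets the request through; no cookie, an unknown id or an expired
    entry all send the client to the login form."""
    if asid is None:
        return True
    return table.lookup(asid, now) != AUTH_OK


def encode_req(uri: str) -> str:
    """Build the 'req' query parameter the way the iRule does (base64 of the URI)."""
    return base64.b64encode(uri.encode("utf-8")).decode("ascii")


def safe_redirect_target(req_param: str, default: str = "/") -> str:
    """Decode 'req' and accept only a same-site absolute path. The iRule hands
    the decoded value straight to a 302 Location; this check (an addition,
    not in the iRule) keeps the login flow from redirecting off-site."""
    try:
        target = base64.b64decode(req_param, validate=True).decode("utf-8")
    except (binascii.Error, ValueError):
        return default
    if not target.startswith("/") or target.startswith("//") or "\\" in target:
        return default
    if "\r" in target or "\n" in target:
        return default
    return target
```

The naive parser returns the still-encoded password text for any credential containing "&", "=", "+" or a percent-encoded byte, which the iRule would then pass to AUTH::password_credential and fail the bind; parse_qs gives the value the browser actually submitted. The session table reproduces the point that an expired or unknown id is treated exactly like a missing cookie.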