Forum Discussion
Bhargav_9588
Nimbostratus
Feb 15, 2010
getfield Parsing error
Hello,
I am trying to add an iRule to insert an http header value by stripping out domain from REMOTE_USER header. The following is the iRule I am trying to use:
when HTTP_REQUEST {
set login_user [HTTP::header remote_user ]
if { $login_user contains "\" } {
set ldap_user [getfield $login_user "\" 2]
HTTP::header replace SAPUserID $ldap_user
}
}
But it is throwing the following parsing error while saving:
01070151:3: Rule [insert.header.rule] error:
line 4: [parse error: missing "] ["\" 2]
HTTP::header replace SAPUserID $ldap_user
Any help is appreciated. Thanks in advance.
11 Replies
- Most likely the problem is that the backslash character is an escape sequence (i.e. \n for newline, \t for tab, etc). Try adding a second slash to your comparisons.
when HTTP_REQUEST {
    set login_user [HTTP::header remote_user ]
    if { $login_user contains "\\" } {
        set ldap_user [getfield $login_user "\\" 2]
        HTTP::header replace SAPUserID $ldap_user
    }
}
Let me know if this doesn't work.
-Joe
- hoolio
Cirrostratus
What kind of authentication are you using?
I think the REMOTE_USER field you're referring to is a CGI variable--not an actual HTTP header. For basic auth, this is parsed from the Authorization header. The format for this header is:
Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==
Basic indicates the use of basic auth. The string after Basic is a base64 encoding of the username:password (Aladdin:open sesame, in this example).
You could use the HTTP::username command to return the parsed and decoded username.
For details on basic auth you can check this wikipedia article:
http://en.wikipedia.org/wiki/Basic_access_authentication
Aaron
- Aaron, somehow it doesn't even faze me that you know that from the top of your head that the base64 decoded string of "QWxhZGRpbjpvcGVuIHNlc2FtZQ==" is "Aladdin:open sesame" B-).
-Joe
- Bhargav_9588
Nimbostratus
Thanks for your quick response. The parsing error was resolved after adding another backslash. This is what the script looks like:
when HTTP_REQUEST {
set login_user [HTTP::header remote_user ]
if { $login_user contains "\\" } {
set ldap_user [getfield $login_user "\\" 2]
HTTP::header replace SAPUserID $ldap_user
}
}
The authentication that we are using is "Windows Integrated Authentication". Is there any command to get username directly without Domain name appended to it?
Thank you!
- Bhargav_9588
Nimbostratus
I see the AUTH_TYPE as "NTLM".
- Bhargav_9588
Nimbostratus
Is there any way to get a CGI REMOTE_USER value into a variable in iRule?
- hoolio
Cirrostratus
NTLM is a bit more complicated than basic auth. The encoded username and domain are only included on type 3 messages. If the client uses the same connection for multiple HTTP requests, I think the type 3 message will only be sent on the first request/challenge/response exchange. So if you need to insert something from the username or domain in a custom HTTP header for every request, you might need to save the parsed username and manually insert it even if the authorization header isn't present for the current request.
Check this post for some references and options for parsing the Authorization header. If you read through the post and first link and still have questions, reply here.
Filter users authenticatiing via NTLM (MOSS) by domain name
http://devcentral.f5.com/Default.aspx?tabid=53&forumid=5&tpage=1&view=topic&postid=3455834634
NTLM Authentication Scheme for HTTP
http://www.innovation.ch/personal/ronald/ntlm.html
The NTLM Authentication Protocol and Security Support Provider
http://davenport.sourceforge.net/ntlm.html
Aaron
- hoolio
Cirrostratus
Actually, joelmoses added a very useful example iRule which parses NTLM auth headers by message type:
http://devcentral.f5.com/wiki/default.aspx/iRules/NTLM_logger.html
Aaron
- Posted By Bhargav on 02/16/2010 9:30 AM
Is there any way to get a CGI REMOTE_USER value into a variable in iRule?
It is my understanding that the value of the REMOTE_USER value is set by the webserver if authorization was required on the selected resource. You could get at the credentials in the request but I'm not sure you'd be able to decrypt them. For Basic auth, it's pretty straightforward but for others, I'm not so sure.
-Joe
- Bhargav_9588
Nimbostratus
Thanks Aaron for your input.
After navigating to one of the links, I found the following, but it is checking only for the domain name. How do I get the username from it:
when HTTP_REQUEST {
    # Check for Authorization header value starting with NTLM before trying to parse the request.
    if { [string tolower [HTTP::header Authorization]] starts_with "ntlm" } {
        if { [b64decode [getfield [HTTP::header Authorization] " " 2]] matches_regex {([Tt].[Ee].[Ss].[Tt].[Dd].[Oo].[Mm].[Aa].[Ii].[Nn])} } {
            HTTP::respond 200 content {
                Apology Page
                You are not allowed to authenticate as your user belongs to testdomain ...
            }
        }
    }
}
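Added example, not part of the original thread or any poster's iRule: a Python sketch of the parsing discussed above, covering both the Basic header format and the NTLM Type 3 message that carries the domain and username. It shows the field layout only and is not iRule code. The function names, the sample builder and the `latin-1` fallback for OEM strings are assumptions, and the flags field is assumed to be present at offset 60.

```python
import base64
import struct

NTLM_SIG = b"NTLMSSP\x00"
NEGOTIATE_UNICODE = 0x00000001  # flag bit: strings are UTF-16LE rather than OEM

def _secbuf(msg, pos):
    """Read a security buffer (len u16, maxlen u16, offset u32) and return its bytes."""
    length, _maxlen, offset = struct.unpack_from("<HHI", msg, pos)
    if offset + length > len(msg):
        raise ValueError("security buffer points outside the message")
    return msg[offset:offset + length]

def user_from_authorization(header):
    """Return (domain, user) from a Basic or NTLM Type 3 Authorization value, else None."""
    scheme, _, blob = header.strip().partition(" ")
    try:
        raw = base64.b64decode(blob.strip(), validate=True)
    except ValueError:  # binascii.Error is a ValueError
        return None
    if scheme.lower() == "basic":
        name = raw.decode("utf-8", "replace").partition(":")[0]
        domain, _sep, user = name.rpartition("\\")  # same split as getfield on "\\"
        return (domain, user)
    if scheme.lower() != "ntlm" or len(raw) < 64 or raw[:8] != NTLM_SIG:
        return None
    if struct.unpack_from("<I", raw, 8)[0] != 3:
        return None  # Type 1 and Type 2 messages carry no username
    flags = struct.unpack_from("<I", raw, 60)[0]
    codec = "utf-16-le" if flags & NEGOTIATE_UNICODE else "latin-1"  # OEM codec assumed
    try:
        domain = _secbuf(raw, 28).decode(codec, "replace")  # domain buffer at offset 28
        user = _secbuf(raw, 36).decode(codec, "replace")    # user buffer at offset 36
    except ValueError:
        return None
    return (domain, user)

def build_sample_type3(domain, user):
    """Constructed sample: minimal Type 3 message with empty responses, not captured traffic."""
    d, u = domain.encode("utf-16-le"), user.encode("utf-16-le")
    # Buffer order: LM response, NT response, domain, user, workstation, session key.
    bufs = [(0, 64), (0, 64), (len(d), 64), (len(u), 64 + len(d)), (0, 64), (0, 64)]
    hdr = NTLM_SIG + struct.pack("<I", 3)
    hdr += b"".join(struct.pack("<HHI", n, n, off) for n, off in bufs)
    hdr += struct.pack("<I", NEGOTIATE_UNICODE)
    return "NTLM " + base64.b64encode(hdr + d + u).decode()
```

The name returned is only what the client claims in its header; it is proven only once the back-end server has validated the NTLM response, so a proxy should not treat it as authenticated on its own.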
