Forum Discussion
Seclab_Supporto
Nimbostratus
Jun 28, 2010
Intercept LDAP password expired
Hi all,
I perform LDAP authentication with a custom iRule.
I need to intercept when the LDAP password has expired... and then perform a redirect to an application to reset the password.
Can someone hel...
Seclab_Supporto
Nimbostratus
Jun 28, 2010

when CLIENT_ACCEPTED {
    # Enables the LDAP flow checked in the events below (added here; the posted rule read $ldap without ever setting it)
    set ldap 1
    set authinsck_ldap 0
    set forceauth_ldap 1
    set ckname_ldap xxxxx
    set ckpass_ldap xxxxx
    set ckvalue_ldap [IP::client_addr]
}
when HTTP_REQUEST {
    set ckdomain_ldap [HTTP::host]
    set asid_ldap [AUTH::start pam default_ldap]
    if {[HTTP::cookie exists $ckname_ldap]} {
        log local0. "---> HTTEST Cookie esistente"
        HTTP::cookie decrypt $ckname_ldap $ckpass_ldap 128
        log local0. "---> HTTEST Cookie DECIFRATO"
        if {[HTTP::cookie value $ckname_ldap] eq $ckvalue_ldap} {
            log local0. "---> HTTEST Cookie valido"
            set forceauth_ldap 0
            # Remove the Authorization header carrying the authenticated user's credentials
            set userHT_ldap [HTTP::username]
            HTTP::header remove Authorization
            # Insert headers for authentication offloading
            HTTP::header insert Authorization "xxxxxxx"
            HTTP::header insert iv-user xxxxxx
            HTTP::header insert Via xxxxxxx
        } else {
            log local0. "---> HTTEST Cookie esistente MA NON VALIDO"
        }
        HTTP::cookie remove $ckname_ldap
    } else {
        log local0. "---> HTTEST Cookie Inesistente"
    }
    if {$forceauth_ldap eq 1} {
        # LDAP authentication
        log local0. "---> HTTEST LDAP"
        AUTH::username_credential $asid_ldap [HTTP::username]
        AUTH::password_credential $asid_ldap [HTTP::password]
        AUTH::authenticate $asid_ldap
        # Hold the request until the auth module answers (released in AUTH_SUCCESS)
        HTTP::collect
        log local0. "---> HTTEST Invio Richiesta LDAP"
    }
}
when HTTP_RESPONSE {
    if { $ldap eq 1} {
        if {$authinsck_ldap eq 1} {
            HTTP::cookie insert name $ckname_ldap value $ckvalue_ldap path / domain $ckdomain_ldap
            HTTP::cookie insert name $ckname_ldap value $ckvalue_ldap path / domain .xxxxxx.it
            HTTP::cookie secure $ckname_ldap enable
            HTTP::cookie encrypt $ckname_ldap $ckpass_ldap 128
            log local0. "---> HTTEST Scrivo Cookie"
        }
    }
}
when AUTH_SUCCESS {
    if { $ldap eq 1} {
        if {$asid_ldap eq [AUTH::last_event_session_id]} {
            set authinsck_ldap 1
            HTTP::release
            log local0. "---> HTTEST SUCCESSO"
        }
    }
}
when AUTH_FAILURE {
    if { $ldap eq 1} {
        if {$asid_ldap eq [AUTH::last_event_session_id]} {
            HTTP::respond 401 "WWW-Authenticate" "Basic realm=\"\""
            log local0. "---> HTTEST FALLITO"
        }
    }
}
when AUTH_WANTCREDENTIAL {
    if { $ldap eq 1} {
        if {$asid_ldap eq [AUTH::last_event_session_id]} {
            HTTP::respond 401 "WWW-Authenticate" "Basic realm=\"\""
            log local0. "---> HTTEST WANT CRED"
            set ldap 0
        }
    }
}
when AUTH_ERROR {
    if { $ldap eq 1} {
        if {$asid_ldap eq [AUTH::last_event_session_id]} {
            HTTP::respond 401
            log local0. "---> HTTEST ERROR"
        }
    }
}