Forum Discussion
Seclab_Supporto
Nimbostratus
Jun 28, 2010
Intercept LDAP password expired
Hi all,
I perform LDAP authentication with a custom iRule.
I need to intercept when the LDAP password has expired, and then redirect to an application to reset the password.
Can someone help me?
Thanks,
Salvatore
21 Replies
- hoolio
Cirrostratus
Hi Salvatore,
Can you post the existing iRule you're using? Is this LDAP auth for an HTTP(S) application? Which LTM version are you running? Are you wanting to proxy the password reset attempt to another server or, if it is HTTP, send the client a redirect?
Aaron
- Seclab_Supporto
Nimbostratus
Hi Aaron, thanks for your quick reply.
Can you post the existing iRule you're using? YES, JUST A MOMENT TO OBSCURE SENSITIVE INFORMATION
Is this LDAP auth for an HTTP(S) application? HTTP APPLICATION
Which LTM version are you running? 10.1.0
Are you wanting to proxy the password reset attempt to another server or, if it is HTTP, send the client a redirect? WHEN THE PASSWORD HAS EXPIRED I WANT TO REDIRECT THE CLIENT TO ANOTHER HTTP APPLICATION WHERE THE USER CAN CHANGE THEIR PASSWORD
I ONLY NEED TO INTERCEPT THE RESPONSE FROM THE LDAP SERVER THAT CONTAINS THE ERROR.
Thanks!!!
Salvatore
- Seclab_Supporto
Nimbostratus
I can't attach the iRule as a .txt or .zip. If I copy and paste it, it is not readable.
I can send it to you by email, if you prefer.
Thanks
- hoolio
Cirrostratus
Can you post the iRule in [ code ] [ /code ] blocks (without the spaces) to preserve the formatting?
Thanks, Aaron
- Seclab_Supporto
Nimbostratus
```tcl
when CLIENT_ACCEPTED {
    set authinsck_ldap 0
    set forceauth_ldap 1
    set ckname_ldap xxxxx
    set ckpass_ldap xxxxx
    set ckvalue_ldap [IP::client_addr]
    # Flag tested by the HTTP_RESPONSE and AUTH_* events below. It was never
    # initialised in the rule as posted, so every "$ldap eq 1" check would
    # abort with "can't read ldap: no such variable".
    set ldap 1
}

when HTTP_REQUEST {
    set ckdomain_ldap [HTTP::host]
    set asid_ldap [AUTH::start pam default_ldap]
    if {[HTTP::cookie exists $ckname_ldap]} {
        log local0. "---> HTTEST Cookie exists"
        HTTP::cookie decrypt $ckname_ldap $ckpass_ldap 128
        log local0. "---> HTTEST Cookie DECRYPTED"
        if {[HTTP::cookie value $ckname_ldap] eq $ckvalue_ldap} {
            log local0. "---> HTTEST Cookie valid"
            set forceauth_ldap 0
            # Remove the Authorization header carrying the authenticated user's credentials
            set userHT_ldap [HTTP::username]
            HTTP::header remove Authorization
            # Insert headers for authentication offloading
            HTTP::header insert Authorization "xxxxxxx"
            HTTP::header insert iv-user xxxxxx
            HTTP::header insert Via xxxxxxx
        } else {
            log local0. "---> HTTEST Cookie exists BUT NOT VALID"
        }
        HTTP::cookie remove $ckname_ldap
    } else {
        log local0. "---> HTTEST Cookie does not exist"
    }
    if {$forceauth_ldap eq 1} {
        # LDAP authentication
        log local0. "---> HTTEST LDAP"
        AUTH::username_credential $asid_ldap [HTTP::username]
        AUTH::password_credential $asid_ldap [HTTP::password]
        AUTH::authenticate $asid_ldap
        HTTP::collect
        log local0. "---> HTTEST Sending LDAP request"
    }
}

when HTTP_RESPONSE {
    if { $ldap eq 1 } {
        if {$authinsck_ldap eq 1} {
            HTTP::cookie insert name $ckname_ldap value $ckvalue_ldap path / domain $ckdomain_ldap
            HTTP::cookie insert name $ckname_ldap value $ckvalue_ldap path / domain .xxxxxx.it
            HTTP::cookie secure $ckname_ldap enable
            HTTP::cookie encrypt $ckname_ldap $ckpass_ldap 128
            log local0. "---> HTTEST Writing cookie"
        }
    }
}

when AUTH_SUCCESS {
    if { $ldap eq 1 } {
        if {$asid_ldap eq [AUTH::last_event_session_id]} {
            set authinsck_ldap 1
            HTTP::release
            log local0. "---> HTTEST SUCCESS"
        }
    }
}

when AUTH_FAILURE {
    if { $ldap eq 1 } {
        if {$asid_ldap eq [AUTH::last_event_session_id]} {
            HTTP::respond 401 "WWW-Authenticate" "Basic realm=\"\""
            log local0. "---> HTTEST FAILED"
        }
    }
}

when AUTH_WANTCREDENTIAL {
    if { $ldap eq 1 } {
        if {$asid_ldap eq [AUTH::last_event_session_id]} {
            HTTP::respond 401 "WWW-Authenticate" "Basic realm=\"\""
            log local0. "---> HTTEST WANT CRED"
            set ldap 0
        }
    }
}

when AUTH_ERROR {
    if { $ldap eq 1 } {
        if {$asid_ldap eq [AUTH::last_event_session_id]} {
            HTTP::respond 401
            log local0. "---> HTTEST ERROR"
        }
    }
}
```
- hoolio
Cirrostratus
The PAM API (which LTM uses for remote auth) seems to support an account expired message, but I'm not sure if this detail is provided by LTM. Also, you're using deprecated events for the AUTH result. In 9.4, AUTH_RESULT deprecated AUTH_SUCCESS, AUTH_FAILURE, AUTH_ERROR, and AUTH_WANTCREDENTIAL. See the wiki page for details:
http://devcentral.f5.com/wiki/default.aspx/iRules/AUTH_RESULT.html
PAM API details:
http://docs.sun.com/app/docs/doc/817-0699/6mgfuai9e?a=view
PAM_ACCT_EXPIRED - User account has expired
Can you replace all of the AUTH events in your rule with AUTH_RESULT and log the output from AUTH::response_data using a loop through the array? Can you then test with an expired account and see if LTM provides any info that can be used to determine whether the account is expired?
Here's an example you can use to log the auth response data:
```tcl
# Save the response data to an array
array set auth_response_data [AUTH::response_data]
# Loop through the array and print out the names and values
foreach name [array names $auth_response_data] {
    log local0. "$name = $auth_response_data($name)"
}
```
Aaron
- Seclab_Supporto
Nimbostratus
Hi Aaron,
I read that Auth::response_data will not return data if the authentication fails. See the following link:
http://devcentral.f5.com/wiki/default.aspx/iRules/AUTH__response_data.html
By the way, I will try to log the auth response data.
Thanks,
Salvatore
- hoolio
Cirrostratus
Yeah, I read that and got some related info from F5 a while back. But I wasn't sure if the page is accurate or whether it means the server couldn't be contacted or the authentication attempt failed. Anyhow, if you try testing, can you reply with the results?
Thanks, Aaron
- Seclab_Supporto
Nimbostratus
I'm trying, but I have some problems logging the array:
- can't read "auth_response_data": variable is array while executing "array names $auth_response_data"
Sorry, but I have never used arrays in Tcl.
Thanks
- hoolio
Cirrostratus
No problem. Can you remove the $ from the array name?
```tcl
if {[AUTH::response_data] ne ""} {
    # Save the response data to an array
    array set auth_response_data [AUTH::response_data]
    # Loop through the array and print out the names and values
    foreach name [array names auth_response_data] {
        log local0. "$name = $auth_response_data($name)"
    }
} else {
    log local0. "\[AUTH::response_data\] is null"
}
```
Aaron
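As an added example (not code from this thread, from Salvatore's rule, or from F5): the four deprecated AUTH_SUCCESS / AUTH_FAILURE / AUTH_WANTCREDENTIAL / AUTH_ERROR handlers in the posted rule folded into the single AUTH_RESULT event Aaron recommends, with the response-data dump he asked for and the redirect branch Salvatore is after. `https://reset.example.com/` and the `EXPIRED_MARKER` key are placeholders, not real values: whether LTM's PAM module exposes any expiry indicator is exactly what the logging run is meant to establish, so fill the key in only from what the log actually shows, and until then the failure path stays a 401.

```tcl
# Added example, not from the thread. Session/cookie handling from the
# original rule is omitted to keep the auth path readable.
when CLIENT_ACCEPTED {
    set asid_ldap ""
}

when HTTP_REQUEST {
    # Start a PAM auth session and hold the request until the result arrives.
    set asid_ldap [AUTH::start pam default_ldap]
    AUTH::username_credential $asid_ldap [HTTP::username]
    AUTH::password_credential $asid_ldap [HTTP::password]
    AUTH::authenticate $asid_ldap
    HTTP::collect
}

when AUTH_RESULT {
    # Ignore results belonging to any other auth session on this connection.
    if { [AUTH::last_event_session_id] ne $asid_ldap } { return }

    # Dump whatever the PAM module handed back, one log line per key.
    # Note: no $ in front of the array name when calling "array names".
    set data [AUTH::response_data]
    if { $data ne "" } {
        array set resp $data
        foreach name [array names resp] {
            log local0. "auth response: $name = $resp($name)"
        }
    } else {
        log local0. "auth response: \[AUTH::response_data\] is empty"
    }

    switch -- [AUTH::status] {
        AUTH_SUCCESS {
            # Let the held request through to the pool.
            HTTP::release
        }
        AUTH_WANTCREDENTIAL {
            HTTP::respond 401 "WWW-Authenticate" "Basic realm=\"\""
        }
        AUTH_FAILURE {
            # Hypothetical: EXPIRED_MARKER stands for whatever key (if any) the
            # logging run above shows for an expired account. Only that case
            # is sent to the reset application; every other failure gets a 401
            # so a wrong password cannot be told apart from an unknown user.
            if { [info exists resp(EXPIRED_MARKER)] } {
                HTTP::redirect "https://reset.example.com/"
            } else {
                HTTP::respond 401 "WWW-Authenticate" "Basic realm=\"\""
            }
        }
        default {
            # AUTH_ERROR (LDAP server unreachable etc.): never fail open.
            HTTP::respond 503
        }
    }
}
```

Two things to keep when adapting this: because `HTTP::collect` is holding the request, every non-success branch must send a response or the client hangs until timeout; and the `default` branch deliberately answers 503 rather than releasing the request, so a broken LDAP server does not turn into an authentication bypass. AUTH_RESULT and `AUTH::status` are available from 9.4, so they work on the 10.1.0 box in the thread.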