Forum Discussion
Luke_Drury_7634
Nimbostratus
NimbostratusIrule for Ldap auth based on URL syntax
Hi guys,
I am trying to replace some existing security functionality performed by an apache reverse proxy with some I-rules.
I am not sure if what I want to do is even possible.....
Basicaly the site has its security based on the url of the virtual directories.
For example some will have an a- in the url while other have a b-
eg: http://blah.com.au/a-stuff/ or http://blah.com.au/b-stuff/
I need users who try to access the -a or -b directories to be propted for auth via an LDAP server. ie if they username is found in any of the LDAP OU's then let them access the page.
Is this something that can be done with I rules?
And if so how?
I realise that this will be basic auth and that security won't be good.
Many thanks in advance
Cheers,
Red.
hoolioCirrostratus
Hi Red,
Yes, what you're describing is possible, but it requires the Advanced Client Authentication module. You can find more technical information on AskF5 or on F5's main site (http://www.f5.com/pdf/white-papers/client-authentication-wp.pdf Click here).
You may or may not have this licensed already. You can check in the GUI under System | License. If not you can check with your account rep about pricing.
Aaron
Luke_Drury_7634Hey Aaron
Thanks for that, much appreciated. :D
We have the module licensed now and have part of our configuration in place however we have one small problem.
We need to authenticate against multiple OU's within a LDAP directory.
Clients who try to access uri with a- can be authenticated off our staff OU while uri with a b- can be authenticated off the whole directory.
We are having trouble working out how to associate the two different authentication profiles? with the one virtual server, or utilising two authentication profiles within the one iRule.
Currently we have it authenticating with the b- using the following Irule, with an authentication profile pointing to the whole ldap tree.
How do we make it do this with the a- uri and the specific ldap OU?
when CLIENT_ACCEPTED {
set tmm_auth_ldap_sid [AUTH::start pam default_ldap]
}
when HTTP_REQUEST {
if {[HTTP::uri] contains "b-"} {
AUTH::username_credential $tmm_auth_ldap_sid [HTTP::username]
AUTH::password_credential $tmm_auth_ldap_sid [HTTP::password]
AUTH::authenticate $tmm_auth_ldap_sid
HTTP::collect
}
}
when AUTH_SUCCESS {
if {$tmm_auth_ldap_sid eq [AUTH::last_event_session_id]} {
HTTP::release
}
}
when AUTH_FAILURE {
if {$tmm_auth_ldap_sid eq [AUTH::last_event_session_id]} {
HTTP::respond 401
}
}
when AUTH_WANTCREDENTIAL {
if {$tmm_auth_ldap_sid eq [AUTH::last_event_session_id]} {
HTTP::respond 401
}
}
when AUTH_ERROR {
if {$tmm_auth_ldap_sid eq [AUTH::last_event_session_id]} {
HTTP::respond 401
}
}- hoolioThanks for that. For posterity, could you post an anonymised copy of your VIP, profile and iRule config? You can list out the config using 'b virtual VIP_NAME list', 'b profile PROFILE_NAME list', etc.
Thanks,
Aaron 
fkuser_104673Hi there,
I'm trying to do something similar. One on my applications accept both "DNIe" and "FNMT" certificates to authenticate users. I need to use two different OCSP Responders to verify the certificates.
It's possible to switch between two different OCSP Responders? it doesn't matters how (switching the configuration of my autehntication profile, changing the OCSP responder of the configuration, etc.)
Did you used finally a similar solution, for your problem?- hoolioHi Stefan,
Sorry, I'm in the process of building a new home lab and I don't have an AD server running yet. If you don't get an answer here, I suggest opening a case with F5 Support. Hopefully, they'll be able to provide you with an example config. Example iRules aren't officially supported but they might be able to help.
Else, if you get stuck with that reply back here and I'll see what I can dig up.
Aaron - hoolioHi Stefan,
Thanks for posting your solution. I still don't have a working Windows AD VM set up yet!
By the way, the individual AUTH_ events have been deprecated in favor of a single event, AUTH_RESULT. You might want to update your iRule to use this event instead:
http://devcentral.f5.com/wiki/default.aspx/iRules/auth_result
Aaron - Stefan_Klotz
Cumulonimbus
Hi again,
in the meanwhile we have modified our ldap profile and included now the IP-address of an additional ldap-VS, which itself has the pool with the "real" ldap-servers assign.
My question now, is it possible to have an iRule in place for this ldap-VS, which can check the ldap-query and depending on it choose different pools (different ldap servers should be used for test- and prod-environment)? What event should I use? Any examples would be very nice.
As we are using the ACA module I'd like to avoid any modifications on all my authentication profiles and iRules (which are a lot) and therefor I had the idea to separate this directly on the ldap-VS, but then I realized that this VS don't have the information of the incoming URI like the HTTP-VS.
Thank you!
Ciao Stefan :)
