Forum Discussion
Luke_Drury_7634
Nimbostratus
NimbostratusIrule for Ldap auth based on URL syntax
Hi guys,
I am trying to replace some existing security functionality performed by an apache reverse proxy with some I-rules.
I am not sure if what I want to do is even possible....
Luke_Drury_7634Nimbostratus
NimbostratusHey Aaron
Thanks for that, much appreciated. :D
We have the module licensed now and have part of our configuration in place however we have one small problem.
We need to authenticate against multiple OU's within a LDAP directory.
Clients who try to access uri with a- can be authenticated off our staff OU while uri with a b- can be authenticated off the whole directory.
We are having trouble working out how to associate the two different authentication profiles? with the one virtual server, or utilising two authentication profiles within the one iRule.
Currently we have it authenticating with the b- using the following Irule, with an authentication profile pointing to the whole ldap tree.
How do we make it do this with the a- uri and the specific ldap OU?
when CLIENT_ACCEPTED {
set tmm_auth_ldap_sid [AUTH::start pam default_ldap]
}
when HTTP_REQUEST {
if {[HTTP::uri] contains "b-"} {
AUTH::username_credential $tmm_auth_ldap_sid [HTTP::username]
AUTH::password_credential $tmm_auth_ldap_sid [HTTP::password]
AUTH::authenticate $tmm_auth_ldap_sid
HTTP::collect
}
}
when AUTH_SUCCESS {
if {$tmm_auth_ldap_sid eq [AUTH::last_event_session_id]} {
HTTP::release
}
}
when AUTH_FAILURE {
if {$tmm_auth_ldap_sid eq [AUTH::last_event_session_id]} {
HTTP::respond 401
}
}
when AUTH_WANTCREDENTIAL {
if {$tmm_auth_ldap_sid eq [AUTH::last_event_session_id]} {
HTTP::respond 401
}
}
when AUTH_ERROR {
if {$tmm_auth_ldap_sid eq [AUTH::last_event_session_id]} {
HTTP::respond 401
}
}
