Jun 18, 2012

iRULE Help with LDAP, HTTP Cookie, OCSP, etc...

Ok, in all fairness, this one is beyond my current knowledge of iRULE writing, so if you're feeling generous, please give it a go. I am willing to try, so if you have suggestions, I'm all ears.



I am trying to create an iRULE that does certain things.



1. I want to verify that an X.509 Cert exists and collect the CN= value from the cert
2. I want to look at a specific pool of servers and determine if they are available; if not, send a redirect for another URL
3. Utilize the CAC CN= value gathered above to query an LDAP VIP for a value
4. Insert the LDAP value into a cookie
5. Pass the request to a pool based on the value of the URI string



Here is some preliminary code that I am working from. If anyone has any thoughts on the LDAP section or an idea on how to better organize this, please let me know. Thanks, all advice is welcome.





Here is what we are trying to do:


1. Verify X.509 Cert exists and collect CN= value
2. Sends a 302 Redirect (pointing at COOP VIP) response to Client Browser if Pool is not available
3. Utilize CAC CN={Subject} and LDAP VIP for LDAP Query – Returns Attribute
4. Creates Cookie USERCOOKIE and inserts DN={ldap Attribute}
5. Performs URI based Pool Mapping



Begin iRULE

when CLIENTSSL_CLIENTCERT {

    # Step 1 Check for X.509 Cert
    if { [SSL::cert 0] eq "" } {

        # Reset the connection
        reject

    } else {

        # Example Subject CN: CN=Lastname.Firstname.Middlename.10digitnumber, OU=Somevalue, OU=XYZ, O=U.S. Government, C=US
        set subject_CN [X509::subject [SSL::cert 0]]
        log "Client Certificate Received: $subject_CN"

        # Check if the client certificate contains the correct DN from the list
        # (the draft never defines the global $::mil; it has to be set somewhere, e.g. in RULE_INIT)
        if { $subject_CN contains $::mil } {

            # Accept the client cert
            log "Client Certificate Accepted: $subject_CN"

        } else {

            log "No Matching Client Certificate Was Found Using: $subject_CN"
        }
    }
}
# End Step 1

when HTTP_REQUEST {

    # Step 2 Checks Status of Pool Members and sends redirect if none are available
    if { [active_members [LB::server pool]] == 0 } {
        HTTP::redirect "http://SOMEVIP"
        return
    }

    # Step 3 LDAP Query (still to be written; it must set $subject_DN for Step 4)
    #
    # Query {LDAP VIP} ldapsearch -v -h `hostname` -p 389 -D "cn=adminuser" -w "adminpassword" -b "" -s sub uid={firstname.middleinitial.lastname}otableval
    #
    # Response: This is what will be returned
    #
    # ldapsearch: started Fri Jun 8 19:28:13 2012
    # ldap_init( udea8026v032, 389 )
    # filter pattern: uid=fname.m.lname
    # returning: otableval
    # filter is: (uid=fname.m.lname)
    # version: 1
    # dn: cn=fname.m.lname,cn=users, ou=xyz,ou=abc,ou=tnt,o=something,c=us
    # otableval: fname.m.lname.12324252627
    # 1 matches
    #
    # Need to set a variable called subjectDN to the highlighted text above

    # Step 4 Check if cookie exists in request
    if { [HTTP::cookie exists "USERCOOKIE"] } {
        log "$subject_CN has USERCOOKIE"
    } else {
        # cookie value is DN={ldap Attribute}, i.e. the value Step 3 stores in $subject_DN
        HTTP::cookie insert name "USERCOOKIE" value "DN=$subject_DN"
        log "$subject_CN added USERCOOKIE"
    }

    # Step 5 Makes Pool Selection based on URI
    # Forces URI to lower case, so the string it is compared with must be lower case as well
    if { [string tolower [HTTP::path]] equals "/ocsuristring" } {
        pool OCSPOOLNAME
    }
    # (no else branch yet: other URIs fall through to the virtual server's default pool)
}

when SERVER_CONNECTED {

    # Logs Server Connections
    log local0. "User $subject_CN connected from [IP::client_addr]:[TCP::client_port] to server: [IP::server_addr]:[TCP::server_port] established."
}
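As an added example (not the poster's draft), here is one way to wire the five steps into a single iRule, with the LDAP lookup done through an LDAP authentication profile and the AUTH commands instead of an external ldapsearch. The profile name ldap_query, the pool name OCSPOOLNAME, the attribute name otableval, the cookie layout DN=..., and the assumption that AUTH::response_data comes back as a flat attribute/value Tcl list are all assumptions; the profile's LDAP search filter has to be set up to match on the CN that is passed as the username.

```tcl
when CLIENTSSL_CLIENTCERT {
    # Step 1: require a client certificate and pull the CN out of its subject
    if { [SSL::cert count] == 0 } {
        log local0. "No client certificate from [IP::client_addr], resetting"
        reject
        return
    }
    set subject [X509::subject [SSL::cert 0]]
    # findstr: the text after "CN=" (skip those 3 characters) up to the next comma
    set subject_cn [findstr $subject "CN=" 3 ","]
    if { $subject_cn eq "" } { log local0. "No CN in subject: $subject"; reject; return }
    log local0. "Client certificate accepted: CN=$subject_cn"
}
when HTTP_REQUEST {
    # A resumed SSL session may skip CLIENTSSL_CLIENTCERT, so never trust an unset CN
    if { ![info exists subject_cn] } { reject; return }
    # Step 2: redirect to the COOP VIP when the default pool has no live members
    if { [active_members [LB::server pool]] == 0 } {
        HTTP::redirect "http://SOMEVIP[HTTP::uri]"
        return
    }
    # Step 5: URI-based pool mapping; the literal must be lower case to ever match
    if { [string tolower [HTTP::path]] starts_with "/ocsuristring" } {
        pool OCSPOOLNAME
    }
    # Steps 3/4: only query LDAP when the cookie is not already present
    if { [HTTP::cookie exists "USERCOOKIE"] } { return }
    set auth_sid [AUTH::start pam ldap_query]   ;# assumed LDAP auth profile name
    AUTH::subscribe $auth_sid
    AUTH::username_credential $auth_sid $subject_cn
    AUTH::authenticate $auth_sid
    HTTP::collect   ;# hold the request until AUTH_RESULT releases it
}
when AUTH_RESULT {
    if { [AUTH::status] != 0 } {
        log local0. "LDAP lookup failed for $subject_cn (status [AUTH::status])"
        HTTP::release
        return
    }
    # Assumed layout: AUTH::response_data is a flat attribute/value Tcl list
    set subject_dn ""
    foreach { attr value } [AUTH::response_data] {
        if { [string tolower $attr] eq "otableval" } { set subject_dn $value }
    }
    # Step 4: hand the LDAP attribute to the pool members as DN={ldap Attribute}
    HTTP::cookie insert name "USERCOOKIE" value "DN=$subject_dn"
    HTTP::release
}
```

Because the cookie is set on the request only, a client that strips it simply triggers another LDAP lookup; if the back end relies on the cookie for authorization, it should still treat it as untrusted input and verify it against its own directory.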






