Forum Discussion
John_Masgalas_4
Nimbostratus
Jan 30, 2009
iRule modification - rdp
I currently use the below iRule with our Terminal Services pool. It strips everything after the "@" in the username so that the persistence entry is only the username. I would like to modify it so that usernames that are entered in the form "domain\username" are also entered in the table with just the username. In other words I would like the iRule to strip out everything before the "/". How would I do this? Can someone help?
when CLIENT_ACCEPTED {
    TCP::collect
}
when CLIENT_DATA {
    TCP::collect 25
    binary scan [TCP::payload] x11a* msrdp
    log local0. "Contents after binary scan: $msrdp"
    if { [string equal -nocase -length 17 $msrdp "cookie: mstshash="] } {
        set msrdp [string range $msrdp 17 end]
        set len [string first "\n" $msrdp]
        if { $len == -1 } {
            TCP::collect
            return
        }
        if { $msrdp contains "@" } {
            if { $len > 5 } {
                incr len -1
                log local0. "Data Persisting on: [getfield $msrdp "@" 1]"
                persist uie [getfield $msrdp "@" 1] 10800
            }
        } else { persist uie $msrdp 10800 }
    }
    TCP::release
}
17 Replies
- John_Masgalas_4
Nimbostratus
UnRuleY and citizen_elah were the ones that wrote the iRule for me so if you guys are still around can you help me out? Thanks!
- JRahm
Admin
Yep, I'm still lurking... can you post some examples (sanitized) of the contents of msrdp immediately after the binary scan?
- John_Masgalas_4
Nimbostratus
Here is what's in the ltm log:
Feb 2 13:36:29 tmm tmm[31729]: Rule sso_username : Contents after binary scan: Cookie: mstshash=jmasgalas
Feb 2 13:41:20 tmm tmm[31729]: Rule sso_username : Contents after binary scan: Cookie: mstshash=jmasgalas@Summithealth.local
Feb 2 13:41:20 tmm tmm[31729]: Rule sso_username : Data Persisting on: jmasgalas
Feb 2 14:23:09 tmm tmm[31729]: Rule sso_username : Contents after binary scan: Cookie: mstshash=CHBGHOSP\
Feb 2 14:23:33 tmm tmm[31729]: Rule sso_username : Contents after binary scan: Cookie: mstshash=danaip@Summithealth.local
Feb 2 14:23:33 tmm tmm[31729]: Rule sso_username : Data Persisting on: danaip
See how one of the entries stores only chbghosp\. I want to strip that part so that we can get the username instead of the domain. Another issue we are having is that it persists usernames stripped of @summithealth.local as separate entries from usernames entered with just the username. For example, if I log into a 2X thin client I am logged in as jmasgalas@summithealth.local. The iRule strips it down to jmasgalas and creates a persistence table entry. I then rdp to the VIP from my desktop which sends the username as jmasgalas. The F5 is creating two different persistence table entries named jmasgalas. If you need it I can send you the contents of the persistence table.
- JRahm
Admin
You should be able to check for the presence of the backslash, and if present, split on it and take everything in the second field as your persistence value. If you just want the username, and not the @..., you could do a secondary split on the @ and keep the first field.
- John_Masgalas_4
Nimbostratus
So I could do that in the same iRule? How would I do it? I'm not very good with iRules.
- hoolio
Cirrostratus
If the string you're trying to parse can have three forms:
jmasgalas@example.local
EXAMPLE\jmasgalas
jmasgalas
You can use something like this to parse them down to the account name:
if {$account contains "@"} {
    set account [getfield $account "@" 1]
} elseif {$account contains "\\"} {
    # Need to escape the backslash with a backslash
    set account [getfield $account "\\" 1]
}
If I've missed the issue, let me know.
Thanks,
Aaron
- John_Masgalas_4
Nimbostratus
OK. So I took hoolio's idea and came up with the below iRule. However it strips everything after the \ instead of before. So a username of domain\username becomes domain.
when CLIENT_ACCEPTED {
    TCP::collect
}
when CLIENT_DATA {
    TCP::collect 25
    binary scan [TCP::payload] x11a* msrdp
    log local0. "Contents after binary scan: $msrdp"
    if { [string equal -nocase -length 17 $msrdp "cookie: mstshash="] } {
        set msrdp [string range $msrdp 17 end]
        set len [string first "\n" $msrdp]
        if { $len == -1 } {
            TCP::collect
            return
        }
        if { $msrdp contains "@" } {
            if { $len > 5 } {
                incr len -1
                log local0. "Data Persisting on: [getfield $msrdp "@" 1]"
                persist uie [getfield $msrdp "@" 1] 10800
            }
        }
        if { $msrdp contains "\\" } {
            if { $len > 5 } {
                incr len -1
                log local0. "Data Persisting on: [getfield $msrdp "\\" 1]"
                persist uie [getfield $msrdp "\\" 1] 10800
            }
        } else { persist uie $msrdp 10800 }
    }
    TCP::release
}
- hoolio
Cirrostratus
Can you log the $msrdp value before you modify it?
if { [string equal -nocase -length 17 $msrdp "cookie: mstshash="] } {
->
if { [string equal -nocase -length 17 $msrdp "cookie: mstshash="] } {
    log local0. "\$msrdp: $msrdp"
Aaron
- John_Masgalas_4
Nimbostratus
It does log it after the scan. Adding the log command just duplicates it. It does correctly recognize the usernames.
- John_Masgalas_4
Nimbostratus
Here is the output of the other versions of the username input.
Logging in with username@domain.local:
Feb 6 09:57:59 tmm tmm[31729]: Rule ssotest : Contents after binary scan: Cookie: mstshash=nursetest@summithealth.local
Feb 6 09:57:59 tmm tmm[31729]: Rule ssotest : Data Persisting on: nursetest
Logging in with just the username:
Feb 6 09:59:28 tmm tmm[31729]: Rule ssotest : Contents after binary scan: Cookie: mstshash=nursetest
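Added example, not part of any post in this thread: one way to reduce the three cookie forms discussed above (user, user@domain, DOMAIN\user) to a single persistence key. It assumes the cookie line ends at the first newline (which the posted rule already searches for), lowercases the key on the assumption that account names are case-insensitive, and skips persistence when nothing follows the backslash, as in the "CHBGHOSP\" log line.

```tcl
when CLIENT_ACCEPTED {
    TCP::collect
}
when CLIENT_DATA {
    # Skip the 11 bytes ahead of the cookie, as the rule in the thread does.
    binary scan [TCP::payload] x11a* msrdp
    if { ![string equal -nocase -length 17 $msrdp "cookie: mstshash="] } {
        # No mstshash cookie: fall through to normal load balancing.
        TCP::release
        return
    }
    set value [string range $msrdp 17 end]
    set eol [string first "\n" $value]
    if { $eol == -1 } {
        # Cookie line not complete yet: wait for more data.
        TCP::collect
        return
    }
    # Keep only the cookie line and drop its line terminator, so that
    # "user" and "user@domain" cannot end up as two different keys.
    set account [string trim [string range $value 0 [expr {$eol - 1}]]]
    # DOMAIN\user -> user: the user name is field 2 of the backslash split.
    if { $account contains "\\" } {
        set account [getfield $account "\\" 2]
    }
    # user@domain -> user: the user name is field 1 of the @ split.
    if { $account contains "@" } {
        set account [getfield $account "@" 1]
    }
    # Assumption: account names are case-insensitive, so use one key per user.
    set account [string tolower $account]
    if { $account ne "" } {
        log local0. "Data Persisting on: $account"
        persist uie $account 10800
    } else {
        # Nothing after the backslash: an empty key would pin every
        # such client to the same pool member, so do not persist.
        log local0. "No user name in mstshash cookie, not persisting"
    }
    TCP::release
}
```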
