
Baddogsettle_16
Mar 26, 2015

iRule to replace NetBIOS-Name with sAMAccountName

All,

 

I have an iOS app (qlikview 2.1) that is sometimes sending the NetBIOS-Name rather than the sAMAccountName. I am trying to create an iRule to check for this and do a replacement. I am receiving the following error when saving the iRule:

 

01070151:3: Rule [/Common/qlikview_username_fix] error: /Common/qlikview_username_fix:7: error: [wrong args][HTTP::username replace "$username" "$user"]

 

Has anyone done this and what am I doing wrong?

 

Here is my iRule:

    when HTTP_REQUEST {
        if { [string tolower [HTTP::username]] starts_with "domainname" } {
            set username [string tolower [HTTP::username]]
            set user [getfield $username "/" 2]
            set domain [getfield $username "/" 1]
            HTTP::username replace $username $user
        }
    }

 

Thank you

 

2 Replies

  • According to the wiki page for HTTP::username, it's a read-only command, so you can't update the username with that command. Here's a spin-off of what I've done in the past that may work for you:

    when HTTP_REQUEST {
        if { [HTTP::header exists "Authorization"] && [HTTP::header value "Authorization"] starts_with "Basic " } {
            # Basic Authentication
            # Debug logging only: these lines write the credentials to the log, remove them outside of testing
            log local0. "  Authorization: [HTTP::header value "Authorization"]"
            log local0. "    Username: [HTTP::username]"
            log local0. "    Password: [HTTP::password]"

            # Parse the username (the backslash is doubled so Tcl does not read \" as an escaped quote)
            set user [getfield [string tolower [HTTP::username]] "\\" 2]

            # Recreate the Authorization header
            set newAuth "${user}:[HTTP::password]"
            set newAuthEnc [b64encode $newAuth]
            HTTP::header replace "Authorization" "Basic $newAuthEnc"

            # Remove the variables
            unset newAuth
            unset newAuthEnc
            unset user
        }
    }
    

    NOTE: I saw you were using "/" in your getfield command. Was that intentional or did you mean to use "\" which is used for domain\username notation?

  • With the help from F5 support, I found a way to fix this in the VPE... I added a check to see if session.logon.last.username starts_with "domain":

    If true, do variable assign prior to AD auth:

        Custom Variable: session.logon.last.username
        Custom Expression: return [lindex [split [mcget {session.logon.last.username}] "/"] 1]

    If false, do AD auth.

    This seems to work.
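
The username rewrite that both replies perform (stripping the domain prefix before authentication), as an added offline Python model that is not code from the thread or from F5: it decodes a Basic Authorization header, strips the prefix only when it matches the expected NetBIOS domain, and re-encodes the rest. The function names and the `domainname` default (the placeholder used in the question) are assumptions for illustration.

```python
import base64


def make_basic(userpass):
    """Build a Basic Authorization header from a constructed user:password string."""
    return "Basic " + base64.b64encode(userpass.encode("utf-8")).decode("ascii")


def normalize_basic_auth(header, netbios_domain="domainname"):
    """Strip a leading NetBIOS domain from the username in a Basic header.

    Anything that is not Basic, is malformed, or carries a different (or no)
    domain prefix is returned unchanged, so the backend still decides.
    """
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic":
        return header
    try:
        # binascii.Error and UnicodeDecodeError are both ValueError subclasses
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except ValueError:
        return header
    # Split on the first ":" only: the password may contain colons.
    username, sep, password = decoded.partition(":")
    if not sep:
        return header
    # Accept DOMAIN\user and DOMAIN/user, the two separators seen in the thread.
    for delim in ("\\", "/"):
        domain, found, user = username.partition(delim)
        if found and user and domain.lower() == netbios_domain.lower():
            return make_basic(f"{user}:{password}")
    return header


if __name__ == "__main__":
    # Constructed samples; only the decoded username is printed, never the password.
    for sample in ("DOMAINNAME\\alice:pw", "domainname/bob:p:w", "carol:pw"):
        out = normalize_basic_auth(make_basic(sample))
        print(base64.b64decode(out.split(" ", 1)[1]).decode().partition(":")[0])
```

Unlike the iRule in the first reply, this model leaves the case of the account name untouched and passes through usernames whose prefix is not the expected domain.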