Forum Discussion
Blake_79204
Nimbostratus
NimbostratusiRule/APM Authentication and Authorization with ODBC
Hello, I'm not a developer at all and am pretty much brand new to F5, as well, so if my question is a bit ignorant I apologize in advance. We're converting from our existing authentication scheme to APM, and for the most part it's going well and making sense. We've got the access policy setup for most things to work by looking at LDAP, determining if the user appears there, and then finding out what attributes they have (we have 3 different LDAP instances, here's one example):
Populate and search windowsprod_ldap_memberof
if { $access_session == 1 && $windowsprod_authenticated == 1 } { set windowsprod_ldap_memberof [split [ACCESS::session data get session.ldap./Common/auth_windowsprod_ldap_act_ldap_query_1_ag.attr.memberOf] "\|," ] }
if { $windowsprod_ldap_memberof ne "" } { foreach item $windowsprod_ldap_memberof { set item [string tolower [string trim $item] ]
if { $item ne "" && [lsearch [string tolower $windowsprod_ldap_allow_memberof] $item] >= 0 } {
if { $static::debug == 1 } { log local0. "Found windowsprod memberof role: $item" }
if { $windowsprod_authenticated == 1 } { set user_authorized_for_app 1 } } } }
Then we can compare the groups a person is a memberof with groups allowed access to various apps and make a decision from there.
We have some access requirements that use ODBC and not LDAP.. Ideally, things would work in a similar fashion – user enters username and password and we look to see if they’re there and then look to see what attributes we have so that we can compare those attributes with the allowed attributes per app to say yea or nay. I don’t think we can do the query directly from ODBC. What I can do, though, is get the info from the ODBC connection to an HTTP page as text.
How then, can I use an iRule to read that text and compare with known values in a fashion similar to the LDAP example above?
Any help/feedback would be appreciated.
- Well, if you're already going to have the output on an HTTP page as text, then reading it is relatively easy. iRules has access to the payload of every HTTP response that goes through the box, so all you'd need to do is extract the info you're looking for. There are some good examples of this in the CodeShare, but it's pretty straight-forward.
HTTP::collect in the response to collect the info, run comparisons against HTTP::payload to get the content you're looking for, etc.
Collect - http://devcentral.f5.com/wiki/iRules.HTTP__collect.ashx
Payload - http://devcentral.f5.com/wiki/iRules.HTTP__payload.ashx
If you have specific questions or need help getting started I'm sure we can help with that. ;)
Colin 
Blake_79204Awesome - thank you. I figured it shouldn't be a difficult task, but I didn't know the syntax and was having a hard time finding it. I'll spend some time going through the links you provided, but based on your description that's exactly what I need.
Thanks for the quick response!- Sure thing, I hope it helps.
Colin - Blake_79204OK - making progress, but still stumped on an aspect of this.
As it stands, my APM iRule looks to see if there's an active session, and if so, how are you authenticated? Next, are you authorized to go to this uri? And finally, if so, we'll let you in and pass on your attributes as headers to the application.
If a user is authenticated against LDAP, and they are authorized for the requested URI, then I can grab their attributes from the LDAP query and pass them on to the application. Case-closed, no problem.
If a user is authenticating against ODBC, I have the authorization piece resolved using HTTP form in the VPE. I still need to gather their attributes to pass along to the application. Luckily, I can have these attributes waiting for me on an HTTP page as text, organized however I want. Using HTTP::Collect and HTTP::Payload, I can gather the data, manipulate it, and do what I need.
The stumper, for me, is that I cannot do the HTTP::Collect unless the ‘event when HTTP_Response’ happens first. How do I trigger this event without redirecting the original end user to this 'attribute page’? Essentially, how do I have my iRule go read the contents of an HTTP page without sending the original requestor there?
(As a side note, the help and topics available on DevCentral have been incredibly helpful – I’m feeling lucky to get the help I have.) - Blake_79204iRule love webcast makes me think I need to investigate sideband connections for this....
