Forum Discussion

Takahiro_M_3645
Historic F5 Account
Sep 28, 2010

LDAP attribute based LB

I am trying to create an iRule to do LDAP attribute based LB using v10.2.

The issue I am facing seems to be obtaining the LDAP attribute in the iRule.

Below is the sample script I created, but the "log local0." lines don't output any meaningful characters in /var/log/ltm. Also, the value of 'log local0. "[array size [AUTH::response_data]]"' is always "0".

HTTP basic authentication with the LDAP server works correctly using auth profiles, regardless of whether this iRule is used. Additionally, according to a tcpdump on the server, the LDAP server returns the attributes to BIG-IP correctly.

Could you share a solution with me if you have one?

---------------

when RULE_INIT {
    # Variables set in RULE_INIT are global, not per-connection
    set tmm_auth_subscription "*"
}

when AUTH_RESULT {
    # AUTH::response_data returns a flat key/value list; load it into an array
    array set auth_response_data [AUTH::response_data]

    log local0. [AUTH::status]

    # "array size" takes the name of an array variable. The original line was
    # [array size [AUTH::response_data]], which queries a nonexistent array
    # named after the returned list and therefore always logs 0.
    log local0. "[array size auth_response_data]"

    # Element 2 of the key/value list is the second key name
    log local0. "[lindex [array get auth_response_data] 2]"

    # "array get" returns {key value}; index 1 is the value, index 0 is the key
    set ldap_group [lindex [array get auth_response_data ldap:attr:uid] 1]

    log local0. "$ldap_group"
}

---------------

 

 

---------------

# Note: bind-pw is stored in cleartext, and with ssl disabled both the bind
# password and every user's credentials cross the network unencrypted.
# Outside a lab, enable ssl (LDAPS) with ssl-ca-cert-file and ssl-check-peer
# enabled so the directory server is authenticated, and bind with a
# read-only service account rather than cn=admin.
ltm auth ldap auth-ldap {
    bind-dn cn=admin,dc=example,dc=com
    bind-pw admin
    bind-timeout 30
    check-host-attr disabled
    debug enabled
    filter none
    group-dn none
    group-member-attribute none
    idle-timeout 3600
    ignore-auth-info-unavail no
    ignore-unknown-user disabled
    login-attribute none
    partition Common
    port ldap
    scope sub
    search-base-dn dc=example,dc=com
    search-timeout 30
    servers { 10.100.4.201 }
    ssl disabled
    ssl-ca-cert-file none
    ssl-check-peer disabled
    ssl-ciphers none
    ssl-client-cert none
    ssl-client-key none
    user-template none
    version 3
    warnings enabled
}

---------------

 

  • Hi Takahiro,

    I haven't looked much at the default auth rules in 10.2, but I think the issue might be that tmm_auth_subscription is being set in RULE_INIT. All variables declared in RULE_INIT will be global in scope. Can you change the iRule event from RULE_INIT to CLIENT_ACCEPTED:

    
    when CLIENT_ACCEPTED {
            set tmm_auth_subscription "*"
    }
    

    From the /config/bigip_base.conf:

    These auth profile default rules can be optionally configured to subscribe
    to out-of-band auth response data (obtained via AUTH::response_data).
    Subscriptions are enabled by setting the variable tmm_auth_subscription
    prior to system auth rule invoking AUTH::start call, e.g.,

    when CLIENT_ACCEPTED {
        set tmm_auth_subscription "*"
    }

    It is recommended to set this variable to "*". Although the value of
    tmm_auth_subscription is not used at this time, it is anticipated that
    it will eventually be passed as a parameter to AUTH::subscribe once
    that function supports subscription-matching based on regular expressions.

    Aaron
  • Takahiro_M_3645
    Historic F5 Account
    It worked as expected once I changed my iRule event from RULE_INIT to CLIENT_ACCEPTED. I hadn't thought to look at bigip_base.conf....

    Thank you very much.

    Takahiro


  • Hi Takahiro,

    This description is also listed on the AUTH::response_data wiki page. I updated the page to make it more clear that tmm_auth_subscription needs to be set as a local variable--not a global one.

    Aaron
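
The following iRule is an added example, not code from the original thread or from F5. It puts together the fix Aaron describes (the subscription set as a local variable in CLIENT_ACCEPTED, before the system auth rule calls AUTH::start) with the part the original question was heading for: reading an attribute out of AUTH::response_data and using it to choose a pool. Everything beyond what the thread states is an assumption: the directory is assumed to return a single-valued attribute named departmentNumber, the pools pool_eng, pool_sales and pool_default are hypothetical, and the example assumes the pool command is accepted in AUTH_RESULT on your version (check the iRules reference for 10.x before relying on it).

```tcl
# Added example, not code from the original thread or from F5. It applies the
# fix Aaron describes (subscription set as a local variable in CLIENT_ACCEPTED,
# before the system auth rule calls AUTH::start) and then uses an LDAP
# attribute from AUTH::response_data to pick a pool.
#
# Assumptions, none of which come from the original post: the directory returns
# a single-valued attribute "departmentNumber", the pools pool_eng, pool_sales
# and pool_default exist on the BIG-IP, and the pool command is accepted in
# AUTH_RESULT on your version (check the iRules reference before relying on it).

when CLIENT_ACCEPTED {
    # Per-connection (local) variable. The same assignment in RULE_INIT
    # creates a global, which the system auth rule does not see, so no
    # subscription is registered and AUTH::response_data stays empty.
    set tmm_auth_subscription "*"
}

when AUTH_RESULT {
    # Only a successful bind may influence routing; on failure or error the
    # system auth rule answers with a 401, so do nothing here.
    if { [AUTH::status] != AUTH_SUCCESS } {
        log local0. "auth status [AUTH::status] for [IP::client_addr]: no attribute routing"
        return
    }

    # AUTH::response_data is a flat key/value list; attributes returned by the
    # LDAP search appear under keys named ldap:attr:<attribute>.
    array set auth_response_data [AUTH::response_data]
    log local0. "[array size auth_response_data] response keys, attrs: [array names auth_response_data ldap:attr:*]"

    # Fixed allow-list from attribute value to pool. An unknown or missing
    # value lands on the default pool; never build a pool name from user data.
    set selected_pool "pool_default"
    set dept "none"
    if { [info exists auth_response_data(ldap:attr:departmentNumber)] } {
        set dept $auth_response_data(ldap:attr:departmentNumber)
        switch -- $dept {
            100 { set selected_pool "pool_eng" }
            200 { set selected_pool "pool_sales" }
        }
    }

    pool $selected_pool
    log local0. "[IP::client_addr] departmentNumber=$dept -> $selected_pool"
}
```

Attach the iRule to the same virtual server as the LDAP auth profile. The "array names" log line shows exactly which ldap:attr:* keys the directory returned, which is the quickest way to confirm the subscription is working before adding any routing logic. If the value-to-pool mapping grows beyond a handful of entries, a data group looked up with the class command keeps the same allow-list behaviour without editing the iRule.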