Forum Discussion

federico__guerr
Jun 23, 2006

ldap authentication for selected web pages on a virtual server

Hello,

I'm using BIG-IP LTM as an authentication gateway to a web portal containing both restricted and publicly-accessible content.

All the content is stored on the same web server, and is published through a single LTM virtual server.

Credentials for accessing the portal's restricted areas are to be checked against an Active Directory LDAP server.

I need to modify the default _sys_auth_ldap iRule in order to suppress authentication for publicly accessible URIs. I tried with the following:

    # --- start: original _sys_auth_ldap iRule ---

    when CLIENT_ACCEPTED {
        set tmm_auth_http_collect_count 0
        array set tmm_auth_http_sids {ldap -1}
    }

    when HTTP_REQUEST {
        # Added: the following IF clauses terminate the iRule
        # when publicly accessible URIs are requested
        if {[HTTP::uri] starts_with "/publicURI1"} {
            log LOCAL0.Debug "no auth required!!"
            return
        }
        if {[HTTP::uri] starts_with "/publicURI2"} {
            log LOCAL0.Debug "no auth required!!"
            return
        }
        # End of modifications; the original _sys_auth_ldap iRule follows...

        set tmm_auth_sid $tmm_auth_http_sids(ldap)
        if {$tmm_auth_sid == -1} {
            set tmm_auth_sid [AUTH::start pam default_ldap]
            array set tmm_auth_http_sids [list ldap $tmm_auth_sid]
        }
        AUTH::username_credential $tmm_auth_sid [HTTP::username]
        AUTH::password_credential $tmm_auth_sid [HTTP::password]
        AUTH::authenticate $tmm_auth_sid
        if {$tmm_auth_http_collect_count == 0} {
            HTTP::collect
            set tmm_auth_http_successes 0
        }
        incr tmm_auth_http_collect_count
    }

    when AUTH_SUCCESS {
        if {$tmm_auth_http_sids(ldap) eq [AUTH::last_event_session_id]} {
            incr tmm_auth_http_successes
            if {[info exists tmm_auth_http_sufficient_successes]} {
                if {$tmm_auth_http_successes >= $tmm_auth_http_sufficient_successes} {
                    foreach {type sid} [array get tmm_auth_http_sids] {
                        if {$type ne "ldap" && $sid ne -1} {
                            AUTH::abort $sid
                            array set tmm_auth_http_sids [list $type -1]
                        }
                    }
                    set tmm_auth_http_collect_count 0
                    HTTP::release
                } else {
                    incr tmm_auth_http_collect_count -1
                    if {$tmm_auth_http_collect_count == 0} {
                        HTTP::respond 401
                    }
                }
            } else {
                incr tmm_auth_http_collect_count -1
                if {$tmm_auth_http_collect_count == 0} {
                    HTTP::release
                }
            }
        }
    }

    when AUTH_FAILURE {
        if {$tmm_auth_http_sids(ldap) eq [AUTH::last_event_session_id]} {
            if {[llength [array names tmm_auth_http_sids]] > 1} {
                if {[info exists tmm_auth_http_sufficient_successes]} {
                    incr tmm_auth_http_collect_count -1
                    if {$tmm_auth_http_collect_count == 0} {
                        HTTP::respond 401
                    }
                } else {
                    foreach {type sid} [array get tmm_auth_http_sids] {
                        if {$type ne "ldap" && $sid ne -1} {
                            AUTH::abort $sid
                            array set tmm_auth_http_sids [list $type -1]
                        }
                    }
                    set tmm_auth_http_collect_count 0
                    HTTP::respond 401
                }
            } else {
                set tmm_auth_http_collect_count 0
                HTTP::respond 401
            }
        }
    }

    when AUTH_WANTCREDENTIAL {
        if {$tmm_auth_http_sids(ldap) eq [AUTH::last_event_session_id]} {
            if {[llength [array names tmm_auth_http_sids]] > 1} {
                if {[info exists tmm_auth_http_sufficient_successes]} {
                    incr tmm_auth_http_collect_count -1
                    if {$tmm_auth_http_collect_count == 0} {
                        HTTP::respond 401
                    }
                } else {
                    foreach {type sid} [array get tmm_auth_http_sids] {
                        if {$type ne "ldap" && $sid ne -1} {
                            AUTH::abort $sid
                            array set tmm_auth_http_sids [list $type -1]
                        }
                    }
                    set tmm_auth_http_collect_count 0
                    HTTP::respond 401
                }
            } else {
                set tmm_auth_http_collect_count 0
                HTTP::respond 401
            }
        }
    }

    when AUTH_ERROR {
        if {$tmm_auth_http_sids(ldap) eq [AUTH::last_event_session_id]} {
            if {[llength [array names tmm_auth_http_sids]] > 1} {
                if {[info exists tmm_auth_http_sufficient_successes]} {
                    incr tmm_auth_http_collect_count -1
                    if {$tmm_auth_http_collect_count == 0} {
                        HTTP::respond 401
                    }
                } else {
                    foreach {type sid} [array get tmm_auth_http_sids] {
                        if {$type ne "ldap" && $sid ne -1} {
                            AUTH::abort $sid
                            array set tmm_auth_http_sids [list $type -1]
                        }
                    }
                    set tmm_auth_http_collect_count 0
                    HTTP::respond 401
                }
            } else {
                set tmm_auth_http_collect_count 0
                HTTP::respond 401
            }
        }
    }

 

 

This iRule SEEMS to work...at least if protected resources are accessed first by a user in a session. In fact, if a user accesses a public area first and then requests a protected resource, iRule evaluation fails and the LDAP authentication service becomes unavailable for ALL of the virtual servers.

I should add that all of the web pages are published over SSL (terminated by BIG-IP).

Any insight why?

Thanx,

federico
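The bypass in the post exempts a request from LDAP authentication when the raw request URI `starts_with` a public prefix. A gateway that makes that decision should compare what the origin server will actually resolve: the path without its query string, percent-decoded, with `.` and `..` segments collapsed, and matched only at a segment boundary, so that anything not clearly under a public prefix still goes through authentication. The following is an added example written for this page, not the poster's iRule and not F5 code; it is in Python so that it runs offline, uses the two prefixes from the post, and the sample requests are constructed.

```python
"""Public-URI allow-list check for an authentication gateway (constructed example)."""
from posixpath import normpath
from urllib.parse import unquote, urlsplit

# The prefixes the post exempts from LDAP authentication.
PUBLIC_PREFIXES = ("/publicURI1", "/publicURI2")


def raw_prefix_check(uri, prefixes=PUBLIC_PREFIXES):
    """Literal equivalent of the post's `[HTTP::uri] starts_with "/publicURI1"`."""
    return any(uri.startswith(p) for p in prefixes)


def normalize_path(uri):
    """Reduce a request URI to the path the origin server will resolve.

    - drops the query string and fragment (they do not select the resource)
    - percent-decodes once, so %2e%2e becomes ..
    - collapses "." and ".." segments and duplicate slashes
    """
    path = unquote(urlsplit(uri).path)
    if not path.startswith("/"):
        path = "/" + path
    path = normpath(path)
    # normpath keeps a leading "//"; force exactly one leading slash
    return "/" + path.lstrip("/")


def is_public(uri, prefixes=PUBLIC_PREFIXES):
    """Allow-list match on the normalized path, at segment boundaries only."""
    path = normalize_path(uri)
    for prefix in prefixes:
        prefix = normalize_path(prefix)
        if path == prefix or path.startswith(prefix + "/"):
            return True
    return False  # fail closed: anything else is authenticated


def decide(uri):
    """Mirror of the HTTP_REQUEST branch: skip auth, or hand off to AUTH::*."""
    return "public" if is_public(uri) else "authenticate"


# Constructed sample requests covering the cases where the two checks differ.
SAMPLES = [
    "/publicURI1/index.html",
    "/publicURI1",
    "/publicURI2?next=/restricted/",
    "/publicURI1_private/secret",
    "/publicURI1/../restricted/report",
    "/publicURI1/%2e%2e/restricted/report",
    "/restricted/?ref=/publicURI1",
]


def compare(uris=SAMPLES):
    """Return (uri, raw_result, normalized_result) triples for review."""
    return [(u, raw_prefix_check(u), is_public(u)) for u in uris]


if __name__ == "__main__":
    for uri, raw, norm in compare():
        flag = "" if raw == norm else "   <-- raw prefix check disagrees"
        print(f"{uri:40} raw={raw!s:5} normalized={norm!s:5}{flag}")
```

The three rows where the two columns disagree are the ones a reviewer should care about: a sibling directory that merely shares the prefix, and two spellings of a dot-segment path that the web server collapses into `/restricted/...` while the gateway still sees a string beginning with `/publicURI1`. On the BIG-IP side the same idea carries over by matching the path rather than the whole URI and keeping the allow-list in one place; the normalization and segment-boundary logic is the part worth porting.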

 
