Forum Discussion
Moe_Jartin
Cirrus
May 26, 2010
LDAP Authentication iRule... HELP
I am trying to write an iRule for an LDAP authentication profile. The irule will take the value of a cookie from every request and use it as the username AND password for which it will then validate ...
Moe_Jartin
Cirrus
May 27, 2010
OK, apparently I was very confused. Originally, I had tried the iRule mentioned above but never got it to work. Sorry, I was working on this a while ago and then just came back to it and forgot what I had done.
What I DO have working is an altered version of the built-in _sys_auth_ldap iRule:
when HTTP_REQUEST {
    # Credential arrives in a request header and is used as both username and password
    set ldsdevkey [HTTP::header value LDSDEVKEY]
    if {not [info exists tmm_auth_http_sids(ldap)]} {
        set tmm_auth_sid [AUTH::start pam default_ldap]
        set tmm_auth_http_sids(ldap) $tmm_auth_sid
        if {[info exists tmm_auth_subscription]} {
            AUTH::subscribe $tmm_auth_sid
        }
    } else {
        set tmm_auth_sid $tmm_auth_http_sids(ldap)
    }
    AUTH::username_credential $tmm_auth_sid $ldsdevkey
    AUTH::password_credential $tmm_auth_sid $ldsdevkey
    AUTH::authenticate $tmm_auth_sid
    # Hold the request until the auth result arrives
    if {not [info exists tmm_auth_http_collect_count]} {
        HTTP::collect
        set tmm_auth_http_successes 0
        set tmm_auth_http_collect_count 1
    } else {
        incr tmm_auth_http_collect_count
    }
}
when AUTH_RESULT {
    if {not [info exists tmm_auth_http_sids(ldap)] or \
        ($tmm_auth_http_sids(ldap) != [AUTH::last_event_session_id]) or \
        (not [info exists tmm_auth_http_collect_count])} {
        return
    }
    if {[AUTH::status] == 0} {
        incr tmm_auth_http_successes
    }
    # If multiple auth sessions are pending and
    # one failure results in termination and this is a failure
    # or enough successes have now occurred
    if {([array size tmm_auth_http_sids] > 1) and \
        ((not [info exists tmm_auth_http_sufficient_successes] or \
        ($tmm_auth_http_successes >= $tmm_auth_http_sufficient_successes)))} {
        # Abort the other auth sessions
        foreach {type sid} [array get tmm_auth_http_sids] {
            unset tmm_auth_http_sids($type)
            if {($type ne "ldap") and ($sid != -1)} {
                AUTH::abort $sid
                incr tmm_auth_http_collect_count -1
            }
        }
    }
    # If this is the last outstanding auth then either
    # release or respond to this session
    incr tmm_auth_http_collect_count -1
    if {$tmm_auth_http_collect_count == 0} {
        unset tmm_auth_http_collect_count
        if {[AUTH::status] == 0} {
            HTTP::release
        } else {
            HTTP::respond 401
        }
    }
}

So what I want to add to this is the "add a session when the user logs in, and check to see if a session already exists before querying LDAP" behavior from the CodeShare iRule I mentioned earlier. (http://devcentral.f5.com/wiki/default.aspx/iRules/ClientAuthUsingHTMLForms.html) I just really have NO IDEA how to do this. I am decent at HTTP iRules but this authentication is over my head. Is this possible?
Thanks again,
Joe
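One way to add the "check for an existing session before querying LDAP" behaviour asked about above, written here as an added example; it is not code from the post or from F5's built-in _sys_auth_ldap rule. It assumes an LTM release with the `table` command (v10.1 or later) and the `md5`/`b64encode` commands, keeps a single LDAP auth session instead of the multi-session bookkeeping of the built-in rule, and the subtable name `ldap_auth_ok` and the timeout values are choices made for this example.

```tcl
when HTTP_REQUEST {
    set ldsdevkey [HTTP::header value LDSDEVKEY]
    if {$ldsdevkey eq ""} {
        # No credential presented: reject without an LDAP round-trip
        HTTP::respond 401
        return
    }
    # Key the cache on a digest of the credential so the secret itself is
    # never stored in the session table (assumption: md5 and b64encode exist)
    set auth_cache_key [b64encode [md5 $ldsdevkey]]
    if {[table lookup -subtable ldap_auth_ok $auth_cache_key] ne ""} {
        # Validated within the cache window: pass the request through.
        # Returning here means no HTTP::collect, so nothing is held.
        return
    }
    # Cache miss: hold the request and validate against LDAP as before
    set tmm_auth_sid [AUTH::start pam default_ldap]
    AUTH::username_credential $tmm_auth_sid $ldsdevkey
    AUTH::password_credential $tmm_auth_sid $ldsdevkey
    AUTH::authenticate $tmm_auth_sid
    HTTP::collect
}

when AUTH_RESULT {
    # Only act on the result for the session this connection started
    if {not [info exists tmm_auth_sid] or \
        ($tmm_auth_sid != [AUTH::last_event_session_id])} {
        return
    }
    if {[AUTH::status] == 0} {
        # Success: remember the digest for 300 s of idle time with a hard
        # lifetime of 3600 s, so a key revoked in LDAP is re-checked within
        # an hour at most. Shorter windows trade LDAP load for faster revocation.
        table set -subtable ldap_auth_ok $auth_cache_key 1 300 3600
        HTTP::release
    } else {
        # Failures are never cached; the next request goes to LDAP again
        HTTP::respond 401
    }
}
```

A cache hit accepts the header value without contacting LDAP for up to the lifetime set above, so lockouts or password changes made in the directory take effect only after that window expires.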