Forum Discussion
Moe_Jartin (Cirrus)
May 26, 2010
LDAP Authentication iRule... HELP
I am trying to write an iRule for an LDAP authentication profile. The irule will take the value of a cookie from every request and use it as the username AND password for which it will then validate ...
hoolio (Cirrostratus)
May 28, 2010
Hi Joe,
If that rule is working for you and you just want to track successful auth attempts in the session table, you can try something like this. Note that I haven't tested this--I just looked for the places where the AUTH::status result was checked and added the key to the session table.
I think you'd want to prevent a request which doesn't have the header set with a value. I added a 401 response for this case, but you might want to change this. Else, if there is a key, it's checked against the session table to see if auth has already been successful.
when HTTP_REQUEST {
    # Get the key value from the header
    set ldsdevkey [HTTP::header value LDSDEVKEY]

    # Do something if there is no value for the key?
    if {$ldsdevkey eq ""} {
        HTTP::respond 401
        return
    }

    # Check if there is an existing session for the key
    if {[session lookup uie $ldsdevkey] ne ""} {
        # There is an existing session for this key, so don't do any auth for this request
        return
    }

    # Start (or reuse) the LDAP auth session for this connection
    if {not [info exists tmm_auth_http_sids(ldap)]} {
        set tmm_auth_sid [AUTH::start pam default_ldap]
        set tmm_auth_http_sids(ldap) $tmm_auth_sid
        if {[info exists tmm_auth_subscription]} {
            AUTH::subscribe $tmm_auth_sid
        }
    } else {
        set tmm_auth_sid $tmm_auth_http_sids(ldap)
    }

    # The header value is used as both the username and the password
    AUTH::username_credential $tmm_auth_sid $ldsdevkey
    AUTH::password_credential $tmm_auth_sid $ldsdevkey
    AUTH::authenticate $tmm_auth_sid

    # Hold the request until the auth result comes back
    if {not [info exists tmm_auth_http_collect_count]} {
        HTTP::collect
        set tmm_auth_http_successes 0
        set tmm_auth_http_collect_count 1
    } else {
        incr tmm_auth_http_collect_count
    }
}

when AUTH_RESULT {
    # Ignore results that don't belong to our LDAP auth session
    if {not [info exists tmm_auth_http_sids(ldap)] or \
        ($tmm_auth_http_sids(ldap) != [AUTH::last_event_session_id]) or \
        (not [info exists tmm_auth_http_collect_count])} {
        return
    }

    if {[AUTH::status] == 0} {
        # Auth was successful, so add the key to the session table
        # The value doesn't matter, so use anything
        session add uie $ldsdevkey 1 1800
        incr tmm_auth_http_successes
    }

    # If multiple auth sessions are pending and
    # one failure results in termination and this is a failure
    # or enough successes have now occurred
    if {([array size tmm_auth_http_sids] > 1) and \
        ((not [info exists tmm_auth_http_sufficient_successes] or \
        ($tmm_auth_http_successes >= $tmm_auth_http_sufficient_successes)))} {
        # Abort the other auth sessions
        foreach {type sid} [array get tmm_auth_http_sids] {
            unset tmm_auth_http_sids($type)
            if {($type ne "ldap") and ($sid != -1)} {
                AUTH::abort $sid
                incr tmm_auth_http_collect_count -1
            }
        }
    }

    # If this is the last outstanding auth then either
    # release or respond to this session
    incr tmm_auth_http_collect_count -1
    if {$tmm_auth_http_collect_count == 0} {
        unset tmm_auth_http_collect_count
        if {[AUTH::status] == 0} {
            # Auth was successful, so add the key to the session table
            # The value doesn't matter, so use anything
            session add uie $ldsdevkey 1 1800
            HTTP::release
        } else {
            HTTP::respond 401
        }
    }
}
Aaron
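The decision flow in Aaron's iRule (no header value gives a 401, a session-table hit skips LDAP, a successful bind is cached for 1800 seconds, a failed bind gives a 401) can be exercised offline with the following model. This is an added example, not code from the thread or from F5: the LDAP bind is a constructed stub standing in for the `default_ldap` PAM profile, the clock is injectable so the expiry can be tested, and as one assumption beyond the iRule the header value is SHA-256 hashed before it is used as the session-table key, so the raw credential is not stored as a lookup key.

```python
"""Model of the header-keyed LDAP auth gate from the iRule above.
Added example, not BIG-IP code: the directory is a constructed stub and the
clock is injectable so the 1800-second session expiry can be driven by hand."""
import hashlib
import time


class AuthGate:
    """Mirrors the iRule's decisions: 401 without LDSDEVKEY, pass-through on a
    session-table hit, otherwise authenticate and cache a success for ttl seconds."""

    def __init__(self, ldap_bind, ttl=1800, clock=time.monotonic):
        self._ldap_bind = ldap_bind   # callable(user, password) -> bool (stub here)
        self._ttl = ttl
        self._clock = clock
        self._sessions = {}           # hashed key -> expiry timestamp
        self.ldap_calls = 0           # how many times the directory was actually asked

    @staticmethod
    def _session_key(raw_key):
        # Assumption beyond the iRule: hash the credential before using it as the
        # table key so the raw secret does not sit in the session table.
        return hashlib.sha256(raw_key.encode()).hexdigest()

    def handle(self, headers):
        """Return (status, reason) for one request, given its header dict."""
        raw_key = headers.get("LDSDEVKEY", "")
        if raw_key == "":
            return 401, "missing-key"          # iRule: HTTP::respond 401 on empty header
        skey = self._session_key(raw_key)
        now = self._clock()
        expiry = self._sessions.get(skey)
        if expiry is not None and expiry > now:
            return 200, "session-hit"          # iRule: session lookup found, no auth
        self._sessions.pop(skey, None)         # expired or absent
        self.ldap_calls += 1
        # The iRule binds with the header value as both username and password.
        if self._ldap_bind(raw_key, raw_key):
            self._sessions[skey] = now + self._ttl   # iRule: session add uie ... 1 1800
            return 200, "ldap-ok"
        return 401, "ldap-fail"


# Constructed directory stub standing in for the default_ldap PAM profile.
_FAKE_DIRECTORY = {"dev-key-42": "dev-key-42"}


def fake_ldap_bind(user, password):
    return _FAKE_DIRECTORY.get(user) == password


def demo():
    """Drive the gate through the cases the iRule distinguishes."""
    t = [0.0]
    gate = AuthGate(fake_ldap_bind, ttl=1800, clock=lambda: t[0])
    results = [
        gate.handle({}),                            # no header -> 401
        gate.handle({"LDSDEVKEY": "dev-key-42"}),   # first use -> LDAP bind
        gate.handle({"LDSDEVKEY": "dev-key-42"}),   # within TTL -> session hit
        gate.handle({"LDSDEVKEY": "nope"}),         # unknown key -> 401
    ]
    t[0] = 1801.0                                   # step past the 1800 s expiry
    results.append(gate.handle({"LDSDEVKEY": "dev-key-42"}))  # expired -> LDAP again
    return results, gate.ldap_calls


if __name__ == "__main__":
    outcomes, calls = demo()
    for r in outcomes:
        print(r)
    print("LDAP binds performed:", calls)
```

The model makes the caching trade-off visible: once a key has bound successfully, the directory is not consulted again until the session-table entry expires, so a key revoked in LDAP keeps working for up to the configured 1800 seconds.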