hooleylist
May 28, 2010
Hi Joe,
If that rule is working for you and you just want to track successful auth attempts in the session table, you can try something like this. Note that I haven't tested this--I just looked for the places where the AUTH::status result was checked and added the key to the session table.
I think you'd want to prevent a request which doesn't have the header set with a value. I added a 401 response for this case, but you might want to change this. Else, if there is a key, it's checked against the session table to see if auth has already been successful.
```tcl
when HTTP_REQUEST {
    # Get the key value from the header
    set ldsdevkey [HTTP::header value LDSDEVKEY]

    # Do something if there is no value for the key?
    if {$ldsdevkey eq ""} {
        HTTP::respond 401
        return
    }

    # Check if there is an existing session for the key
    if {[session lookup uie $ldsdevkey] ne ""} {
        # There is an existing session for this key, so don't do any auth for this request
        return
    }

    if {not [info exists tmm_auth_http_sids(ldap)]} {
        set tmm_auth_sid [AUTH::start pam default_ldap]
        set tmm_auth_http_sids(ldap) $tmm_auth_sid
        if {[info exists tmm_auth_subscription]} {
            AUTH::subscribe $tmm_auth_sid
        }
    } else {
        set tmm_auth_sid $tmm_auth_http_sids(ldap)
    }
    AUTH::username_credential $tmm_auth_sid $ldsdevkey
    AUTH::password_credential $tmm_auth_sid $ldsdevkey
    AUTH::authenticate $tmm_auth_sid

    if {not [info exists tmm_auth_http_collect_count]} {
        HTTP::collect
        set tmm_auth_http_successes 0
        set tmm_auth_http_collect_count 1
    } else {
        incr tmm_auth_http_collect_count
    }
}

when AUTH_RESULT {
    if {not [info exists tmm_auth_http_sids(ldap)] or \
        ($tmm_auth_http_sids(ldap) != [AUTH::last_event_session_id]) or \
        (not [info exists tmm_auth_http_collect_count])} {
        return
    }

    if {[AUTH::status] == 0} {
        # Auth was successful, so add the key to the session table
        # The value doesn't matter, so use anything
        session add uie $ldsdevkey 1 1800
        incr tmm_auth_http_successes
    }

    # If multiple auth sessions are pending and
    # one failure results in termination and this is a failure
    # or enough successes have now occurred
    if {([array size tmm_auth_http_sids] > 1) and \
        ((not [info exists tmm_auth_http_sufficient_successes] or \
          ($tmm_auth_http_successes >= $tmm_auth_http_sufficient_successes)))} {
        # Abort the other auth sessions
        foreach {type sid} [array get tmm_auth_http_sids] {
            unset tmm_auth_http_sids($type)
            if {($type ne "ldap") and ($sid != -1)} {
                AUTH::abort $sid
                incr tmm_auth_http_collect_count -1
            }
        }
    }

    # If this is the last outstanding auth then either
    # release or respond to this session
    incr tmm_auth_http_collect_count -1
    if {$tmm_auth_http_collect_count == 0} {
        unset tmm_auth_http_collect_count
        if {[AUTH::status] == 0} {
            # Auth was successful, so add the key to the session table
            # The value doesn't matter, so use anything
            session add uie $ldsdevkey 1 1800
            HTTP::release
        } else {
            HTTP::respond 401
        }
    }
}
```
Aaron
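As an added example, not code from the post above or from F5, the following Python models the request flow the iRule implements: a missing LDSDEVKEY header is rejected without touching LDAP, a key already in the session table bypasses authentication, and a key is cached for 1800 seconds only after a successful backend check. The `SessionTable` class and the injected `authenticate` callback are stand-ins for the BIG-IP session table and the LDAP auth session, assumed here for an offline run.

```python
"""Model of the auth-caching flow in the iRule above (added example, not the
original post's code). The session table and authenticator are stand-ins."""
import time
from typing import Callable, Dict

SESSION_TIMEOUT = 1800  # seconds, same as the iRule's `session add ... 1800`


class SessionTable:
    """Stand-in for the BIG-IP session table: key -> expiry timestamp."""

    def __init__(self, clock: Callable[[], float] = time.monotonic):
        self._clock = clock
        self._entries: Dict[str, float] = {}

    def lookup(self, key: str) -> bool:
        """True if the key is present and its timeout has not elapsed."""
        expires = self._entries.get(key)
        if expires is None:
            return False
        if expires <= self._clock():
            del self._entries[key]  # expired entries are dropped lazily
            return False
        return True

    def add(self, key: str, timeout: float) -> None:
        self._entries[key] = self._clock() + timeout


def handle_request(table: SessionTable, headers: Dict[str, str],
                   authenticate: Callable[[str], bool]) -> str:
    """Return the action the iRule takes for one request.

    'reject': no LDSDEVKEY header   -> HTTP 401, backend never contacted
    'cached': key in session table  -> request passes, no auth performed
    'allow' : backend auth succeeded -> key cached, request released
    'deny'  : backend auth failed   -> HTTP 401, nothing cached
    """
    key = headers.get("LDSDEVKEY", "")
    if key == "":
        return "reject"
    if table.lookup(key):
        return "cached"
    # Stands in for AUTH::authenticate plus the AUTH_RESULT status check
    if authenticate(key):
        table.add(key, SESSION_TIMEOUT)
        return "allow"
    return "deny"
```

Because failures are never cached, every request with an unknown or invalid key still reaches the backend; only successes are short-circuited.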