LDAP Authentication iRule... HELP

You're talking about something I'd call "post-access authentication". Take a look at this section of the Wiki for SSL client certificate authentication.

https://devcentral.f5.com/wiki/iRules.SSL__authenticate.ashx

Unfortunately, neither ACA nor APM natively do post-access authentication in this way (currently), so I can potentially think of three ways to solve this:

ACA -

The iRule that implements LDAP in ACA (_sys_auth_ldap) calls AUTH::authenticate from the HTTP_REQUEST event. You could create a conditional that only calls AUTH::authenticate if the URI starts with "/test" AND the user isn't presenting a valid session token. Replace the final HTTP::release in the AUTH_RESULT event with an HTTP::respond 302 redirect back to the requested VIP and with a new session token (unique ID stored in a table).

APM -

The HTTP_REQUEST event is called before the initial access policy redirect and start, so you could probably just do an ACCESS::disable in the HTTP_REQUEST event as long as the the URI does not start with "/test".

when HTTP_REQUEST {
if { not ( [HTTP::uri] starts_with "/test" ) } {
ACCESS::disable
}
}

TWO-VIP (ACA or APM)

1. User accesses site without authentication

2. user attempts to access "/test", does not have a token, so is redirected to another VIP to do authentication

3. User accesses authentication VIP, authenticates (ACA or APM), and is redirected back to originating site with a token

3. Originating site evaluates token (mapped to auth data acquired bu auth VIP) and allows access to "/test"