Forum Discussion
LDAP authentication on multiple URL's
All,
I have a configuration request regarding LDAP authentication and authentication profiles. At this moment we have a working configuration with LDAP authentication but only for one application. First I will describe the situation:
One virtual server is made and in this scenario I will call it protected_application
We have one authentication profile and one LDAP server for this virtual server.
On this virtual server we created 3 new applications:
These are divided into different HTTP classes because the path is different; an example URL is www.example.com/applicationgroup1 or www.example.com/applicationgroup2
- name of the app: application4group1
- name of the app: application4group2
- name of the app: application4group3
Is it possible to search in the LDAP directory and only allow users from group 1 to the application4group1 and people of group2 must have access to group2. We have an ASM license on this box so no APM options are available at this moment. Is it possible to achieve this by configuring an iRule?
Thanks in advance
5 Replies
- Kevin_Stewart
Employee
I believe you're talking about LDAP via the ACA module, in which case the mechanism is controlled by an iRule. There are a few things you'll need to do:

```tcl
when AUTH_RESULT {
    if { [AUTH::response_data] contains "ldap" } {
        # Search for the ldap:attr:memberOf (list) properties in the
        # returned successful LDAP auth/query
        set memberOf [list]
        foreach x [lsearch -all [AUTH::response_data] "ldap:attr:memberOf"] {
            lappend memberOf [lindex [AUTH::response_data] [expr {$x + 1}]]
        }
        # The memberOf variable will now contain a list of LDAP memberOf
        # properties. Do something with this information.
        ...
    }
}
```
- Jeroen_V_95572
Nimbostratus
Hi Kevin,
- Kevin_Stewart
Employee
On the ACA LDAP Configuration page, the "Remote LDAP Tree" is the starting point of the search, so you'd enter "cn=groupname,ou=groups,dc=base" here. You can use the Login Attribute to specify which field you're looking for; in this case I'm guessing "cn".
- Jeroen_V_95572
Nimbostratus
Actually we first need to verify if the user exists and the authentication is successful and then we need to determine if he is in the correct group. So I think we need to execute 2 different LDAP queries.
- Kevin_Stewart
Employee
The LDAP authentication will return a plethora of LDAP data about the user if the user exists. If you need to authenticate the user via LDAP and then search in a completely different place for group membership, then potentially you would need to run multiple queries.
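Putting the thread together as an added example (not Kevin's iRule and not F5-supplied code): a single iRule that runs the existing LDAP auth profile, holds the request, and then allows the user only if the memberOf list from AUTH::response_data contains the group mapped to the requested path. The profile name ldap_auth_profile and the three group DNs are assumptions; the path-to-group map follows the URLs in the question.

```tcl
# Added example, not code from the thread or from F5: authenticate through the
# existing LDAP auth profile, then authorize by URI path and LDAP memberOf.
# "ldap_auth_profile" and the group DNs are assumed names.
when CLIENT_ACCEPTED {
    set ldap_sid 0
    set required_group ""
}
when HTTP_REQUEST {
    # Map each application path to the one group allowed to reach it.
    switch -glob -- [string tolower [HTTP::path]] {
        "/applicationgroup1*" { set required_group "cn=group1,ou=groups,dc=example,dc=com" }
        "/applicationgroup2*" { set required_group "cn=group2,ou=groups,dc=example,dc=com" }
        "/applicationgroup3*" { set required_group "cn=group3,ou=groups,dc=example,dc=com" }
        default               { set required_group "" }
    }
    if { [HTTP::username] eq "" } {
        # No credentials yet: challenge for HTTP Basic auth.
        HTTP::respond 401 "WWW-Authenticate" "Basic realm=\"protected_application\""
        return
    }
    set ldap_sid [AUTH::start pam ldap_auth_profile]
    AUTH::subscribe $ldap_sid
    AUTH::username_credential $ldap_sid [HTTP::username]
    AUTH::password_credential $ldap_sid [HTTP::password]
    AUTH::authenticate $ldap_sid
    # Hold the request until AUTH_RESULT has decided.
    HTTP::collect
}
when AUTH_RESULT {
    if { $ldap_sid != [AUTH::last_event_session_id] } { return }
    if { [AUTH::status] != 0 } {
        # Bind failed: wrong password or unknown user.
        HTTP::respond 401 "WWW-Authenticate" "Basic realm=\"protected_application\""
        return
    }
    # Pull every memberOf value out of the flat key/value list the LDAP module returns.
    set memberOf [list]
    set data [AUTH::response_data]
    foreach idx [lsearch -all -exact $data "ldap:attr:memberOf"] {
        lappend memberOf [string tolower [lindex $data [expr {$idx + 1}]]]
    }
    if { $required_group ne "" && [lsearch -exact $memberOf [string tolower $required_group]] < 0 } {
        # Authenticated but not in the group mapped to this path: deny, don't release.
        HTTP::respond 403 content "Forbidden: not a member of the group for this application"
        return
    }
    HTTP::release
}
```

The membership test is an exact (case-folded) match on the DN string, so each DN in the map must be written exactly as the directory returns it in memberOf.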