LDAP authentication on multiple URL's

I believe you're talking about LDAP via the ACA module, in which case the mechanism is controlled by an iRule. There's a few things you'll need to do:

1. If you're using the default _sys_auth_ldap iRule, make a copy of that and edit the copy.

2. In your HTTP_REQUEST event, ensure that you subscribe to the AUTH response (no matter what) using the AUTH::subscribe command.

3. An LDAP auth will trigger the AUTH_RESULT event. Once you've subscribed, if the auth was successful, you'll have an object called AUTH::response_data that will be filled with name-value pairs of LDAP attributes. You'll want to use the "ldap:attr:memberOf" property(ies) of that object to get group membership information. Now here's where it gets tricky. The examples in the wiki for using AUTH::response_data (https://devcentral.f5.com/wiki/iRules.AUTH__response_data.ashx) all create arrays to make accessing the name-value pairs easier. Unfortunately though, the "ldap:attr:memberOf" attributes will be listed as separate pairs with the same name property, so creating an array will only allow one of the pairs to be stored because you can't have duplicate indexes in the array. To get around this you need to keep it in list format, search through the list for "ldap:attr:memberOf", and store the value immediately after that one in the list. Here's an example:

when AUTH_RESULT {
    if { [AUTH::response_data] contains "ldap" } {
         Search for the ldap:attr:memberOf (list) properties in the returned successful LDAP auth/query
        set memberOf [list]
        foreach x [lsearch -all [AUTH::response_data] "ldap:attr:memberOf"] {
            lappend memberOf [lindex [AUTH::response_data] [expr $x + 1]]
        }
         The memberOf variable will now contain a list of LDAP memberOf properties. Do something with this information.
        ... 
    }
}

At the end of this you'll have a list named "memberOf" that will contain the user's group memberships.

ex.

CN=foogroup,CN=Users,DC=MYDOMAIN,DC=COM

CN=bargroup,CN=Users,DC=MYDOMAIN,DC=COM

CN=testgroup,CN=Users,DC=MYDOMAIN,DC=COM

You can now process access requests based on the values in this list. Make sure you store the list so that you can use it across TCP connections.

Alternatively you could just search the AUTH::response_data object for a specific group membership string.

Hope this helps.

Hi Kevin,

 

 

Thanks for teh feedback ! It was a great help to me but I still have one problem. The LDAP configuration is not managed by us so we can't change anything on this server. With an ldapsearch I verified the responses from our LDAP query's and I couldn't find an LDAP attribute member of. So I asked how can I verify if a user belangs to a specific group and for that I need to go to the following directory cn=groupname,ou=groups;dc=base. in this directory I need to search for the username. So is it possible after authentication that I can verify a specific directory for a dynamic CN entry ?

 

 

Regards,

 

 

J

On the ACA LDAP Configuration page, the "Remote LDAP Tree" is the starting point of the search, so you'd enter "cn=groupname,ou=groups,dc=base" here. You can use the Login Attribute to specify which field you're looking for, in this case I'm guessing "cn".

 

 

So are you just trying to determine if the user exists in this path?

Actually we first need to verify if the user exists and the authentication is successfull and then we need to determine if he is in the correct group. So I think we need to execute 2 different LDAP queries.

 

 

The LDAP authentication will return a plethora of LDAP data about the user if the user exists. If you need to authenticate the user via LDAP and then search in a completely different place for group membership, then potentially you would need to run multiple queries.