Forum Discussion

Jeroen_V_95572
Oct 18, 2012

LDAP authentication on multiple URL's

All,

I have a configuration request regarding LDAP authentication and authentication profiles. At this moment we have a working configuration with LDAP authentication but only for one application. First I will describe the situation:

One virtual server is made and in this scenario I will call it protected_application.

We have one authentication profile and one LDAP server for this virtual server.

On this virtual server we created 3 new applications:

These are divided into different HTTP classes because the path is different; an example URL is www.example.com/applicationgroup1 or www.example.com/applicationgroup2

- name of the app: application4group1
- name of the app: application4group2
- name of the app: application4group3

Is it possible to search in the LDAP directory and only allow users from group 1 to application4group1, and people of group 2 must have access to group 2? We have an ASM license on this box so no APM options are available at this moment. Is it possible to achieve this by configuring an iRule?

Thanks in advance

5 Replies

  • I believe you're talking about LDAP via the ACA module, in which case the mechanism is controlled by an iRule. There are a few things you'll need to do:

    1. If you're using the default _sys_auth_ldap iRule, make a copy of that and edit the copy.

    2. In your HTTP_REQUEST event, ensure that you subscribe to the AUTH response (no matter what) using the AUTH::subscribe command.

    3. An LDAP auth will trigger the AUTH_RESULT event. Once you've subscribed, if the auth was successful, you'll have an object called AUTH::response_data that will be filled with name-value pairs of LDAP attributes. You'll want to use the "ldap:attr:memberOf" property(ies) of that object to get group membership information. Now here's where it gets tricky. The examples in the wiki for using AUTH::response_data (https://devcentral.f5.com/wiki/iRules.AUTH__response_data.ashx) all create arrays to make accessing the name-value pairs easier. Unfortunately though, the "ldap:attr:memberOf" attributes will be listed as separate pairs with the same name property, so creating an array will only allow one of the pairs to be stored because you can't have duplicate indexes in the array. To get around this you need to keep it in list format, search through the list for "ldap:attr:memberOf", and store the value immediately after that one in the list. Here's an example:

    when AUTH_RESULT {
        if { [AUTH::response_data] contains "ldap" } {
            # Search for the ldap:attr:memberOf (list) properties in the returned successful LDAP auth/query.
            # The response is a flat name/value list, so collect the element after every matching name.
            set memberOf [list]
            foreach x [lsearch -all [AUTH::response_data] "ldap:attr:memberOf"] {
                lappend memberOf [lindex [AUTH::response_data] [expr {$x + 1}]]
            }
            # The memberOf variable will now contain a list of LDAP memberOf properties. Do something with this information.
            ...
        }
    }

    At the end of this you'll have a list named "memberOf" that will contain the user's group memberships.

    ex.

    CN=foogroup,CN=Users,DC=MYDOMAIN,DC=COM

    CN=bargroup,CN=Users,DC=MYDOMAIN,DC=COM

    CN=testgroup,CN=Users,DC=MYDOMAIN,DC=COM

    You can now process access requests based on the values in this list. Make sure you store the list so that you can use it across TCP connections.

    Alternatively you could just search the AUTH::response_data object for a specific group membership string.

    Hope this helps.
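A Python model of the two points in the answer above, the duplicate-key collapse when the response is turned into an array, and the path-to-group check the original question asks for. This is an added example, not code from the thread or from F5; the response list, group DNs and path mapping are constructed for illustration.

```python
# Constructed stand-in for AUTH::response_data: a flat name, value, name, value ... list.
# Note the two "ldap:attr:memberOf" entries with the same name.
RESPONSE_DATA = [
    "ldap:attr:cn", "jdoe",
    "ldap:attr:memberOf", "CN=group1,OU=groups,DC=example,DC=com",
    "ldap:attr:memberOf", "CN=group3,OU=groups,DC=example,DC=com",
    "ldap:attr:mail", "jdoe@example.com",
]

# Constructed mapping from URL path prefix to the group DN that may use it.
PATH_TO_GROUP = {
    "/applicationgroup1": "CN=group1,OU=groups,DC=example,DC=com",
    "/applicationgroup2": "CN=group2,OU=groups,DC=example,DC=com",
    "/applicationgroup3": "CN=group3,OU=groups,DC=example,DC=com",
}


def as_array(data):
    """Mimics the wiki's array pattern: a later duplicate key overwrites the earlier one,
    so only the last memberOf value survives."""
    return dict(zip(data[0::2], data[1::2]))


def member_of(data):
    """Equivalent of the lsearch -all loop in the answer: walk the name positions and
    keep the value that follows every memberOf name, preserving all of them."""
    return [data[i + 1] for i in range(0, len(data) - 1, 2)
            if data[i] == "ldap:attr:memberOf"]


def required_group(path):
    """Return the group DN required for a path, or None for an unmapped path."""
    for prefix, group in PATH_TO_GROUP.items():
        if path == prefix or path.startswith(prefix + "/"):
            return group
    return None


def authorize(path, data):
    """Allow the request only if the user's memberOf list holds the group the path needs.
    Unmapped paths are denied by default; DN comparison is case-insensitive."""
    group = required_group(path)
    if group is None:
        return False
    groups = {g.lower() for g in member_of(data)}
    return group.lower() in groups
```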

  • Hi Kevin,

    Thanks for the feedback! It was a great help to me but I still have one problem. The LDAP configuration is not managed by us so we can't change anything on this server. With an ldapsearch I verified the responses from our LDAP queries and I couldn't find an LDAP attribute memberOf. So I asked how I can verify if a user belongs to a specific group, and for that I need to go to the following directory: cn=groupname,ou=groups;dc=base. In this directory I need to search for the username. So is it possible after authentication that I can verify a specific directory for a dynamic CN entry?

    Regards,

    J
  • On the ACA LDAP Configuration page, the "Remote LDAP Tree" is the starting point of the search, so you'd enter "cn=groupname,ou=groups,dc=base" here. You can use the Login Attribute to specify which field you're looking for, in this case I'm guessing "cn".

    So are you just trying to determine if the user exists in this path?
  • Actually we first need to verify if the user exists and the authentication is successful, and then we need to determine if he is in the correct group. So I think we need to execute 2 different LDAP queries.

  • The LDAP authentication will return a plethora of LDAP data about the user if the user exists. If you need to authenticate the user via LDAP and then search in a completely different place for group membership, then potentially you would need to run multiple queries.