F5 is upgrading its customer support chat feature on My.F5.com. Chat support will be unavailable from 6am-10am PST on 1/20/26. Refer to K000159584 for details.

Forum Discussion

Jeroen_V_95572's avatar
Jeroen_V_95572
Icon for Nimbostratus rankNimbostratus
Oct 18, 2012

LDAP authentication on multiple URL's

All,     I have a configuration request regarding LDAP authentication and authentication profiles. At this moment we have a working configuration with LDAP authentication but only for one app...
config
design
Kevin_Stewart's avatar
Kevin_Stewart
Icon for Employee rankEmployee
Oct 19, 2012
I believe you're talking about LDAP via the ACA module, in which case the mechanism is controlled by an iRule. There's a few things you'll need to do:

1. If you're using the default _sys_auth_ldap iRule, make a copy of that and edit the copy.

2. In your HTTP_REQUEST event, ensure that you subscribe to the AUTH response (no matter what) using the AUTH::subscribe command.

3. An LDAP auth will trigger the AUTH_RESULT event. Once you've subscribed, if the auth was successful, you'll have an object called AUTH::response_data that will be filled with name-value pairs of LDAP attributes. You'll want to use the "ldap:attr:memberOf" property(ies) of that object to get group membership information. Now here's where it gets tricky. The examples in the wiki for using AUTH::response_data (https://devcentral.f5.com/wiki/iRules.AUTH__response_data.ashx) all create arrays to make accessing the name-value pairs easier. Unfortunately though, the "ldap:attr:memberOf" attributes will be listed as separate pairs with the same name property, so creating an array will only allow one of the pairs to be stored because you can't have duplicate indexes in the array. To get around this you need to keep it in list format, search through the list for "ldap:attr:memberOf", and store the value immediately after that one in the list. Here's an example: 


when AUTH_RESULT {
    if { [AUTH::response_data] contains "ldap" } {
         Search for the ldap:attr:memberOf (list) properties in the returned successful LDAP auth/query
        set memberOf [list]
        foreach x [lsearch -all [AUTH::response_data] "ldap:attr:memberOf"] {
            lappend memberOf [lindex [AUTH::response_data] [expr $x + 1]]
        }
         The memberOf variable will now contain a list of LDAP memberOf properties. Do something with this information.
        ... 
    }
}

At the end of this you'll have a list named "memberOf" that will contain the user's group memberships.

ex.

CN=foogroup,CN=Users,DC=MYDOMAIN,DC=COM

CN=bargroup,CN=Users,DC=MYDOMAIN,DC=COM

CN=testgroup,CN=Users,DC=MYDOMAIN,DC=COM

You can now process access requests based on the values in this list. Make sure you store the list so that you can use it across TCP connections.

Alternatively you could just search the AUTH::response_data object for a specific group membership string.

Hope this helps.