Forum Discussion
Tom_Anderson_91
Nimbostratus
Nov 26, 2009
LDAP authentication with specific attribute
We have a situation where we need to do URL authentication based on the makeup of a URL. For example, a URL containing the string "a-" should be accessible to staff only, and a URL containing the string "b-" should be accessible to staff and students.
We have had this working for some time based on OUs in our LDAP - which has been fine, as any students who were also staff (and vice versa) had a separate account for the other login.
Recently we implemented a single sign-on - so now staff members who enrol as a student keep their existing staff login, but have an attribute added in LDAP to identify them as such.
We're able to authenticate the b- URLs correctly still with this method, as any valid account is permissible. It's the a- URLs that are causing trouble. We need to allow authentication to these URLs only to users in LDAP that contain a particular attribute. This attribute is called staff - and will have a value of 1 for any valid staff member.
I have tried to use staff=1 in the filter field on the LDAP configuration; however, it doesn't allow authentication at all with this set. I'm not even sure if this is the correct syntax, if this is the correct usage for this field or even if it's possible to do what I want, so any advice is most welcome!
Thanks in advance,
Tom
hoolio
Cirrostratus
Hi Tom,

Tom_Anderson_91
Nimbostratus
Aaron - this is one of my colleagues! That was posted back when we were trying to nut out how to differentiate the authentication based on the URL. We have that part working now (using iRules and two authentication profiles) and it has been reliable in production for us for some months.

Tom_Anderson_91
Nimbostratus
I'll see what I can do about posting up the configs we used in the other thread, too.

Tom_Anderson_91
Nimbostratus
Bump. Is this possible?

hoolio
Cirrostratus
It looks like v10.0.1 offers some fairly comprehensive config options for validating specific LDAP attributes, including a field named Role Key:

Tom_Anderson_91
Nimbostratus
Hi Aaron.

hoolio
Cirrostratus
Hi Tom,

hoolio
Cirrostratus
I tried testing this today, but couldn't get the first auth profile working! Here is a copy of the test config:

hoolio
Cirrostratus
So the fix for that problem was just setting a group attribute to "member" on the auth config:

Tom_Anderson_91
Nimbostratus
We use some iRule magic to make the multiple authentication profiles happen. First off we specify both the authentication profiles in the VIP configuration. Each authentication profile is tied to an iRule which looks as follows (the AUTH start is different based on the auth profile used). As you'll see, this ensures the iRule only executes with a matching URL. The other iRule (tied to the other auth profile) contains the /b- URL search.

```tcl
# Provides authentication for URLs containing a-.
when HTTP_REQUEST {
    if {[HTTP::path] contains "/a-"} {
        # Start a session against the staff-only LDAP auth config and hand it
        # the HTTP Basic credentials carried by the request.
        set tmm_auth_ldap_sid [AUTH::start pam ldaps-staffonly]
        AUTH::username_credential $tmm_auth_ldap_sid [HTTP::username]
        AUTH::password_credential $tmm_auth_ldap_sid [HTTP::password]
        AUTH::authenticate $tmm_auth_ldap_sid
        # Hold the request until one of the AUTH_* events below decides it.
        HTTP::collect
    }
}
when AUTH_SUCCESS {
    # Act only on events for the session this iRule started; the iRule tied to
    # the other auth profile handles its own. The info exists guard stops the
    # comparison from raising a Tcl error on connections where HTTP_REQUEST
    # above never set the variable (e.g. a /b- request on the same virtual).
    if {[info exists tmm_auth_ldap_sid] && $tmm_auth_ldap_sid eq [AUTH::last_event_session_id]} {
        HTTP::release
    }
}
when AUTH_FAILURE {
    if {[info exists tmm_auth_ldap_sid] && $tmm_auth_ldap_sid eq [AUTH::last_event_session_id]} {
        HTTP::respond 401
    }
}
when AUTH_WANTCREDENTIAL {
    # No credentials were supplied. A bare 401 is returned here; a browser
    # only prompts for Basic credentials if the response also carries a
    # WWW-Authenticate header.
    if {[info exists tmm_auth_ldap_sid] && $tmm_auth_ldap_sid eq [AUTH::last_event_session_id]} {
        HTTP::respond 401
    }
}
when AUTH_ERROR {
    if {[info exists tmm_auth_ldap_sid] && $tmm_auth_ldap_sid eq [AUTH::last_event_session_id]} {
        HTTP::respond 401
    }
}
```
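An added example, not code from this thread or from F5, to show what the original question was reaching for: an LDAP filter that gates the /a- area on the user's own entry carrying staff=1, while /b- accepts any valid account. The login name is taken from an untrusted HTTP request, so it is hex-escaped per RFC 4515 before it is spliced into the filter; the example goes one step beyond the thread and shows why, by evaluating an unescaped wildcard as well. The attribute names `uid` and `staff`, the directory entries, and the paths are constructed for the demo; the evaluator only understands the two filter shapes built here and is not a general LDAP filter engine.

```python
import re
from typing import Dict, List, Optional

# RFC 4515 section 3: characters that must be hex-escaped inside an assertion
# value. Any login name copied from a request goes through this first.
_ESCAPE = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value: str) -> str:
    return "".join(_ESCAPE.get(ch, ch) for ch in value)


def required_filter(path: str, username: str) -> str:
    """LDAP filter that must match the user's entry for this URL.

    /a- URLs: the account must also carry staff=1 (the thread's staff flag).
    Everything else, including /b-: any valid account.
    The attribute names are assumptions; adjust them to your directory.
    """
    user = escape_filter_value(username)
    if "/a-" in path:
        return f"(&(uid={user})(staff=1))"
    return f"(uid={user})"


# One equality clause, (attr=value). Values may carry \XX escapes and, if they
# were NOT escaped, bare '*' wildcards.
_CLAUSE = re.compile(r"\(([A-Za-z][A-Za-z0-9-]*)=([^()]*)\)")


def _unescape(piece: str) -> str:
    return re.sub(r"\\([0-9A-Fa-f]{2})", lambda m: chr(int(m.group(1), 16)), piece)


def _value_matches(pattern: str, actual: Optional[str]) -> bool:
    if actual is None:
        return False
    # Bare '*' is a wildcard; '\2a' becomes a literal asterisk after unescaping.
    literal = [re.escape(_unescape(p)) for p in pattern.split("*")]
    return re.fullmatch(".*".join(literal), actual) is not None


def evaluate(filter_str: str, entry: Dict[str, str]) -> bool:
    """Evaluate the two shapes required_filter() produces against one entry.

    Anything else, including a filter broken by an unescaped ')', is refused.
    """
    body = filter_str[2:-1] if filter_str.startswith("(&") else filter_str
    clauses = _CLAUSE.findall(body)
    if not clauses or "".join(f"({a}={v})" for a, v in clauses) != body:
        return False
    return all(_value_matches(v, entry.get(a)) for a, v in clauses)


# Constructed directory for the demo, not real accounts.
DIRECTORY: List[Dict[str, str]] = [
    {"uid": "alice", "staff": "1"},                  # staff
    {"uid": "bob"},                                  # student
    {"uid": "carol", "staff": "1", "student": "1"},  # staff who enrolled as a student
]


def authorize(path: str, username: str, directory: List[Dict[str, str]] = DIRECTORY) -> bool:
    flt = required_filter(path, username)
    return any(evaluate(flt, e) for e in directory)


if __name__ == "__main__":
    for path, user in [("/a-payroll", "alice"), ("/a-payroll", "bob"),
                       ("/b-timetable", "bob"), ("/a-payroll", "carol"),
                       ("/a-payroll", "*")]:
        print(f"{user:6} {path:13} -> {authorize(path, user)}")
```

Carol, the staff member who also enrolled as a student, keeps her /a- access because the check is on her own entry's staff attribute rather than on which OU she sits in, which is the behaviour the thread wanted after single sign-on. The last line of the demo is the reason for the escaping: a login of `*` becomes `\2a` and matches nobody, whereas the same filter built without escaping, `(&(uid=*)(staff=1))`, matches every staff entry.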