Forum Discussion
Tom_Anderson_91
Nimbostratus
Nov 26, 2009
LDAP authentication with specific attribute
We have a situation where we need to do URL authentication based on the makeup of a URL. For example, a URL containing the string "a-" should be accessible to staff only, and a URL containing the stri...
Tom_Anderson_91
Nimbostratus
Dec 11, 2009
We use some iRule magic to make the multiple authentication profiles happen. First off we specify both the authentication profiles in the VIP configuration. Each authentication profile is tied to an iRule which looks as follows (the AUTH start is different based on the auth profile used). As you'll see this ensures the iRule only executes with a matching URL. The other iRule (tied to the other auth profile) contains the /b- URL search.
    # Provides authentication for URLs containing a-.
    when HTTP_REQUEST {
        if {[HTTP::path] contains "/a-"} {
            # Start an auth session against the staff-only LDAP profile
            set tmm_auth_ldap_sid [AUTH::start pam ldaps-staffonly]
            AUTH::username_credential $tmm_auth_ldap_sid [HTTP::username]
            AUTH::password_credential $tmm_auth_ldap_sid [HTTP::password]
            AUTH::authenticate $tmm_auth_ldap_sid
            # Hold the request until an AUTH_* event reports the result
            HTTP::collect
        }
    }
    when AUTH_SUCCESS {
        if {$tmm_auth_ldap_sid eq [AUTH::last_event_session_id]} {
            # Credentials accepted: let the held request through
            HTTP::release
        }
    }
    when AUTH_FAILURE {
        if {$tmm_auth_ldap_sid eq [AUTH::last_event_session_id]} {
            HTTP::respond 401
        }
    }
    when AUTH_WANTCREDENTIAL {
        if {$tmm_auth_ldap_sid eq [AUTH::last_event_session_id]} {
            HTTP::respond 401
        }
    }
    when AUTH_ERROR {
        if {$tmm_auth_ldap_sid eq [AUTH::last_event_session_id]} {
            HTTP::respond 401
        }
    }
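An added example, not part of the original post: a small offline model of the `[HTTP::path] contains "/a-"` routing test, used to audit which request paths start exactly one auth session, none, or both. The second profile name is a placeholder (the post does not give it) and the sample paths are constructed.

```python
# Added example: offline model of the iRule test `[HTTP::path] contains "/a-"`.
# Tcl's `contains` is a case-sensitive substring match, like Python's `in`.

# Marker -> auth profile. "ldaps-staffonly" is from the post; the second
# profile name is a placeholder because the post does not name it.
RULES = {
    "/a-": "ldaps-staffonly",
    "/b-": "SECOND-PROFILE-PLACEHOLDER",
}

# Constructed sample paths, not taken from the thread.
SAMPLE_PATHS = [
    "/a-reports/index.html",   # intended staff-only URL
    "/b-portal/login",         # intended URL for the other profile
    "/public/a-z.html",        # marker appears deeper in the path
    "/A-reports/index.html",   # different case, so no substring match
    "/b-portal/a-notes.html",  # carries both markers
    "/index.html",             # carries neither marker
]


def profiles_for(path, rules=RULES):
    """Profiles whose iRule would call AUTH::start for this path."""
    return [profile for marker, profile in rules.items() if marker in path]


def audit(paths, rules=RULES):
    """Bucket paths by how many iRules would start an auth session.

    single   -> exactly one profile gates the request
    none     -> neither iRule starts a session, so the request is not held
    multiple -> both iRules start a session for the same request
    """
    report = {"single": [], "none": [], "multiple": []}
    for path in paths:
        hits = profiles_for(path, rules)
        bucket = "none" if not hits else "single" if len(hits) == 1 else "multiple"
        report[bucket].append((path, hits))
    return report


if __name__ == "__main__":
    for bucket, rows in audit(SAMPLE_PATHS).items():
        for path, hits in rows:
            print(f"{bucket:8} {path:26} {', '.join(hits) or '-'}")
```

Paths in the `none` and `multiple` buckets are the ones to review against the intended access policy before relying on the two iRules.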