Tom_Anderson_91
Nov 26, 2009

LDAP authentication with specific attribute

We have a situation where we need to do URL authentication based on the makeup of a URL. For example, a URL containing the string "a-" should be accessible to staff only, and a URL containing the string "b-" should be accessible to staff and students.

We have had this working for some time based on OUs in our LDAP, which has been fine, as any students who were also staff (and vice versa) had a separate account for the other login.

Recently we implemented a single sign-on, so now staff members who enrol as a student keep their existing staff login, but have an attribute added in LDAP to identify them as such.

We're able to authenticate the b- URLs correctly still with this method, as any valid account is permissible. It's the a- URLs that are causing trouble. We need to allow authentication to these URLs only to users in LDAP that contain a particular attribute. This attribute is called staff, and will have a value of 1 for any valid staff member.

I have tried to use staff=1 in the filter field on the LDAP configuration; however, it doesn't allow authentication at all with this set. I'm not even sure if this is the correct syntax, if this is the correct usage for this field, or even if it's possible to do what I want, so any advice is very welcome!

Thanks in advance,

Tom
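The question turns on what a valid LDAP search filter looks like. RFC 4515 requires every filter item to be wrapped in parentheses, so a bare `staff=1` is not a well-formed filter, while `(staff=1)` is; and the same users can be selected through a group attribute instead of a custom flag. The following is an added example written for this thread, not code from the original posters or from F5: a small RFC 4515 filter parser and matcher run against a constructed directory. The `staff` attribute, the `memberOf` group DNs and the three user entries are assumptions made up for illustration; how a particular product's "filter" field consumes the string is not something this example can tell you.

```python
"""Minimal RFC 4515 LDAP search-filter parser and matcher (added example).

Supports equality (attr=value), presence (attr=*), and the &, | and ! operators,
which is enough to show why "staff=1" is rejected while "(staff=1)" works.
All directory entries below are constructed sample data.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

Entry = Dict[str, List[str]]  # attribute name -> values (LDAP attributes are multi-valued)


@dataclass
class Node:
    op: str                    # "&", "|", "!", "=" or "present"
    attr: str = ""
    value: str = ""
    children: List["Node"] = field(default_factory=list)


class FilterError(ValueError):
    """Raised for a filter string that does not follow RFC 4515 syntax."""


def parse_filter(text: str) -> Node:
    """Parse a complete filter; every (sub)filter must be parenthesised."""
    node, pos = _parse(text, 0)
    if pos != len(text):
        raise FilterError(f"trailing characters at offset {pos}: {text[pos:]!r}")
    return node


def _parse(text: str, pos: int) -> Tuple[Node, int]:
    if pos >= len(text) or text[pos] != "(":
        raise FilterError(f"expected '(' at offset {pos} in {text!r}")
    pos += 1
    if pos >= len(text):
        raise FilterError("unterminated filter")
    if text[pos] in "&|":                       # AND / OR over one or more sub-filters
        op, pos, children = text[pos], pos + 1, []
        while pos < len(text) and text[pos] == "(":
            child, pos = _parse(text, pos)
            children.append(child)
        if not children:
            raise FilterError(f"'{op}' needs at least one operand")
        node = Node(op=op, children=children)
    elif text[pos] == "!":                      # NOT over exactly one sub-filter
        child, pos = _parse(text, pos + 1)
        node = Node(op="!", children=[child])
    else:                                       # simple item: attr=value or attr=*
        end = text.find(")", pos)
        if end < 0:
            raise FilterError("unterminated filter item")
        attr, sep, value = text[pos:end].partition("=")   # split on the FIRST '=' only:
        if not sep or not attr:                           # DN values such as memberOf contain '='
            raise FilterError(f"bad filter item {text[pos:end]!r}")
        node = Node(op="present", attr=attr) if value == "*" else Node(op="=", attr=attr, value=value)
        pos = end
    if pos >= len(text) or text[pos] != ")":
        raise FilterError(f"expected ')' at offset {pos} in {text!r}")
    return node, pos + 1


def _values(entry: Entry, attr: str) -> List[str]:
    # attribute names are case-insensitive in LDAP
    return next((v for k, v in entry.items() if k.lower() == attr.lower()), [])


def matches(node: Node, entry: Entry) -> bool:
    if node.op == "&":
        return all(matches(c, entry) for c in node.children)
    if node.op == "|":
        return any(matches(c, entry) for c in node.children)
    if node.op == "!":
        return not matches(node.children[0], entry)
    if node.op == "present":
        return bool(_values(entry, node.attr))
    # equality with case-insensitive matching, adequate for the flag and DN values used here
    return any(v.lower() == node.value.lower() for v in _values(entry, node.attr))


# Constructed sample directory (assumed attribute names and DNs, not real data).
DIRECTORY: Dict[str, Entry] = {
    "uid=alice,ou=people,dc=example,dc=edu": {
        "uid": ["alice"], "objectClass": ["person"], "staff": ["1"],
        "memberOf": ["cn=staff,ou=groups,dc=example,dc=edu"]},
    "uid=bob,ou=people,dc=example,dc=edu": {          # student only: no staff attribute
        "uid": ["bob"], "objectClass": ["person"],
        "memberOf": ["cn=students,ou=groups,dc=example,dc=edu"]},
    "uid=carol,ou=people,dc=example,dc=edu": {        # staff member who also enrolled as a student
        "uid": ["carol"], "objectClass": ["person"], "staff": ["1"],
        "memberOf": ["cn=staff,ou=groups,dc=example,dc=edu",
                     "cn=students,ou=groups,dc=example,dc=edu"]},
}


def search(filter_text: str) -> List[str]:
    """Return the uids of entries matching the filter (a stand-in for a real LDAP search)."""
    node = parse_filter(filter_text)
    return [e["uid"][0] for e in DIRECTORY.values() if matches(node, e)]


def is_valid_filter(filter_text: str) -> bool:
    try:
        parse_filter(filter_text)
        return True
    except FilterError:
        return False
```

Running `search("(staff=1)")` and `search("(memberOf=cn=staff,ou=groups,dc=example,dc=edu)")` both return alice and carol, the two staff accounts, while `is_valid_filter("staff=1")` is false because the item lacks its parentheses. Note that carol, the staff member who also enrolled, is selected by the staff filter while still being a member of the students group, which is the single sign-on case the thread describes.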

12 Replies

  • If you get a chance, could you post an anonymized copy of your auth profiles from the bigip.conf file?

  • I don't have direct console access, so it makes it difficult to obtain this information; however, I will be able to get it, it just may take some time.
  • On closer inspection, I may have been trying to be too complicated with this. Turns out we also have a group structure within our LDAP (which I was led to believe we didn't have previously) so I can query the group, which will make life a whole lot simpler.