Forum Discussion
frank_30469
Nimbostratus
May 13, 2011
ldap authentication
Hello,
I have a problem with an iRule for ldap authentication.
All related info is asked and returned from the ldap, but sometimes, not all information is forwarded to the backend webserver.
Does anyone have any information about how to troubleshoot this? Or an update to the iRule?
This is the iRule:
when RULE_INIT {
    set tmm_auth_subscription "*"
}
when HTTP_REQUEST {
    AUTH::subscribe $tmm_auth_sid
    # Decode the Basic Authorization header value and split it on ":"
    set Auth [b64decode [substr "[HTTP::header values Authorization]" 7 "\}"]]
    # Debug logging; note that this writes the decoded password to the log
    set User [getfield $Auth ":" 1]
    log local0. "User $User"
    set Pass [getfield $Auth ":" 2]
    log local0. "Pass $Pass"
    set Email [getfield $Auth ":" 3]
    log local0. "Email $Email"
    set Code [getfield $Auth ":" 4]
    log local0. "Code $Code"
    set CityName [getfield $Auth ":" 5]
    log local0. "ProxyCityName $CityName"
    set StreetName [getfield $Auth ":" 6]
    log local0. "StreetName $StreetName"
    set Name [getfield $Auth ":" 7]
    log local0. "Name $Name"
}
when AUTH_RESULT {
    set mystatus [AUTH::status]
    log local0. "mystatus"
    log local0. $mystatus
    # Copy the LDAP attributes returned with the auth result into variables
    array set auth_response_data [AUTH::response_data]
    log local0. "AUTH::reponse_data"
    set arraydata [lindex [array get auth_response_data ldap:attr:sAMAccountName] 1]
    log local0. $arraydata
    set arraydata2 [lindex [array get auth_response_data ldap:attr:st] 1]
    log local0. $arraydata2
    set arraydata3 [lindex [array get auth_response_data ldap:attr:mail] 1]
    log local0. $arraydata3
    set arraydata4 [lindex [array get auth_response_data ldap:attr:postOfficeBox] 1]
    log local0. $arraydata4
    set arraydata5 [lindex [array get auth_response_data ldap:attr:l] 1]
    log local0. $arraydata5
    set arraydata6 [lindex [array get auth_response_data ldap:attr:streetAddress] 1]
    log local0. $arraydata6
    set arraydata7 [lindex [array get auth_response_data ldap:attr:name] 1]
    log local0. $arraydata7
    log local0. "arraydata"
    log local0. $arraydata
    set sizearray [array size arraydata]
    log local0. "arraysize"
    log local0. $sizearray
    # Status 0 means authentication succeeded: pass the attributes to the backend as headers
    if { $mystatus eq 0 } {
        HTTP::header insert X-USERID $arraydata
        HTTP::header insert X-USERGROUP $arraydata2
        HTTP::header insert X-EMAIL $arraydata3
        HTTP::header insert X-CODE $arraydata4
        HTTP::header insert X-CITYNAME $arraydata5
        HTTP::header insert X-STREETNAME $arraydata6
        HTTP::header insert X-NAME $arraydata7
        log local0. "passed if string"
    }
}
2 Replies
- hoolio
Cirrostratus
Hi Frank,
What do you see logged to /var/log/ltm when the issue occurs? Which LTM version are you using the iRule on?
Aaron
- frank_30469
Nimbostratus
Aaron,
we are using version 10.2.
In the ltm log file, when the wrong screen appears, all attributes are cleared, so nothing is forwarded to the backend server.
Some other thing I noticed yesterday evening, when checking the packet traces between the F5 and the LDAP server, I noticed that when the wrong screen appeared, the F5 is not sending a SearchRequest to the LDAP server. I'm currently in contact with F5 support to see if that may be the problem and how to solve it.