Forum Discussion

Robert_Decker_2
Mar 06, 2006

LDAP redirect not working

How do you redirect _sys_auth_ldap? I've tried the following (x.x.x.x is the IP address of the web page I created):

replace HTTP::respond 401 with HTTP::respond "http://x.x.x.x"

under the AUTH_Failure section

or keep HTTP::respond 401 and add the following to the rule:

    when HTTP_RESPONSE {
        if { [HTTP::status] contains "401"} {
            HTTP::redirect "http://x.x.x.x"
        }
    }

I cannot redirect the page either way. The page becomes blank after I've failed three logins.

Thank you for your help,

Rob
  • Colin_Walker_12
    Historic F5 Account
    I'd recommend taking a look at the complete HTTP::respond syntax. You can see that in the iRules Wiki, here: Click here

    I think what you're looking for is a 3xx redirect response, along with the response you want to send to the client.

    Something like:

    
    HTTP::respond 302 Location "http://new.location.net/app"

    Check out the info and see if that helps.

    As an fyi, there's also a pretty good list of the HTTP status codes and their definitions over at w3c.org: Click here

    HTH,

    -Colin
  • Thank you for the help Colin! I have been able to use your suggestion; however, I am now having problems trying to place it in the iRule. I believe that I need to replace "HTTP::respond 401" with "HTTP::respond 302 Location "http://x.x.x.x"", but have not been able to do it successfully. The only place where it fires is when I replace the last "HTTP::respond 401" under "when AUTH_WANTCREDENTIAL". The iRule then redirects right away without prompting for username/password. Could you/anyone tell me where this is best suited?

    when AUTH_SUCCESS {
        if {$tmm_auth_http_sids(ldap) eq [AUTH::last_event_session_id]} {
            incr tmm_auth_http_successes
            if {[info exists tmm_auth_http_sufficient_successes]} {
                if {$tmm_auth_http_successes >= $tmm_auth_http_sufficient_successes} {
                    foreach {type sid} [array get tmm_auth_http_sids] {
                        if {$type ne "ldap" && $sid ne -1} {
                            AUTH::abort $sid
                            array set tmm_auth_http_sids [list $type -1]
                        }
                    }
                    set tmm_auth_http_collect_count 0
                    HTTP::release
                } else {
                    incr tmm_auth_http_collect_count -1
                    if {$tmm_auth_http_collect_count == 0} {
                        HTTP::respond 401
                    }
                }
            } else {
                incr tmm_auth_http_collect_count -1
                if {$tmm_auth_http_collect_count == 0} {
                    HTTP::release
                }
            }
        }
    }

    when AUTH_FAILURE {
        if {$tmm_auth_http_sids(ldap) eq [AUTH::last_event_session_id]} {
            if {[llength [array names tmm_auth_http_sids]] > 1} {
                if {[info exists tmm_auth_http_sufficient_successes]} {
                    incr tmm_auth_http_collect_count -1
                    if {$tmm_auth_http_collect_count == 0} {
                        HTTP::respond 401
                    }
                } else {
                    foreach {type sid} [array get tmm_auth_http_sids] {
                        if {$type ne "ldap" && $sid ne -1} {
                            AUTH::abort $sid
                            array set tmm_auth_http_sids [list $type -1]
                        }
                    }
                    set tmm_auth_http_collect_count 0
                    HTTP::respond 401
                }
            } else {
                set tmm_auth_http_collect_count 0
                HTTP::respond 401
            }
        }
    }

    when AUTH_WANTCREDENTIAL {
        if {$tmm_auth_http_sids(ldap) eq [AUTH::last_event_session_id]} {
            if {[llength [array names tmm_auth_http_sids]] > 1} {
                if {[info exists tmm_auth_http_sufficient_successes]} {
                    incr tmm_auth_http_collect_count -1
                    if {$tmm_auth_http_collect_count == 0} {
                        HTTP::respond 401
                    }
                } else {
                    foreach {type sid} [array get tmm_auth_http_sids] {
                        if {$type ne "ldap" && $sid ne -1} {
                            AUTH::abort $sid
                            array set tmm_auth_http_sids [list $type -1]
                        }
                    }
                    set tmm_auth_http_collect_count 0
                    HTTP::respond 401
                }
            } else {
                set tmm_auth_http_collect_count 0
                HTTP::respond 401
            }
        }
    }

    when AUTH_ERROR {
        if {$tmm_auth_http_sids(ldap) eq [AUTH::last_event_session_id]} {
            if {[llength [array names tmm_auth_http_sids]] > 1} {
                if {[info exists tmm_auth_http_sufficient_successes]} {
                    incr tmm_auth_http_collect_count -1
                    if {$tmm_auth_http_collect_count == 0} {
                        HTTP::respond 401
                    }
                } else {
                    foreach {type sid} [array get tmm_auth_http_sids] {
                        if {$type ne "ldap" && $sid ne -1} {
                            AUTH::abort $sid
                            array set tmm_auth_http_sids [list $type -1]
                        }
                    }
                    set tmm_auth_http_collect_count 0
                    HTTP::respond 401
                }
            } else {
                set tmm_auth_http_collect_count 0
                HTTP::respond 401
            }
        }
    }

    Thank you for your help,

    Rob

     

  • Colin_Walker_12
    Historic F5 Account
    Didn't you want to change this under the AUTH_FAILURE section? Did you try that already and I misunderstood your posting?

    -Colin
  • I've added the redirect line in place of the last HTTP::respond line in Auth Failure. This seems to be working now (had other issues I'm troubleshooting). Was this the correct placing? The rule seems to work as long as a username and password are present. I was trying to trigger the rule by adding a username and leaving the password area blank (this never worked). Does PAM require both to be a valid attempt? What happens when a blank password is entered 3 times (the page becomes blank)?

    when AUTH_SUCCESS {
        if {$tmm_auth_http_sids(ldap) eq [AUTH::last_event_session_id]} {
            incr tmm_auth_http_successes
            if {[info exists tmm_auth_http_sufficient_successes]} {
                if {$tmm_auth_http_successes >= $tmm_auth_http_sufficient_successes} {
                    foreach {type sid} [array get tmm_auth_http_sids] {
                        if {$type ne "ldap" && $sid ne -1} {
                            AUTH::abort $sid
                            array set tmm_auth_http_sids [list $type -1]
                        }
                    }
                    set tmm_auth_http_collect_count 0
                    HTTP::release
                } else {
                    incr tmm_auth_http_collect_count -1
                    if {$tmm_auth_http_collect_count == 0} {
                        HTTP::respond 401
                    }
                }
            } else {
                incr tmm_auth_http_collect_count -1
                if {$tmm_auth_http_collect_count == 0} {
                    HTTP::release
                }
            }
        }
    }

    when AUTH_FAILURE {
        if {$tmm_auth_http_sids(ldap) eq [AUTH::last_event_session_id]} {
            if {[llength [array names tmm_auth_http_sids]] > 1} {
                if {[info exists tmm_auth_http_sufficient_successes]} {
                    incr tmm_auth_http_collect_count -1
                    if {$tmm_auth_http_collect_count == 0} {
                        HTTP::respond 401
                    }
                } else {
                    foreach {type sid} [array get tmm_auth_http_sids] {
                        if {$type ne "ldap" && $sid ne -1} {
                            AUTH::abort $sid
                            array set tmm_auth_http_sids [list $type -1]
                        }
                    }
                    set tmm_auth_http_collect_count 0
                    HTTP::respond 401
                }
            } else {
                set tmm_auth_http_collect_count 0
                HTTP::respond 302 Location "http://x.x.x.x"
            }
        }
    }

    when AUTH_WANTCREDENTIAL {
        if {$tmm_auth_http_sids(ldap) eq [AUTH::last_event_session_id]} {
            if {[llength [array names tmm_auth_http_sids]] > 1} {
                if {[info exists tmm_auth_http_sufficient_successes]} {
                    incr tmm_auth_http_collect_count -1
                    if {$tmm_auth_http_collect_count == 0} {
                        HTTP::respond 401
                    }
                } else {
                    foreach {type sid} [array get tmm_auth_http_sids] {
                        if {$type ne "ldap" && $sid ne -1} {
                            AUTH::abort $sid
                            array set tmm_auth_http_sids [list $type -1]
                        }
                    }
                    set tmm_auth_http_collect_count 0
                    HTTP::respond 401
                }
            } else {
                set tmm_auth_http_collect_count 0
                HTTP::respond 401
            }
        }
    }

    when AUTH_ERROR {
        if {$tmm_auth_http_sids(ldap) eq [AUTH::last_event_session_id]} {
            if {[llength [array names tmm_auth_http_sids]] > 1} {
                if {[info exists tmm_auth_http_sufficient_successes]} {
                    incr tmm_auth_http_collect_count -1
                    if {$tmm_auth_http_collect_count == 0} {
                        HTTP::respond 401
                    }
                } else {
                    foreach {type sid} [array get tmm_auth_http_sids] {
                        if {$type ne "ldap" && $sid ne -1} {
                            AUTH::abort $sid
                            array set tmm_auth_http_sids [list $type -1]
                        }
                    }
                    set tmm_auth_http_collect_count 0
                    HTTP::respond 401
                }
            } else {
                set tmm_auth_http_collect_count 0
                HTTP::respond 401
            }
        }
    }

    Thank you for your help,

    Rob