
Forum Discussion

David_Stout
May 27, 2016

LTM + APM + LDAP iRule help needed

Hi All,

I'm stuck on something and need some assistance. We have an old V10 service that uses the old LTM Auth module to perform an LDAP lookup of a user that's listed in a datagroup. If the user is present in the datagroup, then the old LDAP Auth profile performs a username/password lookup against the LDAP service before passing on the HTTP request to the pool member if authenticated. I'm trying to move this function to V11, and as the LDAP Auth Profile is no longer in the LTM, I'm attempting to do this via the APM. I've almost got it working, but the requests are not being passed through to the pool member and I'm getting an APM default session finished page.

So why am I getting the session finished page instead of the HTTP request being sent to the pool and then the result being displayed in the browser? Pretty stuck at the moment, as nothing seems to work. I would like to have users only prompted to log in once too.

    when CLIENT_ACCEPTED {
        # One APM session per client connection; its id is used for policy evaluation below
        set flow_sid [ACCESS::session create -timeout 600 -lifetime 3600]
    }

    when HTTP_REQUEST {
        if { [HTTP::header value "Authorization"] eq "" } {
            # Challenge for Basic credentials; the realm value must be quoted inside the header
            HTTP::respond 401 "WWW-Authenticate" "Basic realm=\"Integration LDAP SOA Service\""
            # Without this return the rule falls through and evaluates the policy with empty credentials
            return
        }
        # contains matches if the username contains any key of the datagroup; equals would require an exact match
        if { [class match [HTTP::username] contains intldapesb_trusted_users] } {
            ACCESS::policy evaluate -sid $flow_sid -profile /Common/intldapesb.deloitte.com session.logon.last.username [HTTP::username] session.logon.last.password [HTTP::password]
            switch [ACCESS::policy result -sid $flow_sid] {
                "allow" {
                    log "INTLDAPESB Http Request for CrossBorderServiceExport accepted from user [HTTP::username]"
                    pool app0454_ema_int_soa_prv_443_intesb.deloitte.com_pool
                    return
                }
                "deny" {
                    HTTP::respond 200 content "LDAP Lookup failure!"
                }
                default {
                    # Tcl's fallback switch arm is the bare word default, not the string ".default"
                    HTTP::respond 200 content "Different result than expected - check your configuration. ($flow_sid)"
                }
            }
        }
    }

    when CLIENT_CLOSED {
        ACCESS::session remove -sid $flow_sid
        set flow_sid ""
    }

2 Replies

  • Hi,

    Did you set up an access profile within the Virtual Server? If yes, you should remove it.

  • Hi,

    I think that you should add a condition in your following check because otherwise, if the client does not send an Authorization header, you don't actually respond with a 401 to the client:

    if { !([HTTP::header exists "Authorization"]) or [HTTP::header value "Authorization"] eq "" } {
        HTTP::respond 401 "WWW-Authenticate" "Basic realm=\"Integration LDAP SOA Service\""
        return
    }
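Putting both replies together, here is an added example of the complete iRule (not code from the thread or from F5) that challenges on a missing or empty header, returns after the 401, creates the APM session only once credentials are presented, caches the verdict per connection so LDAP is queried once per connection, and re-challenges on deny instead of returning 200. It assumes the datagroup, access profile and pool names from the question, that no access profile is attached to the virtual server (first reply), and uses equals rather than contains for the datagroup match.

```tcl
when CLIENT_ACCEPTED {
    # Session is created only once credentials are presented, so unauthenticated probes do not consume APM sessions
    set flow_sid ""
    set authed 0
}

when HTTP_REQUEST {
    # Challenge when the header is missing or empty, and stop processing this request
    if { !([HTTP::header exists "Authorization"]) or [HTTP::header value "Authorization"] eq "" } {
        HTTP::respond 401 "WWW-Authenticate" "Basic realm=\"Integration LDAP SOA Service\""
        return
    }
    # Usernames not listed in the datagroup never reach LDAP (exact match, not substring)
    if { !([class match [HTTP::username] equals intldapesb_trusted_users]) } {
        HTTP::respond 403 content "Forbidden"
        return
    }
    # Verdict already cached on this connection: forward without another LDAP round trip
    if { $authed } {
        pool app0454_ema_int_soa_prv_443_intesb.deloitte.com_pool
        return
    }
    if { $flow_sid eq "" } {
        set flow_sid [ACCESS::session create -timeout 600 -lifetime 3600]
    }
    ACCESS::policy evaluate -sid $flow_sid -profile /Common/intldapesb.deloitte.com \
        session.logon.last.username [HTTP::username] \
        session.logon.last.password [HTTP::password]
    switch [ACCESS::policy result -sid $flow_sid] {
        "allow" {
            set authed 1
            log local0. "INTLDAPESB request accepted from user [HTTP::username]"
            pool app0454_ema_int_soa_prv_443_intesb.deloitte.com_pool
        }
        "deny" {
            # Drop the denied session and re-challenge; a 200 here would make the browser keep re-sending the rejected credentials
            ACCESS::session remove -sid $flow_sid
            set flow_sid ""
            HTTP::respond 401 content "LDAP lookup failure" "WWW-Authenticate" "Basic realm=\"Integration LDAP SOA Service\""
        }
        default {
            log local0. "Unexpected APM policy result for sid $flow_sid"
            HTTP::respond 500 content "Authentication backend error"
        }
    }
}

when CLIENT_CLOSED {
    if { $flow_sid ne "" } { ACCESS::session remove -sid $flow_sid }
}
```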