SSL client certificate LDAP authenticate before authorizing

Problem this snippet solves:

This iRule is a modification to the system F5 supported sys_auth_ssl_cc_ldap rule to serialize the process of SSL CC authentication followed by LDAP authorization. The F5 supported iRule performs the LDAP query in parallel with the client certificate verification resulting in some unneeded LDAP queries. This edit simply moves the LDAP authorization to the CLIENTSSL_HANDSHAKE event.


This iRule depends upon a licensed feature (Client Authentication) and specifically the SSL Client Certificate LDAP Authentication.

Code :

rule ssl_cc_ldap_authenticate_before_authorize {
        set tmm_auth_ssl_cc_ldap_sid 0
        set tmm_auth_ssl_cc_ldap_done 0
        if {$tmm_auth_ssl_cc_ldap_sid == 0} {
            set tmm_auth_ssl_cc_ldap_sid [AUTH::start pam default_ssl_cc_ldap]
            if {[info exists tmm_auth_subscription]} {
                AUTH::subscribe $tmm_auth_ssl_cc_ldap_sid
        AUTH::cert_credential $tmm_auth_ssl_cc_ldap_sid [SSL::cert 0]
        AUTH::authenticate $tmm_auth_ssl_cc_ldap_sid
    when AUTH_RESULT {
        if {[info exists tmm_auth_ssl_cc_ldap_sid] and ($tmm_auth_ssl_cc_ldap_sid == [AUTH::last_event_session_id])} {
            set tmm_auth_status [AUTH::status]
            if {$tmm_auth_status == 0} {
                set tmm_auth_ssl_cc_ldap_done 1
                SSL::handshake resume
            } elseif {$tmm_auth_status != -1 || $tmm_auth_ssl_cc_ldap_done == 0} {
Published Mar 18, 2015
Version 1.0

Was this article helpful?

No CommentsBe the first to comment