SSL client certificate LDAP authenticate before authorizing

Problem this snippet solves:

This iRule is a modification to the system F5 supported sys_auth_ssl_cc_ldap rule to serialize the process of SSL CC authentication followed by LDAP authorization. The F5 supported iRule performs the LDAP query in parallel with the client certificate verification resulting in some unneeded LDAP queries. This edit simply moves the LDAP authorization to the CLIENTSSL_HANDSHAKE event.

Dependencies

This iRule depends upon a licensed feature (Client Authentication) and specifically the SSL Client Certificate LDAP Authentication.

Code :

rule ssl_cc_ldap_authenticate_before_authorize {
   when CLIENT_ACCEPTED {
        set tmm_auth_ssl_cc_ldap_sid 0
        set tmm_auth_ssl_cc_ldap_done 0
    }
    when CLIENTSSL_HANDSHAKE {
        if {$tmm_auth_ssl_cc_ldap_sid == 0} {
            set tmm_auth_ssl_cc_ldap_sid [AUTH::start pam default_ssl_cc_ldap]
            if {[info exists tmm_auth_subscription]} {
                AUTH::subscribe $tmm_auth_ssl_cc_ldap_sid
            }
        }
        AUTH::cert_credential $tmm_auth_ssl_cc_ldap_sid [SSL::cert 0]
        AUTH::authenticate $tmm_auth_ssl_cc_ldap_sid
    }
    when AUTH_RESULT {
        if {[info exists tmm_auth_ssl_cc_ldap_sid] and ($tmm_auth_ssl_cc_ldap_sid == [AUTH::last_event_session_id])} {
            set tmm_auth_status [AUTH::status]
            if {$tmm_auth_status == 0} {
                set tmm_auth_ssl_cc_ldap_done 1
                SSL::handshake resume
            } elseif {$tmm_auth_status != -1 || $tmm_auth_ssl_cc_ldap_done == 0} {
                reject
            }
        }
    }
}
Published Mar 18, 2015
Version 1.0
application delivery
devops
iRules
security

Was this article helpful?

No CommentsBe the first to comment