LDAP Authentication iRule... HELP

Question

I am trying to write an iRule for an LDAP authentication profile.  The irule will take the value of a cookie from every request and use it as the username AND password for which it will then validate against LDAP.  I also want it to check to see if an existing session exist and allow the traffic based on the local session rather than querying LDAP for EVERY HTTP request.  &nbsp;
&nbsp;I took the Code Share iRule from http://devcentral.f5.com/wiki/default.aspx/iRules/ClientAuthUsingHTMLForms.html and altered it a bit to fit my scenario.  I have it working to the point that it is querying LDAP and if the cookie does not exist in the irule or if the cookie value is not valid then acces is denied.  The part that is not working is the creation and checking of the local session table.  It is querying LDAP for EVERY HTTP request.&nbsp;
&nbsp;There are certainly pieces to this irule that I do not understand so I am looking for help to understand how to create a session in the table and check that to see if a session exist for that user before querying LDAP.&nbsp;
&nbsp;when CLIENT_ACCEPTED {
&nbsp;  set forceauth 1
&nbsp;  set auth_status 2
&nbsp;  set ckname LDSDEVKEY
&nbsp;  set ckpass myPassword
&nbsp;  set asid [AUTH::start pam default_ldap]
&nbsp;}&nbsp;
&nbsp;when HTTP_REQUEST {
&nbsp;  if { [matchclass [HTTP::path] starts_with "/opensso"] } {
&nbsp;     Private URI, Auth Required
&nbsp;    if { [HTTP::header exists $ckname] } {
&nbsp;      set ldsdevkey [HTTP::header value $ckname]
&nbsp;      if { not ( $ldsdevkey equals "" ) } {
&nbsp;        log local0. "LDSDEVKEY=$ldsdevkey"
&nbsp;         retrieve the auth status from the session table
&nbsp;        set auth_status [session lookup uie $ldsdevkey]
&nbsp;      }
&nbsp;       If the auth status is 0 then the user is authenticated
&nbsp;      if { $auth_status eq 0 } {
&nbsp;        LDSDEVKEY &amp; Session Auth valid 
&nbsp;        set forceauth 0
&nbsp;      }
&nbsp;      if {$forceauth eq 1} {
&nbsp;      set auth_username $ldsdevkey
&nbsp;      set auth_password $ldsdevkey
&nbsp;      AUTH::username_credential $asid $auth_username
&nbsp;      AUTH::password_credential $asid $auth_password
&nbsp;      AUTH::authenticate $asid
&nbsp;      HTTP::collect
&nbsp;      }
&nbsp;    }
&nbsp;  }
&nbsp;}&nbsp;
&nbsp;when AUTH_SUCCESS {
&nbsp;  if {$asid eq [AUTH::last_event_session_id]} {
&nbsp;    
&nbsp;     Now the user has authenticated lets give them an encrypted cookie with their authID
&nbsp;     We'll also add the AUTH::status to a session entry with the authID as the key
&nbsp;     We can then re-direct the user to the page they originally asked for
&nbsp;    set authStatus [AUTH::status $asid] 
&nbsp;    session add uie $asid $authStatus 1800
&nbsp;  }
&nbsp;}&nbsp;
&nbsp;when AUTH_FAILURE {
&nbsp;  if {$asid eq [AUTH::last_event_session_id]} {
&nbsp;           HTTP::respond 200 content "Authentication Failed" 
&nbsp;  }
&nbsp;}&nbsp;
&nbsp;when AUTH_WANTCREDENTIAL {
&nbsp;  if {$asid eq [AUTH::last_event_session_id]} {
&nbsp;           HTTP::respond 200 content "Authentication Credentials not provided"
&nbsp;  }
&nbsp;}&nbsp;
&nbsp;when AUTH_ERROR {
&nbsp;  if {$asid eq [AUTH::last_event_session_id]} {
&nbsp;  HTTP::respond 200 content "Authentication Error"
&nbsp;  }
&nbsp;}

hooleylist · Answer

I think you'd want to use HTTP::cookie to get the value for a cookie--not HTTP::header.  I don't see where you're setting the cookie either.  Is the application doing this? 
&nbsp;  
&nbsp; Can you add debug logging to each major code block in HTTP_REQUEST and retest?  If you want help analyzing the log output, reply here with the updated iRule and anonymized logs. 
&nbsp;  
&nbsp; Thanks, Aaron

moe_jartin · Answer

Aaron,&nbsp;
&nbsp;Thanks again for your help.  I guess it is not really a cookie.  It is a custom header and, yes, the application will set this header.  I will add some logging and post the results.&nbsp;
&nbsp;Joe&nbsp;

moe_jartin · Answer

OK, apparently I was very confused.  Originally, I had tried the iRule mentioned above but never got it to work.  Sorry, I was working on this a while ago and then just came back to it and forgot what I had done.  
What I DO have working is an altered version of the built-in _sys_auth_ldap iRule:
when HTTP_REQUEST {
        set ldsdevkey [HTTP::header value LDSDEVKEY]
        if {not [info exists tmm_auth_http_sids(ldap)]} {
            set tmm_auth_sid [AUTH::start pam default_ldap]
            set tmm_auth_http_sids(ldap) $tmm_auth_sid
            if {[info exists tmm_auth_subscription]} {
                AUTH::subscribe $tmm_auth_sid
            }
        } else {
            set tmm_auth_sid $tmm_auth_http_sids(ldap)
        }
        AUTH::username_credential $tmm_auth_sid $ldsdevkey
        AUTH::password_credential $tmm_auth_sid $ldsdevkey
        AUTH::authenticate $tmm_auth_sid
        if {not [info exists tmm_auth_http_collect_count]} {
            HTTP::collect
            set tmm_auth_http_successes 0
            set tmm_auth_http_collect_count 1
        } else {
            incr tmm_auth_http_collect_count
        }
    }
    when AUTH_RESULT {
        if {not [info exists tmm_auth_http_sids(ldap)] or \
           ($tmm_auth_http_sids(ldap) != [AUTH::last_event_session_id]) or \
           (not [info exists tmm_auth_http_collect_count])} {
            return
        }
        if {[AUTH::status] == 0} {
            incr tmm_auth_http_successes
        }
         If multiple auth sessions are pending and
         one failure results in termination and this is a failure
         or enough successes have now occurred
        if {([array size tmm_auth_http_sids] &gt; 1) and \
            ((not [info exists tmm_auth_http_sufficient_successes] or \
             ($tmm_auth_http_successes &gt;= $tmm_auth_http_sufficient_successes)))} {
             Abort the other auth sessions
            foreach {type sid} [array get tmm_auth_http_sids] {
                unset tmm_auth_http_sids($type)
                if {($type ne "ldap") and ($sid != -1)} {
                    AUTH::abort $sid
                    incr tmm_auth_http_collect_count -1
                }
            }
        }
         If this is the last outstanding auth then either
         release or respond to this session
        incr tmm_auth_http_collect_count -1
        if {$tmm_auth_http_collect_count == 0} {
            unset tmm_auth_http_collect_count
            if {[AUTH::status] == 0} {
                HTTP::release
            } else {
                HTTP::respond 401
            }
        }
    }
So what I want to add to this is the "add a session when the user logs in, and check to see if a session already exist before querying LDAP" behavior from the CodeShare iRule I mentioned earlier.  (http://devcentral.f5.com/wiki/default.aspx/iRules/ClientAuthUsingHTMLForms.html) I just really have NO IDEA how to do this.  I am decent at HTTP iRules but this authentication is over my head.   Is this possible?
Thanks again,
Joe

hooleylist · Answer

Hi Joe, 
  
 If that rule is working for you and you just want to track successful auth attempts in the session table, you can try something like this.  Note that I haven't tested this--I just looked for the places where the AUTH::status result was checked and added the key to the session table.   
  
 I think you'd want to prevent a request which doesn't have the header set with a value.  I added a 401 response for this case, but you might want to change this.  Else, if there is a key, it's checked against the session table to see if auth has already been successful.

when HTTP_REQUEST {

Get the key value from the header
   set ldsdevkey [HTTP::header value LDSDEVKEY]

Do something if there is no value for the key?
   if {$ldsdevkey eq ""}{
      HTTP::respond 401
      return
   }

Check if there is an existing session for the key
   if {[session lookup uie $ldsdevkey] ne ""}{

There is an existing session for this key, so don't do any auth for this request
      return
   }
   if {not [info exists tmm_auth_http_sids(ldap)]} {
      set tmm_auth_sid [AUTH::start pam default_ldap]
      set tmm_auth_http_sids(ldap) $tmm_auth_sid
      if {[info exists tmm_auth_subscription]} {
         AUTH::subscribe $tmm_auth_sid
      }
   } else {
      set tmm_auth_sid $tmm_auth_http_sids(ldap)
   }
   AUTH::username_credential $tmm_auth_sid $ldsdevkey
   AUTH::password_credential $tmm_auth_sid $ldsdevkey
   AUTH::authenticate $tmm_auth_sid

if {not [info exists tmm_auth_http_collect_count]} {
      HTTP::collect
      set tmm_auth_http_successes 0
      set tmm_auth_http_collect_count 1
   } else {
      incr tmm_auth_http_collect_count
   }
}
when AUTH_RESULT {
   if {not [info exists tmm_auth_http_sids(ldap)] or \
      ($tmm_auth_http_sids(ldap) != [AUTH::last_event_session_id]) or \
      (not [info exists tmm_auth_http_collect_count])} {
      return
   }
   if {[AUTH::status] == 0} {

Auth was successful, so add the key to the session table
       The value doesn't matter, so use anything
      session add uie $ldsdevkey 1 1800

incr tmm_auth_http_successes
   }
    If multiple auth sessions are pending and
    one failure results in termination and this is a failure
    or enough successes have now occurred
   if {([array size tmm_auth_http_sids] &gt; 1) and \
      ((not [info exists tmm_auth_http_sufficient_successes] or \
       ($tmm_auth_http_successes &gt;= $tmm_auth_http_sufficient_successes)))} {
       Abort the other auth sessions
      foreach {type sid} [array get tmm_auth_http_sids] {
         unset tmm_auth_http_sids($type)
         if {($type ne "ldap") and ($sid != -1)} {
            AUTH::abort $sid
            incr tmm_auth_http_collect_count -1
         }
      }
   }

If this is the last outstanding auth then either
    release or respond to this session
   incr tmm_auth_http_collect_count -1
   if {$tmm_auth_http_collect_count == 0} {
      unset tmm_auth_http_collect_count
      if {[AUTH::status] == 0} {

Auth was successful, so add the key to the session table
          The value doesn't matter, so use anything
         session add uie $ldsdevkey 1 1800

HTTP::release
      } else {
         HTTP::respond 401
      }
   }
}

Aaron

moe_jartin · Answer

Aaron,&nbsp;
&nbsp;Wow!!???!!  Responding to Devcentral Forums at 1 AM??  I really appreciate it.  It looks like your changes to the irule are working perfectly but, I have a couple of questions to complete my testing and validation.  &nbsp;
&nbsp;1. I get a 401 response when either the LDSDEVKEY header is missing or not valid.  Perfect.
&nbsp;2. I do not see any requests to the LDAP server on subsequent request.  Unfortunately I didn't capture the intital request so I didn't see ANY queries.  But when I put the old irule on I see LDAP queries on every request.  So it appears that it is using the local session table.  Is there a way to view the session table?  A bigpipe shell command?  I tried "b conn all show"  but it was not there.  
&nbsp;3. In the line where you add the session, "session add uie $ldsdevkey 1 1800", from the irule wiki, 1800 is the time in seconds that the session will remain in the table.  Is this an absolute timer or an idle timer?&nbsp;
&nbsp;I will continue testing and post the final results.  Thanks again for all your help.&nbsp;
&nbsp;Joe&nbsp;

Forum Discussion

LDAP Authentication iRule... HELP

7 Replies

Recent Discussions

Need advise to setup a policy on F5

Web acceleration

What are the different phases in DevOps?

Create a CSR and Key using the BigIP LTM GUI when renewing a certificate

F5 Rseries HA

Related Content

Authentication: When LDAP fails

LDAP vs Active Directory Authentication performance.

APM LDAP auth agent ldap bind works but search fails..

IRule to manipulate an LDAP binds.

AD Authentication using multiple user attributes