iRule for knowing the user

Question

Hi,
&nbsp;     Can a LTM “know” – which user a request is coming from? It should know because it is an Application Level Proxy.&nbsp;
&nbsp;         Can this user information be captured? Based on the user information can an AD group attribute be retrieved? And based on the group retrieved – can a load balancing decision be taken to redirect the user to a higher performance pool – compared to another group that gets redirected to a regular pool?&nbsp;
Moorthy.&nbsp;

moorthy_63564 · Answer

Can a LTM “know” – which user a request is coming from? It should know because it is an Application Level Proxy. 
&nbsp;  
&nbsp; Can this user information be captured? Based on the user information can an AD group attribute be retrieved? And based on the group retrieved – can a load balancing decision be taken to redirect the user to a higher performance pool – compared to another group that gets redirected to a regular pool? &nbsp;

l4l7_53191 · Answer

Moorthy: the answer here is yes - put the APM module onto a BigIP and all of this should be possible. Check with your Field Systems Engineer about what the requirements are and they'll be able to help you sort through any details. To sum it all up though, APM can serve as a generic authentication proxy, and as such it's privy to all of the information you'll be interested in (and much, much more). So you'll fetch the attributes in question, then make some smart decisions on where folks should go based on whatever AD ships back. 
&nbsp;  
&nbsp; Good luck. Oh, and if you don't mind, would you please post back any designs you come up with here? APM is an extremely powerful tool and folks are using it to do some slick stuff. Now we just need to get more of it socialized! 
&nbsp;  
&nbsp; -Matt

moorthy_63564 · Answer

Hi Matt,&nbsp;
            Thanks for your reply,I got your answer,but Here my setup is the LTM is going to loadbalance the Proxy servers. so my requirment is i want to know which user going  through which proxy server. Is it possible? to get that report (without ASM) by iRule.&nbsp;
&nbsp;Moorthy&nbsp;

jrahm · Answer

yes, it is possible.  There are several examples in the codeshare regarding ldap, this one should get you started: 
&nbsp;  
&nbsp; LDAP Proxy: http://devcentral.f5.com/wiki/default.aspx/iRules/LDAPProxy.html Click Here &nbsp;

hooleylist · Answer

You can parse the username (and password) from requests and select a pool based on that information.   
&nbsp;  
&nbsp; But if you want to make an LDAP call to Active Directory to select the pool, you'd need APM or the Advanced Client Auth module and an iRule.  The ACA+iRule option would be a lot more complex compared with APM, as APM gives you a GUI for configuring the lookups.  The iRule would also require more maintenance/regression testing during upgrades of the LTM code.  As Matt suggested, it would be good to get in touch with an F5 SE to discuss your scenario in more detail. 
&nbsp;  
&nbsp; Aaron

Forum Discussion

iRule for knowing the user

5 Replies

Recent Discussions

F5 Rseries HA

Error when running bigip_command Playbook against LTM : Syntax Error: unexpected argument /bin/sh\n

Can iRule be used to perform exception of IPI category based on Geolocation

Can iRule mask the payload content on event logs of security

minimum tmos software version for connect CIS (openshift)

Related Content

F5 Certifications Mega Meta Series: The art of knowing what you need to know

Update your DevCentral user profile

The Three HTTP Routing Patterns You Should Know

Irule for diverting blocked gelocation users to a page

iRules Style Guide