Multiple Auth

We are interested in a similar configuration, but are using 3 LDAP registries. This iRule looks like it can work for us as well. However, the doc on creating virtual servers indicates there is 1 authentication profile with a virtual server. Any of these registries can be used to authenticate to any of our servers behind the BigIP. We need the virtual servers to have access to all the authentication profiles. Is this possible? We don't have the hardware yet, this question is based on the doc. Thanks.

Your case is bit different from the original purpose of this rule. Because your ldap servers are equivalent to each other, you can just use the authentication facility shiped with bigip as it is, though you can create a ldap virtual server in bigip with three of your ldap registries as server side, and use that virtual server in your ldap auth setting.

 

 

Let us know if you have questions.

Actually, our servers are different. Once we got a hold of the box, we found we could use multiple authentication profiles for a single virtual server. This worked for us.

I am trying to modify the existing post for ldap only authentication. It will be used in a dual auth rule with SSL. I would like to see what the results are for this instead of sys auth ldap I am currently using. I am having problems with the modified rule included below. The big ip will not contact the ldap server until I click stop in the browser toolbar. Could somebody tell me what I have done incorrectly?

 

 

when CLIENT_ACCEPTED {

 

set ldap_authed 0

 

 

}

 

when HTTP_REQUEST {

 

set username [HTTP::username]

 

set password [HTTP::password]

 

set asid_ldap [AUTH::start pam default_ldap]

 

AUTH::username_credential $asid_ldap $username

 

AUTH::password_credential $asid_ldap $password

 

AUTH::authenticate $asid_ldap

 

HTTP::collect

 

}

 

when AUTH_SUCCESS {

 

if {$asid_ldap eq [AUTH::last_event_session_id]} {

 

set ldap_authed 1

 

}

 

 

if {$ldap_authed == 1} {

 

HTTP::release

 

}

 

 

}

 

when AUTH_FAILURE {

 

if {$asid_ldap eq [AUTH::last_event_session_id] } {

 

HTTP::respond 401

 

}

 

}

 

when AUTH_WANTCREDENTIAL {

 

if {$asid_ldap eq [AUTH::last_event_session_id] } {

 

HTTP::respond 401

 

}

 

}

 

when AUTH_ERROR {

 

if {$asid_ldap eq [AUTH::last_event_session_id] } {

 

HTTP::respond 401

 

}

 

}

 

 

Thank you for your help,

 

Rob

This rule itself looks fine. What is the other part of your dual auth rule ?

I separated the rule so that it stood by itself. I have that attached to an auth profile (ldap), but nothing else. Like I stated before, the Big IP doesn't try to contact the LDAP server until I hit stop on the browser toolbar. Any thoughts? Could I have done something by playing around with the Irules that makes it behave this way?

 

 

Thank you,

 

Rob

For auth via LDAP and SSL, they are done in different stage, actually you don't have to modify these rules. Just use the default auth profiles.

I am trying to create a rule that challenges a user for a client cert or allows them to use LDAP as a secondary means. I've been using the following subject post for that:

 

Subject: Authenticate customer using SSL client certificate or LDAP

 

http://devcentral.f5.com/Default.aspx?tabid=28&forumid=5&postid=6260&view=topic

 

 

I also need to include ocsp at some point so I was looking for ways to simplify the LDAP Auth section.

 

 

Beyond that, I let it go instead of stopping the browser and have seen it take up to 5 minutes or longer to authenticate. I am trying to find out what is going on, however there is nothing that shows up in the syslog. In addition, I can perform a b load and do not see any issues unlike the time I used the regsub command. Do you know of a way to find out what might be going on?

 

 

Thank you for your help,

 

Rob

I reloaded 9.1.0 Build 6.2 and was able to successfully use the rule below. I switched back to a system running 9.2.2 Build 76.6 and am experiencing problems. The configs are near identical on each F5 (the 9.2.2 system has more virtual servers as the 9.1.0 only has the ldap stuff). The 9.2.2 system "loads" the page 5 minutes after entering the credentials. The 9.1.0 system "loads" the page almost immediately after the ldap credentials are entered. Have you experienced the same type of problems? Could you confirm this? Is there a newer version of the os?

 

 

Thank you,

 

Rob

 

 

 

when CLIENT_ACCEPTED {

 

set ldap_authed 0

 

 

}

 

when HTTP_REQUEST {

 

set username [HTTP::username]

 

set password [HTTP::password]

 

set asid_ldap [AUTH::start pam default_ldap]

 

AUTH::username_credential $asid_ldap $username

 

AUTH::password_credential $asid_ldap $password

 

AUTH::authenticate $asid_ldap

 

HTTP::collect

 

}

 

when AUTH_SUCCESS {

 

if {$asid_ldap eq [AUTH::last_event_session_id]} {

 

set ldap_authed 1

 

}

 

 

if {$ldap_authed == 1} {

 

log local0. "entering auth success"

 

HTTP::release

 

}

 

}

 

when AUTH_FAILURE {

 

if {$asid_ldap eq [AUTH::last_event_session_id] } {

 

log local0. "entering auth failure"

 

HTTP::respond 302 Location "http://x.x.x.x"

 

}

 

}

 

when AUTH_WANTCREDENTIAL {

 

if {$asid_ldap eq [AUTH::last_event_session_id] } {

 

log local0. "entering auth want credential"

 

HTTP::respond 401

 

}

 

}

 

when AUTH_ERROR {

 

if {$asid_ldap eq [AUTH::last_event_session_id] } {

 

log local0. "entering auth error"

 

HTTP::respond 401

 

}

 

}