Forum Discussion

William_Them_99 (Nimbostratus)
Jun 04, 2005

Multiple LDAP Authentication Profiles?

We are interested in configuring authentication profiles that use LDAP as a means to verify passed-in attributes from client certificates. It will be very possible, though, that we will need to be able to search multiple LDAP servers (or at least multiple instances via different ports on the same server) to authenticate users.

From the LDAP authentication profile config, it looks like you can have multiple servers/ports by just adding them to the list. It seems to me, though, that all of these servers need to have the same tree structure in order to work, as you can only declare one user root (e.g. ou=our_ou,o=our_company). We will probably need one virtual server to be able to search multiple LDAP servers that have different tree structures.

Is it possible to do this by applying two different LDAP authentication profiles to one virtual server? Or is this not possible? Any suggestions?

Thanks for the help - this is one of our key feature needs in the eval.

2 Replies

  • Have you contacted F5 Product Technical Support? DevCentral is run by the Development staff to help out with building iRules and iControl applications. To me, this looks like a product configuration question. If so, then F5 Product Support is much better suited to help you out.

    If you have a specific question related to iRules, if you can give it a first cut, and then post it up here, we can try to help you out.

    -Joe
  • Tao_Liu_90341 (Historic F5 Account)
    That is possible, but you need to write your own auth rules for these two auth profiles.

      rule profile_rule1 {
          when CLIENT_ACCEPTED {
              # These counters are connection-scoped and shared by every iRule
              # on the virtual server, so profile_rule2 reads and increments
              # the same hold/success/fail values.
              set hold 0
              set success 0
              set fail 0
              # Open a PAM auth session against the first LDAP auth profile.
              set tmm_auth_ssl_cc_ldap_sid1 [AUTH::start pam profile_name1]
          }
          when CLIENTSSL_CLIENTCERT {
              # Skip if the other profile has already authenticated this client.
              if {$success == 0} {
                AUTH::cert_credential $tmm_auth_ssl_cc_ldap_sid1 [SSL::cert 0]
                AUTH::authenticate $tmm_auth_ssl_cc_ldap_sid1
                # Park the handshake exactly once, whichever rule runs first.
                if {$hold == 0} {
                  SSL::handshake hold
                  incr hold
                }
              }
          }
          when AUTH_SUCCESS {
              # Only act on events that belong to this rule's own session.
              if {$tmm_auth_ssl_cc_ldap_sid1 eq [AUTH::last_event_session_id]} {
                  incr success
                  # The first success from either profile releases the handshake.
                  if {$success == 1} {
                    SSL::handshake resume
                  }
              }
          }
          when AUTH_FAILURE {
              if {$tmm_auth_ssl_cc_ldap_sid1 eq [AUTH::last_event_session_id]} {
                  incr fail
                  # Reject only once both profiles have failed.
                  if {$fail == 2} {
                    reject
                  }
              }
          }
          when AUTH_WANTCREDENTIAL {
              # The session wants more credentials than a certificate provides.
              if {$tmm_auth_ssl_cc_ldap_sid1 eq [AUTH::last_event_session_id]} {
                  reject
              }
          }
          when AUTH_ERROR {
              if {$tmm_auth_ssl_cc_ldap_sid1 eq [AUTH::last_event_session_id]} {
                  reject
              }
          }
      }


    The second rule looks the same; just replace "tmm_auth_ssl_cc_ldap_sid1" and "profile_name1" respectively.
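The two-rule approach above works because iRule variables are scoped to the connection and shared by every iRule attached to the same virtual server, so `fail` reaching 2 means both LDAP profiles said no. As an added example (not part of Tao Liu's post and not F5 code), the same fan-out collapsed into a single iRule that drives a list of LDAP auth profiles, resumes the handshake on the first success and rejects only after every profile has answered. The profile names `ldap_profile_a` and `ldap_profile_b` are placeholders, and treating AUTH_ERROR and AUTH_WANTCREDENTIAL as a "no" from that profile rather than an immediate reject is a design choice of this example, not something the thread states.

```tcl
# Added example, not from the original thread: fan one client certificate
# out to N LDAP auth profiles on one virtual server. Profile names below
# are placeholders; substitute your own LDAP auth profile names.

when CLIENT_ACCEPTED {
    # One PAM session per LDAP profile. All of these variables are
    # connection-scoped, so each client connection gets its own set.
    set sids [list]
    foreach profile [list ldap_profile_a ldap_profile_b] {
        set sid [AUTH::start pam $profile]
        lappend sids $sid
        set profile_of($sid) $profile   ;# for logging which profile answered
    }
    set pending [llength $sids]   ;# sessions that have not answered yet
    set started 0                 ;# guard against re-submitting on renegotiation
    set decided 0                 ;# 1 once the handshake was resumed or rejected
}

when CLIENTSSL_CLIENTCERT {
    # CLIENTSSL_CLIENTCERT can fire again on renegotiation; only submit once.
    if { $started } { return }
    set started 1
    # Hand the same certificate to every session, then park the handshake
    # until one session succeeds or all of them have answered.
    foreach sid $sids {
        AUTH::cert_credential $sid [SSL::cert 0]
        AUTH::authenticate $sid
    }
    SSL::handshake hold
}

when AUTH_SUCCESS {
    set sid [AUTH::last_event_session_id]
    # Ignore events that belong to some other auth session on this connection.
    if { [lsearch -exact $sids $sid] < 0 } { return }
    incr pending -1
    if { !$decided } {
        set decided 1
        log local0. "client cert accepted by LDAP profile $profile_of($sid)"
        SSL::handshake resume
    }
}

# Failure, error and "need more credentials" all count as a "no" from that
# profile. The connection is rejected only when every profile has said no,
# so one unreachable LDAP server cannot block users the other server knows.
when AUTH_FAILURE {
    set sid [AUTH::last_event_session_id]
    if { [lsearch -exact $sids $sid] < 0 } { return }
    incr pending -1
    if { $pending == 0 && !$decided } {
        set decided 1
        log local0. "client cert rejected by all LDAP profiles"
        reject
    }
}

when AUTH_ERROR {
    set sid [AUTH::last_event_session_id]
    if { [lsearch -exact $sids $sid] < 0 } { return }
    log local0. "auth error from LDAP profile $profile_of($sid)"
    incr pending -1
    if { $pending == 0 && !$decided } {
        set decided 1
        reject
    }
}

when AUTH_WANTCREDENTIAL {
    set sid [AUTH::last_event_session_id]
    if { [lsearch -exact $sids $sid] < 0 } { return }
    incr pending -1
    if { $pending == 0 && !$decided } {
        set decided 1
        reject
    }
}
```

Compared with the two-rule version, this form does not depend on both rules resetting the same shared counters in CLIENT_ACCEPTED, and adding a third LDAP tree is a one-word change to the profile list. The security-relevant behaviour is unchanged: the SSL handshake stays held until a profile has actually accepted the certificate, and a client is only rejected when no profile accepts it. Note that "first success wins" means a certificate that one directory accepts and another rejects is allowed through; if the directories are not equally trusted, check the winning `$profile_of($sid)` before resuming.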