Forum Discussion

3 Replies

  • Colin_Walker_12
    Historic F5 Account
    You'd do this by using the TCP::collect command and the TCP::payload variable to determine whether or not the desired information is present.

    Here's a good example: Click here

    Hope this helps,

    -Colin
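An added example of the approach Colin describes, not the code behind his link and not F5's own: an iRule that holds the client's first bytes with TCP::collect, inspects TCP::payload for the information it needs, and only then releases the connection to the server side. It assumes a TCP virtual server whose clients open with one line of text, a constructed marker string "HELLO" that the line must contain, and a pool named app_pool_ok.

```tcl
# Added example, not the code behind Colin's link and not F5's own: assumes a
# TCP virtual server whose clients open with one line of text, and a
# constructed marker "HELLO" that the line must contain. The pool name
# app_pool_ok is also an assumption.
when CLIENT_ACCEPTED {
    # Buffer client data in the iRule instead of forwarding it immediately.
    TCP::collect
}

when CLIENT_DATA {
    set data [TCP::payload]

    # Keep collecting until a full line is present, but cap the buffer so a
    # slow or silent client cannot hold memory indefinitely.
    if { ![string match "*\n*" $data] && [TCP::payload length] < 1024 } {
        TCP::collect
        return
    }

    if { $data contains "HELLO" } {
        # Desired information present: choose the pool and forward the bytes.
        pool app_pool_ok
        TCP::release
    } else {
        # Desired information absent (or 1024 bytes without a line): close it
        # rather than guess a pool.
        reject
    }
}
```

The cap on the collected length matters: without it a client that never sends a newline would keep the connection, and its buffer, open until an idle timeout fires.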
  • unRuleY_95363
    Historic F5 Account
    I think Colin might have misunderstood your question.

    Unfortunately, we use PAM for the backend of the auth engine and it only returns a boolean (authorized/not authorized). We have been looking at ways to allow querying a directory service for specific attributes, but nothing is currently planned for a release.

    Sorry.
  • What do you mean by side channel? Isn't the same sort of "side channel" created when you use BIGIP's LDAP authentication (which is really just an LDAP bind)? If so, then it should be a snap to support ldap searches (with configurable search filter and return attributes) in addition to ldap binds as the means by which BIGIP determines authentication success or failure...

    For instance (pseudo code):

    cert auth:

        set ldapCertSubjectDNAttribute = "certSubjDN"
        set authuser = (certificate's subject dn gotten during SSL handshake as shown in other iRule samples)
        set searchFilter = "($ldapCertSubjectDNAttribute=$authuser)"
        set returnAttributes = uid, usertype, useraccess

    the holy grail:

        set ldap_results = ldap_search $searchFilter $returnAttributes

    then you could iterate through ldap results and extract the uid, usertype, and useraccess values
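An added example, not part of the original post and not a BIG-IP feature: the filter-building and result-handling steps of the pseudo code above, written in plain Tcl so that the value taken from the client certificate cannot change the shape of the search filter. The pseudo code interpolates $authuser straight into "(attr=value)"; a subject DN containing "*", "(", ")" or a backslash would then broaden or break the filter, which is exactly what RFC 4515 escaping prevents. ldap_search itself remains hypothetical, so the directory entry is a constructed dict standing in for a real search result; the attribute name certSubjDN and the sample DN are taken from or modelled on the post.

```tcl
# Added example (not from the original post, not a BIG-IP command): safe
# construction of the LDAP equality filter sketched in the thread, plus
# extraction of the requested attributes from one result entry. ldap_search
# is hypothetical; everything below runs in a plain tclsh.

# Escape the characters RFC 4515 reserves inside an assertion value:
# backslash, asterisk, parentheses and NUL. string map makes one pass, so the
# inserted backslashes are not re-escaped.
proc ldap_filter_escape {value} {
    return [string map [list "\\" "\\5c" "*" "\\2a" "(" "\\28" ")" "\\29" "\x00" "\\00"] $value]
}

# Build "(attr=value)" with the value escaped, so the caller never
# concatenates raw certificate data into the filter.
proc ldap_equality_filter {attr value} {
    return "($attr=[ldap_filter_escape $value])"
}

# Keep only the attributes that were asked for. The entry is a Tcl dict,
# a constructed stand-in for a real directory entry.
proc pick_attributes {entry wanted} {
    set out [dict create]
    foreach attr $wanted {
        if {[dict exists $entry $attr]} {
            dict set out $attr [dict get $entry $attr]
        }
    }
    return $out
}

# Subject DN as an iRule would obtain it from the handshake; constructed here,
# and deliberately containing characters that would otherwise alter the filter.
set authuser {CN=alice (ops)*,OU=People,DC=example,DC=com}
set ldapCertSubjectDNAttribute certSubjDN
set searchFilter [ldap_equality_filter $ldapCertSubjectDNAttribute $authuser]
puts "filter: $searchFilter"

# Constructed stand-in for what ldap_search would return for that filter;
# the mail attribute is present to show it is not handed back unasked.
set returnAttributes {uid usertype useraccess}
set entry [dict create uid alice usertype staff useraccess rw mail alice@example.com]
dict for {attr value} [pick_attributes $entry $returnAttributes] {
    puts "$attr = $value"
}
```

Commas and equals signs in the DN need no escaping in a filter value, so the escaped filter still reads naturally; only the four reserved characters and NUL are rewritten. Limiting the returned attributes at the search, as the post proposes, is the other half: the authorization decision should see uid, usertype and useraccess and nothing else the entry happens to carry.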