Luke_Drury_7634
Jun 24, 2009

iRule for LDAP auth based on URL syntax

Hi guys,

I am trying to replace some existing security functionality performed by an Apache reverse proxy with some iRules.

I am not sure if what I want to do is even possible.

Basically the site has its security based on the URL of the virtual directories.

For example some will have an a- in the URL while others have a b-

eg: http://blah.com.au/a-stuff/ or http://blah.com.au/b-stuff/

I need users who try to access the a- or b- directories to be prompted for auth via an LDAP server, i.e. if their username is found in any of the LDAP OUs then let them access the page.

Is this something that can be done with iRules?

And if so how?

I realise that this will be basic auth and that security won't be good.

Many thanks in advance

Cheers,

Red.

7 Replies

  • Hi Red,

    Yes, what you're describing is possible, but it requires the Advanced Client Authentication module. You can find more technical information on AskF5 or on F5's main site (http://www.f5.com/pdf/white-papers/client-authentication-wp.pdf).

    You may or may not have this licensed already. You can check in the GUI under System | License. If not you can check with your account rep about pricing.

    Aaron
  • Hey Aaron

    Thanks for that, much appreciated. :D

    We have the module licensed now and have part of our configuration in place, however we have one small problem.

    We need to authenticate against multiple OUs within an LDAP directory.

    Clients who try to access a URI with a- can be authenticated off our staff OU, while a URI with b- can be authenticated off the whole directory.

    We are having trouble working out how to associate the two different authentication profiles with the one virtual server, or utilise two authentication profiles within the one iRule.

    Currently we have it authenticating with the b- using the following iRule, with an authentication profile pointing to the whole LDAP tree.

    How do we make it do this with the a- URI and the specific LDAP OU?

    when CLIENT_ACCEPTED {
        # Open one LDAP auth session (PAM profile "default_ldap") per client connection
        set tmm_auth_ldap_sid [AUTH::start pam default_ldap]
    }

    when HTTP_REQUEST {
        if {[HTTP::uri] contains "b-"} {
            # Hand the Basic-auth credentials to the LDAP session and hold the request
            # until the result comes back
            AUTH::username_credential $tmm_auth_ldap_sid [HTTP::username]
            AUTH::password_credential $tmm_auth_ldap_sid [HTTP::password]
            AUTH::authenticate $tmm_auth_ldap_sid
            HTTP::collect
        }
    }

    when AUTH_SUCCESS {
        # Only act on results that belong to our own session
        if {$tmm_auth_ldap_sid eq [AUTH::last_event_session_id]} {
            HTTP::release
        }
    }

    when AUTH_FAILURE {
        if {$tmm_auth_ldap_sid eq [AUTH::last_event_session_id]} {
            HTTP::respond 401
        }
    }

    when AUTH_WANTCREDENTIAL {
        if {$tmm_auth_ldap_sid eq [AUTH::last_event_session_id]} {
            HTTP::respond 401
        }
    }

    when AUTH_ERROR {
        if {$tmm_auth_ldap_sid eq [AUTH::last_event_session_id]} {
            HTTP::respond 401
        }
    }
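An added example, not code from the thread or from F5, of the two-profile routing Red asks about above. It assumes the "default_ldap" profile from the post covers the whole tree and that a second ACA PAM profile, called "staff_ldap" here as a placeholder name, has its search base set to the staff OU; it matches on the path prefix rather than "contains" so that a b- appearing elsewhere in the URI cannot select the wider profile, and it uses the single AUTH_RESULT event Aaron mentions later in the thread.

```tcl
# Added example, not from the thread. Assumes two ACA PAM profiles:
#   default_ldap  - search base is the whole tree (the profile named in the thread)
#   staff_ldap    - placeholder name; search base set to the staff OU
when CLIENT_ACCEPTED {
    # One auth session per profile; each request picks which one to drive.
    set sid_all   [AUTH::start pam default_ldap]
    set sid_staff [AUTH::start pam staff_ldap]
    set sid ""
}

when HTTP_REQUEST {
    set path [string tolower [HTTP::path]]
    # Match the first path segment only, so a "b-" in a query string or a deeper
    # segment cannot steer an a- request to the profile covering the whole tree.
    if { $path starts_with "/a-" } {
        set sid $sid_staff
    } elseif { $path starts_with "/b-" } {
        set sid $sid_all
    } else {
        return
    }
    # No Authorization header yet: challenge instead of attempting an empty bind.
    if { [HTTP::username] eq "" } {
        HTTP::respond 401 WWW-Authenticate "Basic realm=\"blah.com.au\""
        return
    }
    AUTH::username_credential $sid [HTTP::username]
    AUTH::password_credential $sid [HTTP::password]
    AUTH::authenticate $sid
    HTTP::collect
}

when AUTH_RESULT {
    # Only act on the session this request used; ignore the idle one.
    if { [AUTH::last_event_session_id] ne $sid } { return }
    if { [AUTH::status] == 0 } {
        HTTP::release
    } else {
        HTTP::respond 401 WWW-Authenticate "Basic realm=\"blah.com.au\""
    }
}
```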
  • Thanks for that. For posterity, could you post an anonymised copy of your VIP, profile and iRule config? You can list out the config using 'b virtual VIP_NAME list', 'b profile PROFILE_NAME list', etc.

    Thanks,

    Aaron
  • Hi there,

    I'm trying to do something similar. One of my applications accepts both "DNIe" and "FNMT" certificates to authenticate users. I need to use two different OCSP Responders to verify the certificates.

    Is it possible to switch between two different OCSP Responders? It doesn't matter how (switching the configuration of my authentication profile, changing the OCSP responder of the configuration, etc.)

    Did you finally use a similar solution for your problem?
  • Hi Stefan,

    Sorry, I'm in the process of building a new home lab and I don't have an AD server running yet. If you don't get an answer here, I suggest opening a case with F5 Support. Hopefully, they'll be able to provide you with an example config. Example iRules aren't officially supported but they might be able to help.

    Otherwise, if you get stuck with that, reply back here and I'll see what I can dig up.

    Aaron
  • Hi Stefan,

    Thanks for posting your solution. I still don't have a working Windows AD VM set up yet!

    By the way, the individual AUTH_ events have been deprecated in favor of a single event, AUTH_RESULT. You might want to update your iRule to use this event instead:

    http://devcentral.f5.com/wiki/default.aspx/iRules/auth_result

    Aaron
  • Hi again,

    In the meantime we have modified our LDAP profile and included the IP address of an additional LDAP VS, which itself has the pool with the "real" LDAP servers assigned.

    My question now: is it possible to have an iRule in place for this LDAP VS which can check the LDAP query and, depending on it, choose different pools (different LDAP servers should be used for the test and prod environments)? What event should I use? Any examples would be very nice.

    As we are using the ACA module I'd like to avoid any modifications on all my authentication profiles and iRules (which are a lot) and therefore I had the idea to separate this directly on the LDAP VS, but then I realised that this VS doesn't have the information of the incoming URI like the HTTP VS does.

    Thank you!

    Ciao Stefan :)