Forum Discussion

rqmang_178521
Feb 06, 2015

Set LDAP authentication attributes or LTM virtual server authentication profiles attribute in iRules

Is there a way in iRules to set either one of the following based on the HTTP request path:


  • the valid group attribute in the LDAP authentication configuration;
  • the configuration attribute in the LDAP authentication profile;
  • the authentication profiles attribute in the virtual server LTM.

We are doing client certificate authentication using LDAP and we want to check the client's group membership based on the HTTP request path. For example, for URI /web/app1, clients with valid certificates are members of the group userapp1; for URI /web/app2, clients with valid certificates are members of the group userapp2. We simply do not want to allow clients in the group userapp1 to access URI /web/app2, and vice versa.


Not sure if this can be done with iRules or what would be a good alternative. Thanks,


2 Replies

  • How are you planning to evaluate the client certificate group memberships in LDAP with LTM? If you are using ACA, I highly recommend that you look at implementing APM; with ACA there is not much life left as far as support goes. https://support.f5.com/kb/en-us/solutions/public/14000/200/sol14263.html


    Are you just validating the certificate with OCSP and setting a "group" membership from that? Or do you plan to validate the client certificate against OCSP, then validate the users' memberships in LDAP?


    If you plan to use ACA, you can find some guidance here: https://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/ltm_configuration_guide_10_0_0/ltm_auth_profiles.html1192487


    Since ACA relies heavily on iRules, you should be able to modify many of the parameters from there.


  • Thanks for the response Michael J. We're in the early stage of implementing the LTM and we were able to fumble through and set up the client certificate with LDAP authentication. Within the LDAP authentication configuration, we specify a valid group. I'm wondering, if it's at all possible with iRules, how to change/update the valid group based on the http::request, similar to what we could do with pools. If not, how about the other two attributes I mentioned above. As for the client certificate, it'll be validated against OCSP, then the user group membership in LDAP. We have not explored the APM as of yet and how to accomplish as such. I'm hoping to get some detailed examples/suggestions. Thanks,
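One way to get the per-path group check the question asks for along the ACA-via-iRules route mentioned in the first reply, as an added example rather than anything posted in this thread: since the valid-group attribute is fixed inside an ACA auth configuration, keep one "SSL Client Certificate LDAP" configuration per path prefix and let the iRule choose which one to run. The configuration names ldap_cc_app1 and ldap_cc_app2, the prefix map and the 403 handling are all assumptions; the client-SSL profile is assumed to already require and OCSP-validate the client certificate.

```tcl
# Added example, not from the thread. Picks an ACA "SSL Client Certificate
# LDAP" configuration by URI prefix; each configuration carries its own
# valid-group setting (assumed: ldap_cc_app1 -> userapp1, ldap_cc_app2 -> userapp2).
when RULE_INIT {
    # constructed map: URI prefix -> auth configuration name
    set static::authcfg_by_path [list "/web/app1" "ldap_cc_app1" "/web/app2" "ldap_cc_app2"]
}

when CLIENT_ACCEPTED {
    # per-connection state: one auth session per configuration, plus a cache of
    # which configurations have already authorized this connection's certificate
    array set auth_sid {}
    array set auth_ok {}
}

when HTTP_REQUEST {
    set cfg ""
    foreach { prefix name } $static::authcfg_by_path {
        if { [HTTP::path] starts_with $prefix } { set cfg $name ; break }
    }
    if { $cfg eq "" } {
        # deny by default: unmapped paths get no LDAP lookup and no access
        HTTP::respond 403 content "Forbidden" noserver
        return
    }
    if { [info exists auth_ok($cfg)] } { return }
    if { ![info exists auth_sid($cfg)] } {
        set auth_sid($cfg) [AUTH::start pam $cfg]
        AUTH::subscribe $auth_sid($cfg)
    }
    set auth_cfg $cfg
    # the handshake already happened, so the client certificate is available here
    AUTH::cert_credential $auth_sid($cfg) [SSL::cert 0]
    AUTH::cert_issuer_credential $auth_sid($cfg) [SSL::cert issuer 0]
    AUTH::authenticate $auth_sid($cfg)
    # hold the request until AUTH_RESULT decides
    HTTP::collect
}

when AUTH_RESULT {
    if { ![info exists auth_cfg] || [AUTH::last_event_session_id] != $auth_sid($auth_cfg) } { return }
    if { [AUTH::status] == 0 } {
        set auth_ok($auth_cfg) 1
        HTTP::release
    } else {
        # certificate is valid but not in this path's group (or LDAP failed): refuse
        HTTP::respond 403 content "Forbidden" noserver
    }
}
```

Because the group lookup runs on the first request per path rather than during the TLS handshake, the virtual server should carry this rule instead of the stock _sys_auth_ssl_cc_ldap rule, and a connection that passes for /web/app1 still gets a separate LDAP check the first time it touches /web/app2.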