Forum Discussion

gpoverland (Nimbostratus)
Jun 18, 2012

iRULE Help with LDAP, HTTP Cookie, OCSP, etc...

Ok, in all fairness, this one is beyond my current knowledge of iRule writing, so if you're feeling generous, please give it a go. I am willing to try, so if you have suggestions, I'm all ears.

I am trying to create an iRule that does certain things:

1. I want to verify that an X.509 cert exists and collect the CN= value from the cert.
2. I want to look at a specific pool of servers and determine if they are available; if not, send a redirect for another URL.
3. Utilize the CAC CN= value gathered above to query an LDAP VIP for a value.
4. Insert the LDAP value into a cookie.
5. Pass the request to a pool based on the value of the URI string.

Here is some preliminary code that I am working from. If anyone has any thoughts on the LDAP section or an idea on how to better organize this, please let me know. Thanks; all advice is welcome.

Here is what we are trying to do:

1. Verify an X.509 cert exists and collect the CN= value.
2. Send a 302 redirect (pointing at the COOP VIP) response to the client browser if the pool is not available.
3. Utilize CAC CN={Subject} and the LDAP VIP for the LDAP query – returns an attribute.
4. Create cookie USERCOOKIE and insert DN={LDAP attribute}.
5. Perform URI-based pool mapping.

Begin iRule

when CLIENTSSL_CLIENTCERT {
    # Step 1: check for an X.509 cert
    if { [SSL::cert count] < 1 } {
        # Reset the connection
        reject
    } else {
        # Example subject (X509::subject returns the full subject DN, not only the CN):
        # CN=Lastname.Firstname.Middlename.10digitnumber, OU=Somevalue, OU=XYZ, O=U.S. Government, C=US
        set subject_CN [X509::subject [SSL::cert 0]]
        log local0. "Client Certificate Received: $subject_CN"

        # Check if the client certificate contains the correct DN from the list.
        # $::mil has to be set elsewhere (e.g. in RULE_INIT); on v10 and later a global
        # variable like this disables CMP for the virtual, so static::mil is preferred.
        if { $subject_CN contains $::mil } {
            # Accept the client cert
            log local0. "Client Certificate Accepted: $subject_CN"
        } else {
            log local0. "No Matching Client Certificate Was Found Using: $subject_CN"
            reject
        }
    }
    # End Step 1
}

when HTTP_REQUEST {
    # Step 2: check the status of the pool members and send a redirect if none are available
    if { [active_members [LB::server pool]] == 0 } {
        HTTP::redirect "http://SOMEVIP"
        return
    }

    # Step 3: LDAP query. This is not iRule code yet; it is the lookup as run with
    # ldapsearch against the LDAP VIP, followed by the response it returns:
    #
    #   ldapsearch -v -h `hostname` -p 389 -D "cn=adminuser" -w "adminpassword" -b "" -s sub uid={firstname.middleinitial.lastname} otableval
    #
    #   ldapsearch: started Fri Jun 8 19:28:13 2012
    #   ldap_init( udea8026v032, 389 )
    #   filter pattern: uid=fname.m.lname
    #   returning: otableval
    #   filter is: (uid=fname.m.lname)
    #   version: 1
    #   dn: cn=fname.m.lname,cn=users, ou=xyz,ou=abc,ou=tnt,o=something,c=us
    #   otableval: fname.m.lname.12324252627
    #   1 matches
    #
    # Need to set a variable called subject_DN to the highlighted text above.

    # Step 4: check if the cookie exists in the request
    if { [HTTP::cookie exists "USERCOOKIE"] } {
        # Note: a USERCOOKIE supplied by the client is forwarded to the pool unchanged here.
        log local0. "$subject_CN has USERCOOKIE"
    } elseif { [info exists subject_DN] } {
        # Set the cookie's value to the LDAP result (this inserts it into the request sent to the pool)
        HTTP::cookie insert name "USERCOOKIE" value $subject_DN
        log local0. "$subject_CN added USERCOOKIE"
    }

    # Step 5: make the pool selection based on the URI. The path is forced to lower
    # case, so the literal it is compared against has to be lower case as well.
    if { [string tolower [HTTP::path]] equals "/ocsuristring" } {
        pool OCSPOOLNAME
    } else {
        pool EBSPOOLNAME
    }
}

# Logs server connections
when SERVER_CONNECTED {
    log local0. "User $subject_CN connected from [IP::client_addr]:[TCP::client_port] to server: [IP::server_addr]:[TCP::server_port] established."
}
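An added example, not part of gpoverland's post, that works through the certificate and cookie steps in iRule Tcl: it pulls only the CN attribute out of the subject DN that X509::subject returns, rejects anything that does not match the CAC CN shape described above (Lastname.Firstname.Middlename.10digitnumber) before the value can reach an LDAP filter or a cookie, escapes the LDAP filter metacharacters from RFC 4515, and refuses to forward a client-supplied USERCOOKIE. The event names and the SSL::, X509:: and HTTP::cookie commands are real iRule commands; the variable names, the uid mapping (firstname.middleinitial.lastname), the CAC regex and the ldap_filter string are assumptions. LTM iRules have no built-in LDAP query command, so the block stops at building the filter for whatever ends up doing the lookup.

```tcl
# Added example, not code from the original post. Assumes the CN has the form
# Lastname.Firstname.Middlename.<10 digits>; variable names are hypothetical.
when CLIENTSSL_CLIENTCERT {
    if { [SSL::cert count] < 1 } {
        reject
        return
    }
    # X509::subject returns the whole subject DN, e.g.
    # "CN=Doe.John.Q.1234567890, OU=Somevalue, OU=XYZ, O=U.S. Government, C=US"
    set subject_dn [X509::subject [SSL::cert 0]]

    # Take only the CN attribute value (everything up to the next comma).
    if { ![regexp -nocase {(?:^|,)\s*CN=([^,]+)} $subject_dn match cn] } {
        log local0. "No CN in client certificate subject: $subject_dn"
        reject
        return
    }

    # Allow-list the CAC form before the value is used anywhere: three name
    # parts (letters, hyphens, apostrophes) and a 10-digit number.
    if { ![regexp {^[A-Za-z'-]+\.[A-Za-z'-]+\.[A-Za-z'-]+\.[0-9]{10}$} $cn] } {
        log local0. "Client certificate CN is not in CAC form: $cn"
        reject
        return
    }
    set subject_CN $cn

    # Build the uid the post searches on (firstname.middleinitial.lastname).
    # This mapping is an assumption.
    set parts [split $cn "."]
    set last [lindex $parts 0]
    set first [lindex $parts 1]
    set middle [lindex $parts 2]
    set ldap_uid "$first.[string index $middle 0].$last"

    # Escape LDAP filter metacharacters (RFC 4515) so the uid can only ever match
    # literally. The allow-list above already excludes them; this keeps the
    # filter safe if that regex is later loosened.
    set esc [list "\\" "\\5c" "*" "\\2a" "(" "\\28" ")" "\\29" "\x00" "\\00"]
    set ldap_filter "(uid=[string map $esc $ldap_uid])"
    log local0. "LDAP filter for $subject_CN: $ldap_filter"
}

when HTTP_REQUEST {
    # The back end will read USERCOOKIE as the user's identity, so never pass a
    # value chosen by the client through. Drop any incoming copy and set the one
    # derived from the certificate/LDAP lookup (subject_DN is set by the LDAP step).
    if { [HTTP::cookie exists "USERCOOKIE"] } {
        HTTP::cookie remove "USERCOOKIE"
    }
    if { [info exists subject_DN] } {
        HTTP::cookie insert name "USERCOOKIE" value $subject_DN
    }
}
```

Whatever performs the query (APM, a sideband connection on v11, or a separate service the iRule calls) should bind with a read-only account scoped to the search base rather than the admin credentials shown on the ldapsearch line, and should use only the escaped filter above, never the raw CN.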