Moe_Jartin, May 26, 2010
LDAP Authentication iRule... HELP
I am trying to write an iRule for an LDAP authentication profile. The iRule will take the value of a cookie from every request and use it as the username AND password, which it will then validate against LDAP. I also want it to check to see if an existing session exists and allow the traffic based on the local session rather than querying LDAP for EVERY HTTP request.
I took the Code Share iRule from http://devcentral.f5.com/wiki/default.aspx/iRules/ClientAuthUsingHTMLForms.html and altered it a bit to fit my scenario. I have it working to the point that it is querying LDAP, and if the cookie does not exist in the iRule or if the cookie value is not valid then access is denied. The part that is not working is the creation and checking of the local session table. It is querying LDAP for EVERY HTTP request.
There are certainly pieces to this iRule that I do not understand, so I am looking for help to understand how to create a session in the table and check it to see if a session exists for that user before querying LDAP.
when CLIENT_ACCEPTED {
    set forceauth 1
    set auth_status 2
    set ckname LDSDEVKEY
    set ckpass myPassword
    set asid [AUTH::start pam default_ldap]
}
when HTTP_REQUEST {
    if { [matchclass [HTTP::path] starts_with "/opensso"] } {
        # Private URI, Auth Required
        if { [HTTP::header exists $ckname] } {
            set ldsdevkey [HTTP::header value $ckname]
            if { not ( $ldsdevkey equals "" ) } {
                log local0. "LDSDEVKEY=$ldsdevkey"
                # retrieve the auth status from the session table
                set auth_status [session lookup uie $ldsdevkey]
            }
            # If the auth status is 0 then the user is authenticated
            if { $auth_status eq 0 } {
                # LDSDEVKEY & Session Auth valid
                set forceauth 0
            }
            if {$forceauth eq 1} {
                set auth_username $ldsdevkey
                set auth_password $ldsdevkey
                AUTH::username_credential $asid $auth_username
                AUTH::password_credential $asid $auth_password
                AUTH::authenticate $asid
                HTTP::collect
            }
        }
    }
}
when AUTH_SUCCESS {
    if {$asid eq [AUTH::last_event_session_id]} {
        # Now the user has authenticated lets give them an encrypted cookie with their authID
        # We'll also add the AUTH::status to a session entry with the authID as the key
        # We can then re-direct the user to the page they originally asked for
        set authStatus [AUTH::status $asid]
        session add uie $asid $authStatus 1800
    }
}
when AUTH_FAILURE {
    if {$asid eq [AUTH::last_event_session_id]} {
        HTTP::respond 200 content "Authentication Failed"
    }
}
when AUTH_WANTCREDENTIAL {
    if {$asid eq [AUTH::last_event_session_id]} {
        HTTP::respond 200 content "Authentication Credentials not provided"
    }
}
when AUTH_ERROR {
    if {$asid eq [AUTH::last_event_session_id]} {
        HTTP::respond 200 content "Authentication Error"
    }
}
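As an added example (not the poster's iRule and not the Code Share one), here is the session-table logic with `session add` and `session lookup` keyed on the same value and the collected request released after a successful bind. It assumes the `sha1` and `b64encode` iRule commands are available on the running TMOS version, and it keeps the poster's `default_ldap` profile, `LDSDEVKEY` header and 1800-second timeout.

```tcl
# Added example (not the poster's iRule): one key is used for both
# 'session add' and 'session lookup', and the held request is released.
when CLIENT_ACCEPTED {
    set ckname LDSDEVKEY
    set sesskey ""
    set asid [AUTH::start pam default_ldap]
}
when HTTP_REQUEST {
    if { [HTTP::path] starts_with "/opensso" } {
        set ldsdevkey ""
        if { [HTTP::header exists $ckname] } {
            set ldsdevkey [HTTP::header value $ckname]
        }
        if { $ldsdevkey eq "" } {
            HTTP::respond 401 content "Authentication Credentials not provided"
            return
        }
        # The header value is a credential, so the table key is a digest of
        # it rather than the cleartext value (assumes sha1/b64encode exist
        # on this TMOS version). The same expression must be used everywhere.
        set sesskey [b64encode [sha1 $ldsdevkey]]
        # 'session lookup' returns "" when no entry exists or it has expired
        if { [session lookup uie $sesskey] eq "authenticated" } {
            return
        }
        # No valid cache entry: bind against LDAP and hold the request meanwhile
        AUTH::username_credential $asid $ldsdevkey
        AUTH::password_credential $asid $ldsdevkey
        AUTH::authenticate $asid
        HTTP::collect
    }
}
when AUTH_SUCCESS {
    if { $asid eq [AUTH::last_event_session_id] } {
        # 1800 s idle timeout, matching the original post
        session add uie $sesskey "authenticated" 1800
        HTTP::release
    }
}
when AUTH_FAILURE {
    if { $asid eq [AUTH::last_event_session_id] } {
        session delete uie $sesskey
        HTTP::respond 401 content "Authentication Failed"
    }
}
when AUTH_ERROR {
    if { $asid eq [AUTH::last_event_session_id] } {
        HTTP::respond 503 content "Authentication Error"
    }
}
```

While a table entry exists, any client presenting the same header value is admitted without an LDAP bind, so the timeout bounds how long a revoked or changed LDAP password keeps working on the BIG-IP.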