Forum Discussion
Moe_Jartin
May 27, 2010
OK, apparently I was very confused. Originally, I had tried the iRule mentioned above but never got it to work. Sorry, I was working on this a while ago and then just came back to it and forgot what I had done.
What I DO have working is an altered version of the built-in _sys_auth_ldap iRule:
when HTTP_REQUEST {
    # The dev key from the request header is used as both username and password
    set ldsdevkey [HTTP::header value LDSDEVKEY]
    if {not [info exists tmm_auth_http_sids(ldap)]} {
        set tmm_auth_sid [AUTH::start pam default_ldap]
        set tmm_auth_http_sids(ldap) $tmm_auth_sid
        if {[info exists tmm_auth_subscription]} {
            AUTH::subscribe $tmm_auth_sid
        }
    } else {
        set tmm_auth_sid $tmm_auth_http_sids(ldap)
    }
    AUTH::username_credential $tmm_auth_sid $ldsdevkey
    AUTH::password_credential $tmm_auth_sid $ldsdevkey
    AUTH::authenticate $tmm_auth_sid
    if {not [info exists tmm_auth_http_collect_count]} {
        HTTP::collect
        set tmm_auth_http_successes 0
        set tmm_auth_http_collect_count 1
    } else {
        incr tmm_auth_http_collect_count
    }
}
when AUTH_RESULT {
    if {not [info exists tmm_auth_http_sids(ldap)] or \
        ($tmm_auth_http_sids(ldap) != [AUTH::last_event_session_id]) or \
        (not [info exists tmm_auth_http_collect_count])} {
        return
    }
    if {[AUTH::status] == 0} {
        incr tmm_auth_http_successes
    }
    # If multiple auth sessions are pending and
    # one failure results in termination and this is a failure
    # or enough successes have now occurred
    if {([array size tmm_auth_http_sids] > 1) and \
        ((not [info exists tmm_auth_http_sufficient_successes] or \
        ($tmm_auth_http_successes >= $tmm_auth_http_sufficient_successes)))} {
        # Abort the other auth sessions
        foreach {type sid} [array get tmm_auth_http_sids] {
            unset tmm_auth_http_sids($type)
            if {($type ne "ldap") and ($sid != -1)} {
                AUTH::abort $sid
                incr tmm_auth_http_collect_count -1
            }
        }
    }
    # If this is the last outstanding auth then either
    # release or respond to this session
    incr tmm_auth_http_collect_count -1
    if {$tmm_auth_http_collect_count == 0} {
        unset tmm_auth_http_collect_count
        if {[AUTH::status] == 0} {
            HTTP::release
        } else {
            HTTP::respond 401
        }
    }
}
So what I want to add to this is the "add a session when the user logs in, and check to see if a session already exists before querying LDAP" behavior from the CodeShare iRule I mentioned earlier. (http://devcentral.f5.com/wiki/default.aspx/iRules/ClientAuthUsingHTMLForms.html) I just really have NO IDEA how to do this. I am decent at HTTP iRules but this authentication is over my head. Is this possible?
Thanks again,
Joe
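One way to get the "check for an existing session before querying LDAP" behaviour on top of the rule above, as an added example that is neither the poster's rule nor the F5 CodeShare iRule: a successful LDAP result is remembered in the iRule `table` under a digest of the key, and later requests that hit the cache skip `AUTH::start` entirely. Assumptions: the `table` command with `-subtable` and an idle timeout is available (BIG-IP v10.1+), the `sha1` command is available, and the `LDSDEVKEY` header name and the 300 second idle window are illustrative.

```tcl
# Added example, not the poster's rule. Assumes: "table" with -subtable
# (v10.1+), "sha1" available; LDSDEVKEY and the 300 s timeout are illustrative.
when HTTP_REQUEST {
    set ldsdevkey [HTTP::header value LDSDEVKEY]
    # No key sent: nothing to authenticate, so do not bother LDAP.
    if { $ldsdevkey eq "" } {
        HTTP::respond 401
        return
    }
    # Cache key is a digest of the credential, so the plaintext key is
    # never stored in the session table.
    set cache_key [b64encode [sha1 $ldsdevkey]]
    # A lookup also refreshes the idle timer of the entry it finds.
    if { [table lookup -subtable authcache $cache_key] ne "" } {
        # Cached success inside the idle window: skip LDAP, let it through.
        return
    }
    # Cache miss: run the LDAP auth exactly as the original rule does.
    set tmm_auth_sid [AUTH::start pam default_ldap]
    AUTH::username_credential $tmm_auth_sid $ldsdevkey
    AUTH::password_credential $tmm_auth_sid $ldsdevkey
    AUTH::authenticate $tmm_auth_sid
    HTTP::collect
}
when AUTH_RESULT {
    # Ignore results that do not belong to the session we started.
    if { ![info exists tmm_auth_sid] || \
         $tmm_auth_sid != [AUTH::last_event_session_id] } {
        return
    }
    if { [AUTH::status] == 0 } {
        # Success: remember only a marker, expiring after 300 s idle,
        # then release the held request.
        table set -subtable authcache $cache_key 1 300
        HTTP::release
    } else {
        # Failures are deliberately not cached, so a wrong key is
        # re-checked against LDAP every time.
        HTTP::respond 401
    }
    unset tmm_auth_sid
}
```

Only a success marker is stored, never the key itself, and anyone presenting the same key shares the cached result, which matches how the original rule treats the header value as the whole credential.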