iRULE Help with LDAP, HTTP Cookie, OCSP, etc...
I am trying to create an iRULE that does certain things.
1. I want to verify that an X.509 Cert exists and collect the CN= value from the cert
2. I want to look at a specific pool of servers and determine if they are available, if not send a redirect for another URL
3. Utilize the CAC CN= value gathered above to the query an LDAP VIP for a value
4. Insert the LDAP Value into a cookie
5. Pass the request to a pool based on the value of the uri string
Here is some preliminary code that I am working from. If anyone has any thoughts on the LDAP section or an idea on how to better organize this, please let me know. Thanks, all advice is welcome.
Here is what we are trying to do:
1. Verify X.509 Cert exists and collect CN= value
2. Sends a 302 Redirect (pointing at COOP VIP) response to Client Browser if Pool is not available
3. Utilize CAC CN={Subject} and LDAP VIP for LDAP Query – Returns Attribute
4. Creates Cookie USERCOOKIE and inserts DN={ldap Attribute}
5. Performs URI based Pool Mapping
Begin iRULE
when CLIENTSSL_CLIENTCERT {
Step 1 Chevk for X.509 Cert
if {[SSL::cert 0] eq ""}{
Reset the connection
reject
} else {
Example Subject CN: CN=Lastname.Firstname.Middlename.10digitnumber, OU=Somevalue, OU=XYZ, O=U.S. Government, C=US
set subject_CN [X509::subject [SSL::cert 0]]
log "Client Certificate Received: $subject_cn"
Check if the client certificate contains the correct DN from the list
if {($subject_CN contains $::mil) } {
Accept the client cert
log "Client Certificate Accepted: $subject_CN "
} else {
log "No Matching Client Certificate Was Found Using: $subject_CN "
reject
}
}
}
End Step 1
when HTTP_REQUEST {
Step 2 Checks Status of Pool Members and sends redirect if none are available
if { [active_members [LB::server pool]] == 0 } {
HTTP::redirect "http://SOMEVIP
}
Step 3
LDAP Query
Query {LDAP VIP} ldapsearch -v -h `hostname` -p 389 -D "cn=adminuser" -w "adminpassword" -b "" -s sub uid={firstname.middleinitial.lastname}otableval
Response: This is what will be returned
ldapsearch: started Fri Jun 8 19:28:13 2012
ldap_init( udea8026v032, 389 )
Need to set a variable called subjectDN to the highlighted text above
Step 4
Check if cookie exists in request
if { [HTTP::cookie exists "USERCOOKIE"] } {
log " $subject_CN has USERCOOKIE"
} else {
HTTP::cookie insert name "USERCOOKIE" value [HTTP::cookie value "$subject_DN "]
log " $subject_CN added USERCOOKIE"
}
Step 5 Makes Pool Selection based on URI
Forces URI to lower case
if { [string tolower [HTTP::path]] equals "/OCSURISTRING" } {
pool OCSPOOLNAME
}
else {
pool EBSPOOLNAME
}
}
}
Logs Server Connections
when SERVER_CONNECTED {
log local0. "User $subject_CN connected from [IP::client_addr]:[TCP::client_port] to server: [IP::server_addr]:[TCP::server_port] established."
}