Forum Discussion
Scott_Larson
Mar 14, 2007
Nimbostratus
What do you mean by side channel? Isn't the same sort of "side channel" created when you use BIGIP's LDAP authentication (which is really just an LDAP bind)? If so, then it should be a snap to support ldap searches (with configurable search filter and return attributes) in addition to ldap binds as the means by which BIGIP determines authentication success or failure...
For instance (pseudo code):
cert auth:
    set ldapCertSubjectDNAttribute = "certSubjDN"
    set authuser = (certificate's subject dn gotten during SSL handshake as shown in other iRule samples)
    set searchFilter = "($ldapCertSubjectDNAttribute=$authuser)"
    set returnAttributes = uid, usertype, useraccess
the holy grail:
    set ldap_results = ldap_search $searchFilter $returnAttributes
Then you could iterate through the LDAP results and extract the uid, usertype, and useraccess values.
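Added example, not part of the original post and not F5 code: a Python sketch of the lookup the pseudocode describes, showing the two checks such a search-based authentication needs, RFC 4515 escaping of the certificate subject DN before it goes into the filter, and failing closed unless exactly one entry matches. The names certSubjDN, uid, usertype, useraccess and ldap_search come from the post; the in-memory ldap_search stand-in, lookup_cert_user and the sample directory are assumptions constructed for illustration.

```python
import re

# RFC 4515: characters that must be written as \XX inside a filter value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}
_ATTR = r"[A-Za-z][A-Za-z0-9-]*"

def escape_filter_value(value):
    return "".join(_ESCAPES.get(ch, ch) for ch in value)

def build_filter(attribute, subject_dn):
    # The attribute name is configuration, but validate it anyway.
    if not re.fullmatch(_ATTR, attribute):
        raise ValueError("invalid attribute name")
    return "(%s=%s)" % (attribute, escape_filter_value(subject_dn))

def _unescape(text):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda h: chr(int(h.group(1), 16)), text)

def ldap_search(directory, search_filter, return_attributes):
    """Hypothetical stand-in for the post's ldap_search; handles (attr=value) only."""
    m = re.fullmatch(r"\((%s)=(.*)\)" % _ATTR, search_filter, re.S)
    if m is None:
        raise ValueError("unsupported filter")
    attr, pattern = m.groups()
    # An unescaped '*' is a wildcard; everything else is compared literally.
    regex = ".*".join(re.escape(_unescape(p)) for p in pattern.split("*"))
    return [{k: e[k] for k in return_attributes if k in e}
            for e in directory
            if re.fullmatch(regex, e.get(attr, ""), re.S)]

def lookup_cert_user(directory, subject_dn, attribute="certSubjDN",
                     return_attributes=("uid", "usertype", "useraccess")):
    results = ldap_search(directory, build_filter(attribute, subject_dn),
                          return_attributes)
    # Fail closed unless exactly one entry matches the certificate.
    return results[0] if len(results) == 1 else None

# Constructed sample directory (not real data).
DIRECTORY = [
    {"certSubjDN": "CN=Alice Example,OU=Ops,O=Example Corp",
     "uid": "alice", "usertype": "staff", "useraccess": "admin"},
    {"certSubjDN": "CN=Bob (Contractor),OU=Ops,O=Example Corp",
     "uid": "bob", "usertype": "contractor", "useraccess": "read"},
]
```

A subject DN may legitimately contain parentheses or an asterisk, so the value is escaped rather than rejected; the attributes returned are limited to the ones requested.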