Forum Discussion

Manuel_57458
Nov 13, 2012

F5 iRule for App/URL access with LDAP query

I am trying to write an iRule for HTTP/URL access with an LDAP query. For example: User A gets access to Application/URL A, User B gets access to Application/URL B, User C gets access to Application/URL A + B, and if User A tries to get access to Application B, he gets access only to App/URL A (redirect). Before the user gets access, the LDAP user credentials should be checked, but the user shouldn't get an access mask or portal; it should check the LDAP user credentials from the local user at the machine. What is the best way to realise this? I need examples for a solution please. Maybe someone has done this before. Just to explain, I wanna check that the user who has access on a machine is in a specific LDAP group and gets access only to specific applications or URLs. In the iRule, the user group which gets access to an App/URL must be well-defined, and the URL or Application address as well, to compare with the LDAP and the client. I have no idea how I can do this.

5 Replies

  • Apologies but could you reword your requirements, perhaps break them down a bit more please? Right now I'm struggling to understand them.
  • Posted By What Lies Beneath on 11/13/2012 11:26 AM

    Apologies but could you reword your requirements, perhaps break them down a bit more please? Right now I'm struggling to understand them.

    Okay, we have 5 intranet servers with intranet websites and some web applications on these servers; the first step is just to load balance these servers. Then the web applications or URLs (behind the URLs are web apps or executables) should only be reachable by users in a particular LDAP user group; for example, user A (john doe, pw:***) is in the LDAP user group webshop, and user A should only reach the URL with the webshop behind it because the user is in the LDAP user group webshop. Other users from a user group like logistics shouldn't reach the webshop URL. One nice-to-have: some web apps need login data (username, password) from the user; is it possible to read the login data from the user's machine and after that do something like SSO (single sign-on)? But the important thing in this topic is to check whether the user is in this LDAP user group, and only users in this group get access to a particular web app or URL. I hope you understand what I want to implement.

     

  • OK, understood now =]

    I don't see any reason why this shouldn't be possible if you're running v11 LTM. You can use an LDAP profile and configuration to retrieve the data and an iRule to direct the traffic as appropriate. Unfortunately I don't have the experience to provide a low level configuration for you as well. Hopefully another member (say, Kevin Stewart) can jump in and provide some further detail.
  • Posted By What Lies Beneath on 11/14/2012 05:20 AM

    OK, understood now =]

    I don't see any reason why this shouldn't be possible if you're running v11 LTM. You can use an LDAP profile and configuration to retrieve the data and an iRule to direct the traffic as appropriate. Unfortunately I don't have the experience to provide a low level configuration for you as well. Hopefully another member (say, Kevin Stewart) can jump in and provide some further detail.

    Okay, that sounds nice, but how can I get these guys to help me here? Could you tell these guys my question? I think you know all these guys ;)

    THX.

  • Your best bet to get Kevin's attention (seeing as he doesn't appear to have spotted this) is to pose your question again but in the Security forum.