AUTH::unsubscribe
Description
AUTH::unsubscribe cancels interest in auth query results.
AUTH::response_data will not return
data from query results for which a subscription has been cancelled
before AUTH::authenticate has been
called. Also see AUTH::subscribe.
Examples
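The rule below demonstrates how multi-pass auth might be performed.
Additional error checking of the group name would be necessary in a
production-ready rule, because the group name read from the first pass's
response data is passed directly to AUTH::start as the name of the
second-pass configuration.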
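rule multi_pass_auth {
    # Two-pass authentication example.
    #   Pass 1: authenticate the HTTP credentials against auth_method_user with
    #           a subscription, so that AUTH::response_data returns the query
    #           results, and read the user's group from them.
    #   Pass 2: authenticate the same credentials against the configuration
    #           named after that group; the subscription is cancelled because
    #           no response data is needed from this pass.
    # auth_pass is connection state: 1 = pass 1 pending, 2 = pass 2 pending,
    # 3 = both passes succeeded.
    when HTTP_REQUEST {
        # Once auth_pass exists, later requests on the same connection skip
        # authentication entirely, even if they carry different credentials.
        if {not [info exists auth_pass]} {
            set auth_sid [AUTH::start pam auth_method_user]
            AUTH::subscribe $auth_sid
            set auth_username [HTTP::username]
            set auth_password [HTTP::password]
            AUTH::username_credential $auth_sid $auth_username
            AUTH::password_credential $auth_sid $auth_password
            AUTH::authenticate $auth_sid
            set auth_pass 1
            # NOTE(review): AUTH_RESULT calls HTTP::release, but no matching
            # HTTP::collect is visible here. Confirm the request is held while
            # the auth query is outstanding, so that it cannot be forwarded
            # before a result arrives.
        }
    }
    when AUTH_RESULT {
        # AUTH::status returns 0 only on success (1 = failure, -1 = error,
        # 2 = not authenticated). Treat every non-zero value as a failure so
        # that errors fail closed; the earlier "!= 1" test let a failed
        # attempt through.
        if {[AUTH::status] != 0} {
            if {$auth_pass == 1} {
                # Drop the failed session and the pass marker so that the next
                # request on this connection is authenticated from scratch.
                AUTH::abort $auth_sid
                unset auth_pass
                HTTP::respond 401
            } else {
                reject
            }
            # Stop here: without this, a failed attempt fell through to the
            # second pass or to HTTP::release below.
            return
        }
        if {$auth_pass == 1} {
            # Clear results left over from an earlier attempt on this
            # connection before loading the new ones.
            array unset auth_response_data
            array set auth_response_data [AUTH::response_data]
            set auth_group [lindex [array get auth_response_data ldap:attr:isMemberOf] 1]
            AUTH::abort $auth_sid
            # The group name comes from the directory response and selects the
            # second-pass configuration. Refuse a missing or empty value here;
            # a production rule should also check it against the list of
            # configuration names it expects.
            if {[string length $auth_group] == 0} {
                unset auth_pass
                HTTP::respond 401
                return
            }
            set auth_sid [AUTH::start pam $auth_group]
            AUTH::username_credential $auth_sid $auth_username
            AUTH::password_credential $auth_sid $auth_password
            # Only the status of pass 2 matters, so cancel interest in its
            # query results before authenticating.
            AUTH::unsubscribe $auth_sid
            AUTH::authenticate $auth_sid
            set auth_pass 2
        } else {
            HTTP::release
            set auth_pass 3
        }
    }
}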