AUTH::subscribe

Description

AUTH::subscribe registers interest in auth query results. AUTH::response_data will only return data from query results for which a subscription has been made prior to calling AUTH::authenticate. As a convenience when using the built-in system auth rules, these rules will call AUTH::subscribe if the variable tmm_auth_subscription is set. Instead of calling AUTH::subscribe directly, we recommend setting tmm_auth_subscription to "*" when using the built-in system auth rules in the interest of forward-compatibility. Also see AUTH::unsubscribe.
Examples

The rule below demonstrates how multi-pass auth might be performed. Additional error checking of the group name would be necessary in a production-ready rule.
```tcl
rule multi_pass_auth {
    when HTTP_REQUEST {
        if {not [info exists auth_pass]} {
            # First pass: start a session and subscribe before authenticating,
            # so the query results are later available from AUTH::response_data.
            set auth_sid [AUTH::start pam auth_method_user]
            AUTH::subscribe $auth_sid
            set auth_username [HTTP::username]
            set auth_password [HTTP::password]
            AUTH::username_credential $auth_sid $auth_username
            AUTH::password_credential $auth_sid $auth_password
            AUTH::authenticate $auth_sid
            # Hold the request until AUTH_RESULT releases or rejects it
            # (added so that HTTP::release below has a held request to act on).
            HTTP::collect
            set auth_pass 1
        }
    }
    when AUTH_RESULT {
        if {[AUTH::status] != 1} {
            if {$auth_pass == 1} {
                HTTP::respond 401
            } else {
                reject
            }
            # return added so a failed pass does not fall through into the
            # second-pass branch below.
            return
        }
        if {$auth_pass == 1} {
            # Second pass: pick the next auth profile from a group attribute
            # returned by the first (subscribed) query.
            array set auth_response_data [AUTH::response_data]
            set auth_group [lindex [array get auth_response_data ldap:attr:isMemberOf] 1]
            AUTH::abort $auth_sid
            set auth_sid [AUTH::start pam $auth_group]
            AUTH::username_credential $auth_sid $auth_username
            AUTH::password_credential $auth_sid $auth_password
            AUTH::unsubscribe $auth_sid
            AUTH::authenticate $auth_sid
            set auth_pass 2
        } else {
            # Second pass succeeded: release the held request to the server.
            HTTP::release
            set auth_pass 3
        }
    }
}
```
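The description recommends setting tmm_auth_subscription to "*" instead of calling AUTH::subscribe yourself when the built-in system auth rules are in use. The companion rule below, an added example that is not from the F5 page, shows that route: it sets the variable before the built-in rule runs and then reads the subscribed results in AUTH_RESULT for audit logging. It assumes a built-in auth rule (for example _sys_auth_ldap) is attached to the same virtual server and ordered after this rule, and that the directory returns the ldap:attr:isMemberOf attribute named in the multi-pass example; both are assumptions, not facts stated on the page.

```tcl
# Added example, not the page's or F5's own code.
# Assumes a built-in system auth rule runs after this one on the same
# virtual server and performs the actual AUTH::start / AUTH::authenticate.
rule auth_subscribe_via_builtin {
    when CLIENT_ACCEPTED {
        # With this variable set, the built-in rule calls AUTH::subscribe on
        # the session it starts, so AUTH::response_data is populated later.
        set tmm_auth_subscription "*"
    }
    when HTTP_REQUEST {
        # Capture the username only (never the password) for the audit log.
        set audit_user [HTTP::username]
    }
    when AUTH_RESULT {
        # The built-in rule decides release vs. 401; this handler only records
        # what the subscribed query returned, keyed by the status value.
        array set resp [AUTH::response_data]
        # Attribute key taken from the multi-pass example above; assumed to be
        # present, so its absence is logged rather than treated as an error.
        if {[info exists resp(ldap:attr:isMemberOf)]} {
            log local0. "auth status [AUTH::status] for user $audit_user, groups: $resp(ldap:attr:isMemberOf)"
        } else {
            log local0. "auth status [AUTH::status] for user $audit_user, no isMemberOf attribute returned"
        }
    }
}
```

Keeping the group lookup in a separate rule means the built-in rule is left unmodified, which is the forward-compatibility benefit the description points to; the only coupling is the tmm_auth_subscription variable and the attribute key names in the response.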