ltm rule command AUTH subscribe
iRule(1) BIG-IP TMSH Manual iRule(1)
AUTH::subscribe
Registers interest in auth query results.

SYNOPSIS
AUTH::subscribe AUTH_ID

DESCRIPTION
AUTH::subscribe registers interest in auth query results.
AUTH::response_data will only return data from query results for which
a subscription has been made prior to calling AUTH::authenticate. As a
convenience when using the built-in system auth rules, these rules will
call AUTH::subscribe if the variable tmm_auth_subscription is set.
Instead of calling AUTH::subscribe directly, we recommend setting
tmm_auth_subscription to "*" when using the built-in system auth rules
in the interest of forward-compatibility. Also see AUTH::unsubscribe.

AUTH::subscribe
* Registers interest in auth query results.

RETURN VALUE

VALID DURING

EXAMPLES
The rule below demonstrates how multi-pass auth might be performed.
Additional error checking of the group name would be necessary in a
production-ready rule.

    rule multi_pass_auth {
        when HTTP_REQUEST {
            if {not [info exists auth_pass]} {
                set auth_sid [AUTH::start pam auth_method_user]
                AUTH::subscribe $auth_sid
                set auth_username [HTTP::username]
                set auth_password [HTTP::password]
                AUTH::username_credential $auth_sid $auth_username
                AUTH::password_credential $auth_sid $auth_password
                AUTH::authenticate $auth_sid
                set auth_pass 1
            }
        }
        when AUTH_RESULT {
            if {[AUTH::status] != 1} {
                if {$auth_pass == 1} {
                    HTTP::respond 401
                } else {
                    reject
                }
            }
            if {$auth_pass == 1} {
                array set auth_response_data [AUTH::response_data]
                set auth_group [lindex [array get auth_response_data ldap
                AUTH::abort $auth_sid
                set auth_sid [AUTH::start pam $auth_group]
                AUTH::username_credential $auth_sid $auth_username
                AUTH::password_credential $auth_sid $auth_password
                AUTH::unsubscribe $auth_sid
                AUTH::authenticate $auth_sid
                set auth_pass 2
            } else {
                HTTP::release
                set auth_pass 3
            }
        }
    }
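
The rule above passes a value taken from AUTH::response_data straight to AUTH::start as the name of the second-pass auth configuration. The following is an added example, not part of the BIG-IP manual, of the group-name checking the text calls for: a plain Tcl helper that maps the group to a configuration name through an allowlist. The helper name select_auth_config, the key placeholder in GROUP_KEY and the allowlist entries are assumptions made for illustration.

```tcl
# Added example, plain Tcl. GROUP_KEY and the allowlist entries are
# placeholders, not values from the BIG-IP documentation.

# Return the auth configuration name allowed for the single group found in
# a name/value list shaped like the result of AUTH::response_data.
# Returns "" when the data must not be used to pick a configuration.
proc select_auth_config {response_data group_key allowed_map} {
    # A name/value list must parse as a list with an even element count.
    if {[catch {llength $response_data} n] || $n % 2 != 0} {
        return ""
    }
    # Collect every value under the group key; "array set" would silently
    # keep only the last one if the key is repeated.
    set groups {}
    foreach {name value} $response_data {
        if {$name eq $group_key} {
            lappend groups $value
        }
    }
    # Missing or ambiguous membership is refused, not guessed.
    if {[llength $groups] != 1} {
        return ""
    }
    # Exact-match lookup: the directory-supplied string is only ever a key
    # into the allowlist, never the configuration name itself.
    array set allowed $allowed_map
    set group [lindex $groups 0]
    if {![info exists allowed($group)]} {
        return ""
    }
    return $allowed($group)
}

# Constructed sample data for a stand-alone run with tclsh.
set GROUP_KEY "<group-attribute-key>"
set ALLOWED {staff auth_method_staff contractor auth_method_contractor}
foreach sample [list \
        [list $GROUP_KEY staff] \
        [list $GROUP_KEY "../other_config"] \
        [list $GROUP_KEY staff $GROUP_KEY contractor] \
        [list unrelated value]] {
    set config [select_auth_config $sample $GROUP_KEY $ALLOWED]
    puts [format "%-50s -> %s" $sample [expr {$config eq "" ? "refuse" : $config}]]
}
```

In a rule like the one above, this check would sit between reading AUTH::response_data and the second AUTH::start, with the request refused when the result is empty.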
HINTS
SEE ALSO
CHANGE LOG
@BIGIP-9.0.0 --First introduced the command.
BIG-IP 2017-01-31 iRule(1)