
Determine pool by LDAP lookup group membership...any help appreciated!

SOLVED
New Contributor


Hi,

First time using a Stingray and I need some help with the TrafficScript/Authenticator to determine the pool to send a user to.

Have 2 Stingrays in a cluster.

Pool A is a group of VMware View Security servers at Site A. This is the default pool.

Pool B is a group of VMware View Security servers at Site B.

When a user logs in I need to do a LDAP lookup into Active Directory and determine if they are a member of "SiteA" or "SiteB" group.

I have the STM authenticator setup to point to a domain controller on port 389, with an account that has rights to read all user properties.

Currently any user who is entitled to servers at Site A can log in via Pool A, which indicates the basic load balancing etc. setup is working.

When I tried implementing the TrafficScript and Authenticator to send a user to Pool A or Pool B based on AD group membership it has no effect and the user still ends up connecting to Pool A.

When I look at the Authenticator tab in the STM, it says that no rules are using my authenticator called "AD", even though it is referenced in my script via $authenticator = "AD";

All I want to do is look up the group membership of a user and determine if they are members of SITEA or SITEB and send them to Pool A or Pool B based on the group they are in.

Can someone please shed some light on my problem.

Regards

Clint

2 REPLIES
Contributor

Re: Determine pool by LDAP lookup group membership...any help appreciated!

Can you post your Traffic Script?

New Contributor

Re: Determine pool by LDAP lookup group membership...any help appreciated!

Hi,

I got it working... I went to lunch and the brain had a break, then it all came together.

Script is a bit rough, but it does what I want which is just a test at this point.

The reason it didn't seem to be working was because the script wasn't preceded by the below 2 lines, which meant the user never got to the login screen.

# Credentials passed to the lookup. Left empty in this test script; in real use
# they must hold the user's actual username and password. Never send an empty
# password: an LDAP simple bind with a name and no password is an
# "unauthenticated bind", which some directories answer with success.
$user = '';
$pass = '';

# Query the authenticator named "AD" (the name configured on the STM
# Authenticators page). The rule is only listed as using the authenticator
# once this call is present.
$auth = auth.query( "AD", $user, $pass );

if( $auth['Error'] ) {
   # The authenticator itself failed (e.g. directory unreachable): fail closed.
   log.error( "Error with authenticator 'AD': " . $auth['Error'] );
   connection.discard();
} else if( !$auth['OK'] ) {
   # Credentials rejected: refuse instead of falling through to a pool.
   http.sendResponse( "403 Permission Denied", "text/plain", "Permission Denied", "" );
}

# Choose the pool from the 'group' attribute returned by the authenticator.
# The test script used != here, which inverts the membership test and sends
# SITE_A members to POOL B; == is what was intended. Users in neither group
# stay on the default pool (POOL A).
if( $auth['group'] == "SITE_A" ) {
   pool.use( "POOL A" );
} else if( $auth['group'] == "SITE_B" ) {
   pool.use( "POOL B" );
}
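As an added example (not code from the thread, and written in Python rather than TrafficScript so it can be run offline), here is the same routing decision worked through with the details a production rule has to get right: AD group membership usually comes back as the multi-valued memberOf attribute holding full group DNs, not a bare group name, so the CN is parsed out of each DN on unescaped commas; a user in neither or both site groups gets a deterministic answer; and an authenticator error or rejected login selects no pool instead of falling through to the default. The attribute name, the group CNs SiteA/SiteB, the pool names and the sample user records are all assumptions.

```python
"""Pool selection by AD group membership. Added example; not the thread's code.
Assumes the authenticator returns the user's AD 'memberOf' attribute as
group DNs, pools named "POOL A"/"POOL B" and site groups with CNs SiteA/SiteB.
"""
from typing import Dict, Iterable, List, Optional, Tuple

GROUP_TO_POOL: Dict[str, str] = {"sitea": "POOL A", "siteb": "POOL B"}  # assumed names
DEFAULT_POOL = "POOL A"  # the thread says Pool A is the default pool


def split_rdns(dn: str) -> List[str]:
    """Split a DN into RDNs on unescaped commas.

    RFC 4514 writes a literal comma inside a value as '\\,', so a plain
    dn.split(",") would cut 'CN=Smith\\, Carol,OU=Groups' in the wrong place.
    """
    parts: List[str] = []
    cur: List[str] = []
    i = 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            cur.append(dn[i + 1])  # keep the escaped character literally
            i += 2
            continue
        if ch == ",":
            parts.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
        i += 1
    parts.append("".join(cur).strip())
    return [p for p in parts if p]


def group_cn(dn: str) -> Optional[str]:
    """Lower-cased CN of a group DN (e.g. 'CN=SiteA,OU=Groups,DC=corp,DC=example'),
    or None if the first RDN is not a CN. Comparing the whole DN to 'SiteA'
    would never match, which is why the CN is extracted."""
    rdns = split_rdns(dn)
    if not rdns:
        return None
    attr, sep, value = rdns[0].partition("=")
    if sep and attr.strip().lower() == "cn":
        return value.strip().lower()
    return None


def select_pool(member_of: Iterable[str]) -> Tuple[str, str]:
    """Return (pool, reason). One site group: that pool. None: the default.
    Both: the default, flagged 'ambiguous' so it can be logged and fixed."""
    matched: Dict[str, str] = {}
    for dn in member_of:
        cn = group_cn(dn)
        if cn is not None and cn in GROUP_TO_POOL:
            matched[cn] = GROUP_TO_POOL[cn]
    if len(matched) == 1:
        cn, pool = next(iter(matched.items()))
        return pool, "member of " + cn
    if not matched:
        return DEFAULT_POOL, "no site group; default pool"
    return DEFAULT_POOL, "ambiguous: member of " + ", ".join(sorted(matched))


def route(auth: Dict) -> Tuple[Optional[str], str]:
    """Mirror of the rule's control flow over an auth.query()-style result
    (assumed shape: {'OK': bool, 'Error': str, 'memberOf': list or str}).
    Fails closed: an error or a rejected login selects no pool at all."""
    if auth.get("Error"):
        return None, "authenticator error: " + str(auth["Error"])
    if not auth.get("OK"):
        return None, "403 Permission Denied"
    groups = auth.get("memberOf") or []
    if isinstance(groups, str):  # a single-valued attribute may arrive as a bare string
        groups = [groups]
    return select_pool(groups)


# Constructed sample authenticator results; not real directory data.
SAMPLE_AUTH: Dict[str, Dict] = {
    "alice": {"OK": True, "Error": "", "memberOf": [
        "CN=View Users,OU=Groups,DC=corp,DC=example",
        "CN=SiteA,OU=Groups,DC=corp,DC=example"]},
    "bob": {"OK": True, "Error": "", "memberOf": "CN=SiteB,OU=Groups,DC=corp,DC=example"},
    "carol": {"OK": True, "Error": "", "memberOf": [
        "CN=Smith\\, Carol Team,OU=Groups,DC=corp,DC=example"]},
    "dave": {"OK": True, "Error": "", "memberOf": [
        "CN=SiteA,OU=Groups,DC=corp,DC=example",
        "CN=SiteB,OU=Groups,DC=corp,DC=example"]},
    "eve": {"OK": False, "Error": "", "memberOf": []},
    "mallory": {"OK": False, "Error": "Can't contact LDAP server", "memberOf": []},
}

if __name__ == "__main__":
    for user, result in SAMPLE_AUTH.items():
        pool, reason = route(result)
        print(f"{user:8s} -> {pool or 'no pool'}: {reason}")
```

The equivalent change in the TrafficScript rule is to read the group DNs from the attribute the authenticator is configured to return and compare the extracted CN, rather than comparing a single attribute value against a bare group name, and to keep the error and not-OK branches terminating before any pool.use() call.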