For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

TimRiker's avatar
TimRiker
Icon for Cirrocumulus rankCirrocumulus
Dec 13, 2022

APM LDAP by path

I'm trying to figure out a means to allow different LDAP query limits for different paths on the same server. https://example.com/italyonly/ - co=it https://example.com/groupFoo/ user in in group=...
devops
security
Lucas_Thompson's avatar
Lucas_Thompson
Icon for Employee rankEmployee
Dec 14, 2022

There is a BIG-IP sys db variable that controls this escaping behavior of APM session variables sent to an LDAP query function in APM: apm.ldap.autoescape

To change it from the CLI,

tmsh modify sys db apm.ldap.autoescape value disable
tmsh save sys db

 

TimRiker's avatar
TimRiker
Icon for Cirrocumulus rankCirrocumulus
Dec 14, 2022

That looks exactly like what I want, but unfortunately it does not seem to work.

Is there anything else I need to do? With this changed and saved, restarted tmm, failed over to another node, failed back, db entry is "disabled" as shown:

tmsh list sys db apm.ldap.autoescape one-line
sys db apm.ldap.autoescape { value "disable" }

And SearchFilter set to something like:

(&(cn=%{session.oauth.client.last.id_token.cn})(%{session.ldapsearch}))

I still get errors like:

2022-12-13T20:33:35.393-07:00 xxxx warning apmd[8859]: 01490233:4: /Common/access_xxxx:Common:895b427c: LDAP Module: Cannot find any object in search DN 'ou=people,o=org' matching filter '(&(cn=something)(field=\2a))'

when session.ldapsearch = "field=*"

Running BIG-IP 15.1.5.1