Forum Discussion

TimRiker's avatar
TimRiker
Icon for Cirrocumulus rankCirrocumulus
Dec 13, 2022

APM LDAP by path

I'm trying to figure out a means to allow different LDAP query limits for different paths on the same server. https://example.com/italyonly/ - co=it https://example.com/groupFoo/ user in in group=...
devops
security
TimRiker's avatar
TimRiker
Icon for Cirrocumulus rankCirrocumulus
Dec 14, 2022

I added this in my iRule.

ACCESS::session data set session.ldapsearch "\\66\\69\\65\\6C\\64\\3D\\2A"
catch {log local0. "sls=[ACCESS::session data get session.ldapsearch]"}

Output:

2022-12-14T11:20:24.600-07:00 <f5> info tmm1[12587]: Rule /Common/<vip> <ACCESS_POLICY_AGENT_EVENT>: sls=\66\69\65\6C\64\3D\2A

however, I get this:

2022-12-14T11:20:25.517-07:00 <f5> err apmd[5091]: 01490235:3: /Common/<access policy>:Common:6c31ab75: LDAP Module: Failed to make ldap_search in '<search dn>' with filter '(&(<user filter>)(\5c66\5c69\5c65\5c6C\5c64\5c3D\5c2A))' and scope '2'. Bad search filter.

The entries in <> are redacted. The "\5c66\5c69\5c65\5c6C\5c64\5c3D\5c2A" here is the search, which, as you can see, is still expanded from "\66\69\65\6C\64\3D\2A". So escaping it in the iRule and session variable, means it gets double-escaped in the ldap search.

I rebooted the F5 and failed it back to primary before running this test. The db entry is still set:

# tmsh list sys db apm.ldap.autoescape one-line
sys db apm.ldap.autoescape { value "disable" }

redacted details:

# tmsh list apm policy agent aaa-ldap /Common/<policy>_act_ldap_query_ag
apm policy agent aaa-ldap <policy>_act_ldap_query_ag {
    filter "(&(<id>=%{session.oauth.client.last.id_token.<idname>})(%{session.ldapsearch}))"
    search-dn <searchdn>
    server <ldap>
    show-extended-error true
    type query
}

 Thoughts?

TimRiker's avatar
TimRiker
Icon for Cirrocumulus rankCirrocumulus
Dec 14, 2022

Putting the entire search in via the irule and setting SearchFilter to %{session.ldapsearch} also gets escaped. Using this set:

ACCESS::session data set session.ldapsearch "(&(<id>=[ACCESS::session data get session.oauth.client.last.id_token.<id name>])(field=*))"
catch {log local0. "sls=[ACCESS::session data get session.ldapsearch]"}

Logs correctly:

2022-12-14T11:38:57.390-07:00 <f5> info tmm[12587]: Rule /Common/<rule> <ACCESS_POLICY_AGENT_EVENT>: sls=(&(<id>=<user id>)(field=*))

Redacted output:

2022-12-14T11:38:57.400-07:00 <f5> err apmd[5091]: 01490235:3: /Common/<policy>:Common:1bda35bc: LDAP Module: Failed to make ldap_search in '<searchdn>' with filter '\28&\28<id>=<user id>\29\28field=\2a\29\29' and scope '2'. Bad search filter.