Forum Discussion
Can you query an LDAP group for its members in an iRule?
I'm trying to build the logic into an iRule to take an action when CLIENT_ACCEPTED = true for a member of an AD / LDAP group.
3 Replies
- Vijay_E
Cirrus
- THi
Nimbostratus
If you have APM provisioned/licensed, you could fairly easily build an access policy with the VPE (Visual Policy Editor) to check the machine info, make an LDAP or AD query for group membership, and then assign the proper pool resource based on the query result, possibly without any iRule involved. Is the client "human" or a machine (i.e. a client application) in your case?
- Nikolay_Matveev
Nimbostratus
If I understood correctly, the author of the question said that he wanted to make a load balancing decision based on the AD group membership of the connecting computer, and to do so on CLIENT_ACCEPTED, which happens before the APM policy is invoked...
If low performance is not a big issue for the author then, I guess, he could find out the computer name via [RESOLV::lookup] and then run a sideband AD/LDAP query using this name and ACCESS::policy evaluate. It seems possible...
The obvious prerequisites would be the presence of DNS PTR records for the connecting computers and the APM module being licensed on the BIG-IP box.
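A sketch of the approach described in the last reply, added here as an example and not code posted by anyone in the thread. It assumes a hypothetical access profile `/Common/machine_group_check` whose policy runs an AD Query keyed on the custom variable `session.custom.machine_name`, hypothetical pool and group names, and a DNS server at the constructed address 10.0.0.53; whether each command is permitted in CLIENT_ACCEPTED on a given TMOS version is also an assumption to check against the iRules reference.

```tcl
when CLIENT_ACCEPTED {
    # Anything that cannot be positively identified stays on the default pool.
    set target_pool "pool_default"

    # 1. Reverse-resolve the client IP (requires PTR records, as the reply notes).
    #    10.0.0.53 is a constructed resolver address.
    set ptr [lindex [RESOLV::lookup @10.0.0.53 -ptr [IP::client_addr]] 0]
    if { $ptr eq "" } {
        log local0.notice "no PTR for [IP::client_addr], using $target_pool"
        pool $target_pool
        return
    }

    # Keep only the short host name and validate it before it is placed in
    # an LDAP search filter: a PTR answer is data from DNS, not a credential.
    set machine [string toupper [lindex [split $ptr "."] 0]]
    if { ![regexp {^[A-Z0-9-]{1,15}$} $machine] } {
        log local0.warning "unexpected PTR value for [IP::client_addr]"
        pool $target_pool
        return
    }

    # 2. Evaluate the access policy out of band with a short-lived session.
    #    AD computer accounts carry a trailing dollar sign in sAMAccountName.
    set sid [ACCESS::session create -timeout 60 -lifetime 60]
    ACCESS::policy evaluate -sid $sid -profile /Common/machine_group_check \
        session.custom.machine_name "${machine}\$"

    # 3. Read the memberOf attribute the AD Query stored in the session.
    #    CN=KioskMachines is a hypothetical group name.
    if { [ACCESS::policy result -sid $sid] eq "allow" } {
        set groups [ACCESS::session data get -sid $sid "session.ad.last.attr.memberOf"]
        if { [string match -nocase "*CN=KioskMachines,*" $groups] } {
            set target_pool "pool_kiosk"
        }
    }

    pool $target_pool
}
```

The resulting pool choice is only as trustworthy as the reverse DNS zone, so it suits traffic steering rather than access control.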