Forum Discussion
Client IP address logging on failed LDAP authentication
I need to write an iRule which tracks the authentication failures from Active Directory. I was trying to use the AUTH_FAILURE event, but it gives me the error "requires an associated AUTH profile on the virtual server". Is there any other way to get the client IP address? Also, an HTTP profile is not enabled on the server. Any help is greatly appreciated.
3 Replies
- Kevin_Stewart
Employee
This depends on how you're using LDAP. The AUTH_* events are a remnant of the old Advanced Client Authentication (ACA) module, and are not used on newer platforms. Are you load balancing LDAP? Performing LDAP auth with the Access Policy Manager (APM) module? LDAP auth to the BIG-IP management GUI?
- Hamish
Cirrocumulus
There's an iRule in codeshare that parses out and logs/counts LDAP traffic stats. You could modify that.
Check out -> LDAP Stats Measure
and also LDAP Measure Reporting
The iRules may be a bit more than you need. It was written when I was doing some work for DB by myself and a consultant from F5. The aim was to measure response times and dispatch connections by user to pools of differing priorities...
The one you want to look at most is LDAP Stats Measure. It's the one that parses out the LDAP messages and should provide the information you require (along with a bit more). H
- Kevin_Stewart
Employee
I would concur on the point that anything you do in iRules is going to be more than you expected. LDAP is a binary protocol, so to be able to see inside an LDAP packet that you're proxying, you have to do some binary manipulation - not fun. Also, take a look at this "LDAP proxy" iRule. At the very least it'll give you a sense of the complexity.
https://devcentral.f5.com/wiki/iRules.LDAPProxy.ashx
Of course, depending on your environment, you could potentially offload that LDAP auth to the F5 via the APM module, which would give you much greater visibility into the LDAP process itself.
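The "binary manipulation" both replies refer to is a walk over BER-encoded LDAP messages (RFC 4511): the failed bind the original poster wants to log is a BindResponse whose resultCode is non-zero (49, invalidCredentials, for a bad password). The following Python is an added example written for this thread; it is not code from the original posts, from the codeshare iRules, or from the LDAP proxy iRule linked above. It decodes BindResponse PDUs with a minimal BER reader and counts failures per client IP. It assumes the caller supplies the client IP alongside each server-to-client PDU (in an iRule that would come from the client-side connection, e.g. `IP::client_addr`, since the PDU itself does not carry it). All sample PDUs are constructed by the encoder in the file, not captured traffic, and the diagnostic strings are constructed placeholders rather than real Active Directory messages.

```python
"""Decode LDAP BindResponse PDUs (RFC 4511, BER) and count failed binds per client IP.

Added example for this thread; not from the original posts or the codeshare iRules.
Sample PDUs are constructed with the encoder below, not captured from a directory.
"""

# BER/LDAP tag bytes used here (class bits | constructed bit | tag number)
TAG_SEQUENCE = 0x30       # UNIVERSAL 16, constructed: wraps every LDAPMessage
TAG_INTEGER = 0x02
TAG_ENUMERATED = 0x0A
TAG_OCTET_STRING = 0x04
TAG_BIND_REQUEST = 0x60   # [APPLICATION 0], constructed
TAG_BIND_RESPONSE = 0x61  # [APPLICATION 1], constructed

# Subset of LDAP resultCode values (RFC 4511); any non-zero code is a failed bind
RESULT_NAMES = {0: "success", 8: "strongerAuthRequired", 48: "inappropriateAuthentication",
                49: "invalidCredentials", 50: "insufficientAccessRights"}


def read_tlv(buf, offset):
    """Read one BER element at buf[offset]; returns (tag, value_bytes, offset_after)."""
    if offset + 2 > len(buf):
        raise ValueError("truncated BER header")
    tag = buf[offset]
    first = buf[offset + 1]
    pos = offset + 2
    if first < 0x80:                      # short-form length: one octet
        length = first
    else:                                 # long-form: 0x80 | number of length octets
        n = first & 0x7F
        if n == 0 or n > 4:
            raise ValueError("unsupported BER length encoding")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated BER element")
    return tag, buf[pos:end], end


def encode_tlv(tag, value):
    """Inverse of read_tlv; used only to construct sample PDUs for this example."""
    if len(value) < 0x80:
        return bytes([tag, len(value)]) + value
    length_bytes = len(value).to_bytes((len(value).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(length_bytes)]) + length_bytes + value


def parse_bind_response(pdu):
    """Decode one LDAPMessage; returns a dict for a BindResponse, None for any other protocolOp."""
    tag, body, _ = read_tlv(pdu, 0)
    if tag != TAG_SEQUENCE:
        raise ValueError("LDAPMessage must be a SEQUENCE")
    tag, msg_id, pos = read_tlv(body, 0)
    if tag != TAG_INTEGER:
        raise ValueError("messageID must be an INTEGER")
    op_tag, op_body, _ = read_tlv(body, pos)
    if op_tag != TAG_BIND_RESPONSE:
        return None
    # LDAPResult: resultCode ENUMERATED, matchedDN LDAPDN, diagnosticMessage LDAPString, ...
    tag, result_code, pos = read_tlv(op_body, 0)
    if tag != TAG_ENUMERATED:
        raise ValueError("resultCode must be an ENUMERATED")
    _, matched_dn, pos = read_tlv(op_body, pos)
    _, diagnostic, _ = read_tlv(op_body, pos)
    code = int.from_bytes(result_code, "big", signed=True)
    return {"messageID": int.from_bytes(msg_id, "big", signed=True),
            "resultCode": code, "resultName": RESULT_NAMES.get(code, "other"),
            "matchedDN": matched_dn.decode("utf-8", "replace"),
            "diagnosticMessage": diagnostic.decode("utf-8", "replace")}


def build_bind_response(message_id, result_code, diagnostic=b""):
    """Construct a BindResponse PDU (sample data only; codes and IDs < 128 keep it one octet)."""
    op = (encode_tlv(TAG_ENUMERATED, bytes([result_code]))
          + encode_tlv(TAG_OCTET_STRING, b"")          # matchedDN, empty
          + encode_tlv(TAG_OCTET_STRING, diagnostic))  # diagnosticMessage
    return encode_tlv(TAG_SEQUENCE,
                      encode_tlv(TAG_INTEGER, bytes([message_id])) + encode_tlv(TAG_BIND_RESPONSE, op))


def count_bind_failures(responses):
    """responses: iterable of (client_ip, server_to_client_pdu); returns {client_ip: failures}.
    The client IP is not inside the PDU: a proxy takes it from the client-side connection
    and carries it next to each server response, as this input does."""
    failures = {}
    for client_ip, pdu in responses:
        parsed = parse_bind_response(pdu)
        if parsed is None or parsed["resultCode"] == 0:
            continue
        failures[client_ip] = failures.get(client_ip, 0) + 1
    return failures


# Constructed sample: two failed binds from one client, one success, one failure from another
SAMPLE_RESPONSES = [
    ("192.0.2.10", build_bind_response(1, 49, b"constructed diagnostic: invalid credentials")),
    ("192.0.2.10", build_bind_response(2, 49, b"constructed diagnostic: invalid credentials")),
    ("192.0.2.20", build_bind_response(1, 0)),
    ("192.0.2.30", build_bind_response(3, 49, b"constructed diagnostic: invalid credentials")),
]

if __name__ == "__main__":
    for ip, n in count_bind_failures(SAMPLE_RESPONSES).items():
        print(f"{ip}: {n} failed bind(s)")
```

The reader only handles single-octet tags and lengths of up to four octets, which covers every LDAP operation tag and any realistic bind response; it raises on truncated input rather than guessing, which is the behaviour you want when a proxy sees a partial segment. On a BIG-IP the same walk would be done in Tcl with `binary scan`, which is the complexity the replies above are warning about.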