Forum Discussion
F5 LTM virtual server with dual LDAP sources using LDAP Proxy iRule
Hi SysTopher,
sounds promising so far...
regarding 1.) you may use a Wireshark capture to find out. A simple Bind always contains clear-text credentials. So if you see your username and password on LDAP (without S) on port 389, then it would be a "simple" Bind authentication...
regarding 2.) If the usernames do have a fixed notation, then it could be possible to just parse the initial bind request for certain domain strings and then issue a [pool] command to select the LDAP instance. In this case you don't even have to dig into the LDAP opcodes. It would then require a very simple iRule to pull off the trick... (I guess less than 20 lines)
regarding 3.) is it really pure authentication (aka validating the user credentials) or do you need to resolve group memberships (aka authorizing the users)? If the latter is the case, are the different LDAPs sharing a unified base name for the lookups or at least having an identical Base-DN length? I'm asking since I dunno if LDAP opcodes are always taking care of the field length or if LDAP uses fixed limiters here and there. I'm just preparing for the worst... 😉
regarding 4.) it's not that important for the final solution. Pure LDAP is just easier to analyse... ;-D
Cheers, Kai
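As an added illustration of points 1 and 2 above (not code from the thread or from F5): a minimal decoder for an LDAP BindRequest (RFC 4511 BER layout) that shows why a simple bind carries the password readable on port 389, and maps the bind DN's trailing domain components to a pool name the way the proposed iRule would with [pool]. The DNs, pool names and the `suffix_to_pool` mapping are constructed for the example; the BER helper only handles the short length form (under 128 bytes), which is enough for a typical bind.

```python
# Added example, not from the original discussion. Assumes LDAPv3 BindRequest
# framing per RFC 4511; only short-form BER lengths are handled here.

def tlv(tag: int, body: bytes) -> bytes:
    """Encode one BER element (short length form only)."""
    assert len(body) < 128, "long-form lengths not handled in this demo"
    return bytes([tag, len(body)]) + body

def build_simple_bind(msg_id: int, dn: str, password: str) -> bytes:
    """Construct an LDAPMessage carrying a BindRequest with simple auth."""
    bind = (tlv(0x02, bytes([3]))            # version 3
            + tlv(0x04, dn.encode())          # name (bind DN)
            + tlv(0x80, password.encode()))   # [0] simple: clear-text password
    return tlv(0x30, tlv(0x02, bytes([msg_id])) + tlv(0x60, bind))

def read_tlv(buf: bytes, pos: int):
    """Return (tag, value, next_pos) for the BER element starting at pos."""
    tag, length = buf[pos], buf[pos + 1]
    assert length < 128, "long-form lengths not handled in this demo"
    start = pos + 2
    return tag, buf[start:start + length], start + length

def parse_bind(msg: bytes) -> dict:
    """Pull message id, version, bind DN and auth method from a BindRequest."""
    tag, body, _ = read_tlv(msg, 0)
    assert tag == 0x30, "not an LDAPMessage SEQUENCE"
    _, msg_id, pos = read_tlv(body, 0)
    tag, bind, _ = read_tlv(body, pos)
    assert tag == 0x60, "not a BindRequest ([APPLICATION 0])"
    _, version, pos = read_tlv(bind, 0)
    _, name, pos = read_tlv(bind, pos)
    auth_tag, _, _ = read_tlv(bind, pos)
    # [0] simple = password travels in clear on plain 389; [3] = SASL exchange
    method = {0x80: "simple", 0xA3: "sasl"}.get(auth_tag, "unknown")
    return {"message_id": msg_id[0], "version": version[0],
            "dn": name.decode(), "method": method,
            "credential_in_clear": method == "simple"}

def select_pool(dn: str, suffix_to_pool: dict, default: str) -> str:
    """Choose a pool by the DN's trailing domain components (the iRule idea)."""
    for suffix, pool in suffix_to_pool.items():
        if dn.lower().endswith(suffix.lower()):
            return pool
    return default
```

On the BIG-IP the same suffix match would sit in a CLIENT_DATA or LDAP-aware event and end in `pool <name>`; here the mapping is a plain dict so it can be run and checked offline.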