F5 LTM virtual server with dual LDAP sources using LDAP Proxy iRule
SysTopher (Nimbostratus), Jan 20, 2016
Hey everyone,
I'm looking to set up an LDAP virtual server, but I need it to be able to check against two different domain LDAP sources. We have two domains and users who need to access an app...
Kai_Wilke (MVP), Jan 22, 2016
Hi SysTopher,
Did a quick test in my lab using Wireshark, LDAP Admin and some existing hex replacement iRules.
Here are my results...
- It seems to be possible to make a simple routing decision on the initial LDAP bind using a well-known username suffix/prefix pattern. It's plain ASCII...
- It seems to be possible to simply hex replace the Base-DN, but only as long as the input and output Base-DN names have the same length.
- It seems to be possible to pad as many SPACE characters as needed into the Base-DN translation to maintain the same Base-DN length (e.g. app using "DC=itacs,DC=net" and F5 translating to "DC=itacs, DC=de").
- It seems to be possible to hex translate just the initial Base-DN search. Well, at least my LDAP client didn't complain that the Base-DN had entirely changed for the retrieved results. It even followed the provided referrals to the original Base-DN.
It shouldn't be that complicated to wrap my test snippets into a PoC iRule for further testing. Give me a few days... it's the weekend now.. 😉
Cheers, Kai
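As an added example (mine, not code from the thread or from F5), here are the byte-level mechanics behind Kai's findings in Python rather than iRule Tcl, so they can be run offline. It encodes an LDAPv3 BindRequest and SearchRequest in BER, extracts the plain-ASCII bind name to make the pool routing decision, and then performs the same-length Base-DN substitution with space padding, with a check showing that a substitution of a different length leaves the outer BER length field wrong. The pool names, the domain patterns, and the ASCII-only DNs are assumptions for illustration.

```python
import re
# Added example, not code from the thread or from F5. Pool names, domain
# patterns and the ASCII-only DNs are assumptions for illustration.

ROUTING = [                      # (regex on bind name, pool) - assumed values
    (r"@itacs\.de$", "pool_ldap_de"),
    (r"^ITACSDE\\", "pool_ldap_de"),
    (r"@itacs\.net$", "pool_ldap_net"),
]
DEFAULT_POOL = "pool_ldap_net"

def ber_encode(tag, value):
    """Tag + short-form length + value (all requests built here are < 128 bytes)."""
    assert len(value) < 0x80, "long-form length not needed for these requests"
    return bytes([tag, len(value)]) + value

def ber_tlv(buf, pos):
    """Decode the TLV at buf[pos] -> (tag, value, position after it)."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, vpos = first, pos + 2
    else:                                      # long-form length, as real servers send
        n = first & 0x7F
        length, vpos = int.from_bytes(buf[pos + 2:pos + 2 + n], "big"), pos + 2 + n
    return tag, buf[vpos:vpos + length], vpos + length

def ldap_message(msg_id, op_tag, op):
    """LDAPMessage ::= SEQUENCE { messageID INTEGER, protocolOp }"""
    return ber_encode(0x30, ber_encode(0x02, bytes([msg_id])) + ber_encode(op_tag, op))

def build_bind_request(msg_id, name, password):
    """[APPLICATION 0] BindRequest { version 3, name, [0] simple password }"""
    return ldap_message(msg_id, 0x60, ber_encode(0x02, b"\x03")
                        + ber_encode(0x04, name.encode())
                        + ber_encode(0x80, password.encode()))

def build_search_request(msg_id, base_dn):
    """[APPLICATION 3] SearchRequest, subtree scope, filter (objectClass=*)"""
    return ldap_message(msg_id, 0x63, ber_encode(0x04, base_dn.encode())
                        + ber_encode(0x0A, b"\x02") + ber_encode(0x0A, b"\x00")  # scope, deref
                        + ber_encode(0x02, b"\x00") + ber_encode(0x02, b"\x00")  # size, time
                        + ber_encode(0x01, b"\x00")                              # typesOnly
                        + ber_encode(0x87, b"objectClass")                       # [7] present
                        + ber_encode(0x30, b""))                                 # attributes

def protocol_op(pkt):
    _, msg, _ = ber_tlv(pkt, 0)                # outer SEQUENCE
    _, _, pos = ber_tlv(msg, 0)                # skip messageID
    tag, op, _ = ber_tlv(msg, pos)
    return tag, op

def parse_bind_name(pkt):
    """Plain-ASCII bind name from a BindRequest, None for any other op."""
    tag, op = protocol_op(pkt)
    if tag != 0x60:
        return None
    _, _, pos = ber_tlv(op, 0)                 # skip version
    name_tag, name, _ = ber_tlv(op, pos)
    return name.decode() if name_tag == 0x04 else None

def parse_search_base(pkt):
    """baseObject DN from a SearchRequest, None for any other op."""
    tag, op = protocol_op(pkt)
    if tag != 0x63:
        return None
    base_tag, base, _ = ber_tlv(op, 0)
    return base.decode() if base_tag == 0x04 else None

def choose_pool(bind_name):
    """Routing decision on the bind name; unmatched names go to the default."""
    for pattern, pool in ROUTING:
        if bind_name and re.search(pattern, bind_name, re.IGNORECASE):
            return pool
    return DEFAULT_POOL

def well_formed(pkt):
    """True if the outer SEQUENCE length matches the bytes actually present."""
    return ber_tlv(pkt, 0)[2] == len(pkt)

def pad_dn(new_dn, target_len):
    """Pad with spaces after the first RDN separator ('DC=itacs, DC=de')."""
    k = new_dn.find(",") + 1 or len(new_dn)    # no separator: pad at the end
    return new_dn[:k] + " " * (target_len - len(new_dn)) + new_dn[k:]

def translate_dn(pkt, old_dn, new_dn):
    """Byte-level Base-DN substitution the way a hex-replace iRule does it:
    no BER length is recomputed, so the replacement must be exactly as long."""
    old, new = old_dn.encode(), new_dn.encode()
    if len(new) > len(old):
        raise ValueError("replacement DN is longer: BER lengths would break")
    return pkt.replace(old, pad_dn(new_dn, len(old)).encode())

def demo():
    """Route a .de bind, then rewrite the app's .net Base-DN in a search."""
    pool = choose_pool(parse_bind_name(build_bind_request(1, "user@itacs.de", "secret")))
    search = build_search_request(2, "DC=itacs,DC=net")
    rewritten = translate_dn(search, "DC=itacs,DC=net", "DC=itacs,DC=de")
    return pool, parse_search_base(rewritten), well_formed(rewritten)
```

The `well_formed` check is the caveat behind the "same length" finding: an iRule that hex-replaces bytes in the TCP payload does not recompute any of the nested BER lengths, so a shorter or longer DN leaves the outer SEQUENCE claiming more or fewer bytes than are on the wire. The space-padding trick relies on the target directory tolerating whitespace after the RDN separator, which is worth confirming against each backend before relying on it.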