Forum Discussion
chungyu_16122
Altostratus
AltostratusiRule for Start TLS
Hi all, we are implementing the cisco UCS on our network and to speak with the Windows AD, the the servers are load balanced but the start TLS on port 389 is not working. I have found a sample start TLS irule for SMTP, but do not know how to make it work for ldap.
Has anyone had experience with this to date?
Thanks in advance.
Chung
when CLIENT_ACCEPTED {
set ehlo 0
SSL::disable
}
when SERVER_CONNECTED {
TCP::collect
}
when CLIENT_DATA {
set lcpayload [string tolower [TCP::payload]]
if { $lcpayload starts_with "ehlo" } {
set ehlo 1
serverside { TCP::collect }
TCP::release
TCP::collect
} elseif { $lcpayload starts_with "starttls" } {
TCP::respond "220 Ready to start TLS\r\n"
TCP::payload replace 0 [TCP::payload length] ""
TCP::release
SSL::enable
} else {
TCP::release
}
}
when SERVER_DATA {
if { $ehlo == 1 and not([string tolower [TCP::payload]] contains "starttls") } {
TCP::payload replace 0 0 "250-STARTTLS\r\n"
}
TCP::release
clientside { TCP::collect }
}
Nat_ThirasuttakornEmployee
Hi Chungyu,
I am curious in your implementation. does the LDAP client send starttls request in the first packet or after BIND process?
it would be nice if you can post the packet trace :)
Nat- Nat_Thirasuttakornoh, if you post packet trace information, please make sure it contains no sensitive data ;)
Nat 
chungyu_16122Hi Nat
Thanks for the reply, I will need to work on a trace, the Cisco UCS setup is not done by my team, i will get that from them .
Chung