Sep 28, 2010

LDAP attribute based LB

I am trying to create an iRule to do LDAP attribute based LB using v10.2.



The issue I am facing seems to be obtaining the LDAP attribute in the iRule.

Below is a sample script I created, but the "log local0." lines don't output any valuable characters in /var/log/ltm. Also, the value of 'log local0. "[array size [AUTH::response_data]]"' is always "0".

HTTP basic authentication with the LDAP server works correctly using auth profiles, regardless of whether this iRule is used. Additionally, according to a tcpdump on the server, the LDAP server returns the attributes to BIG-IP correctly.

Could you share a solution with me if you have one?





    when RULE_INIT {
        set tmm_auth_subscription "*"
    }

    # Event header assumed: AUTH::status and AUTH::response_data are valid in AUTH_RESULT
    when AUTH_RESULT {
        # AUTH::response_data returns a flat key/value list, loaded into an array here
        array set auth_response_data [AUTH::response_data]
        log local0. [AUTH::status]
        # array size takes the array name, not the list returned by AUTH::response_data
        log local0. "[array size auth_response_data]"
        log local0. "[lindex [array get auth_response_data] 2]"
        # array get with a pattern returns {name value}; the value is at index 1
        set ldap_group [lindex [array get auth_response_data ldap:attr:uid] 1]
        log local0. "$ldap_group"
    }


    ltm auth ldap auth-ldap {
        bind-dn cn=admin,dc=example,dc=com
        bind-pw admin
        bind-timeout 30
        check-host-attr disabled
        debug enabled
        filter none
        group-dn none
        group-member-attribute none
        idle-timeout 3600
        ignore-auth-info-unavail no
        ignore-unknown-user disabled
        login-attribute none
        partition Common
        port ldap
        scope sub
        search-base-dn dc=example,dc=com
        search-timeout 30
        servers { }
        ssl disabled
        ssl-ca-cert-file none
        ssl-check-peer disabled
        ssl-ciphers none
        ssl-client-cert none
        ssl-client-key none
        user-template none
        version 3
        warnings enabled
    }


  • Hi Takahiro,

    I haven't looked much at the default auth rules in 10.2, but I think the issue might be that tmm_auth_subscription is being set in RULE_INIT. All variables declared in RULE_INIT will be global in scope. Can you change the iRule event from RULE_INIT to CLIENT_ACCEPTED:

            set tmm_auth_subscription "*"

    From the /config/bigip_base.conf:

        These auth profile default rules can be optionally configured to subscribe
        to out-of-band auth response data (obtained via AUTH::response_data).
        Subscriptions are enabled by setting the variable tmm_auth_subscription
        prior to system auth rule invoking AUTH::start call, e.g.,

            set tmm_auth_subscription "*"

        It is recommended to set this variable to "*". Although the value of
        tmm_auth_subscription is not used at this time, it is anticipated that
        it will eventually be passed as a parameter to AUTH::subscribe once
        that function supports subscription-matching based on regular expressions.

  • It worked as expected once I changed my iRule event from RULE_INIT to CLIENT_ACCEPTED. I didn't think to look at bigip_base.conf....

    Thank you very much.





  • Hi Takahiro,



    This description is also listed on the AUTH::response_data wiki page. I updated the page to make it more clear that tmm_auth_subscription needs to be set as a local variable--not a global one.