Forum Discussion
Takahiro_M_3645
Sep 28, 2010
Historic F5 Account
LDAP attribute based LB
I am trying to create an iRule to do LDAP attribute based LB using v10.2.
The issue I am facing seems to be obtaining the LDAP attribute in the iRule.
Below is a sample script I created, but the "log local0." lines don't output any valuable characters in /var/log/ltm. Also, the value of 'log local0. "[array size [AUTH::response_data]]"' is always "0".
HTTP basic authentication with the LDAP server works correctly using auth profiles, regardless of whether this iRule is applied. Additionally, according to a tcpdump on the server, the LDAP server returns the attributes to the BIG-IP correctly.
Could you share a solution with me if you have one?
---------------
when RULE_INIT {
    # Variables set in RULE_INIT are global in scope; the system auth rule
    # looks for tmm_auth_subscription in the connection's own scope
    set tmm_auth_subscription "*"
}
when AUTH_RESULT {
    # AUTH::response_data returns a flat key/value list; load it into an array
    array set auth_response_data [AUTH::response_data]
    log local0. [AUTH::status]
    # array size takes the array name, not the list returned by AUTH::response_data
    log local0. "[array size auth_response_data]"
    log local0. "[lindex [array get auth_response_data] 2]"
    # array get returns {key value}, so index 1 is the attribute value
    set ldap_group [lindex [array get auth_response_data ldap:attr:uid] 1]
    log local0. "$ldap_group"
}
---------------
---------------
ltm auth ldap auth-ldap {
bind-dn cn=admin,dc=example,dc=com
bind-pw admin
bind-timeout 30
check-host-attr disabled
debug enabled
filter none
group-dn none
group-member-attribute none
idle-timeout 3600
ignore-auth-info-unavail no
ignore-unknown-user disabled
login-attribute none
partition Common
port ldap
scope sub
search-base-dn dc=example,dc=com
search-timeout 30
servers { 10.100.4.201 }
ssl disabled
ssl-ca-cert-file none
ssl-check-peer disabled
ssl-ciphers none
ssl-client-cert none
ssl-client-key none
user-template none
version 3
warnings enabled
}
---------------
3 Replies
- hoolio
Cirrostratus
Hi Takahiro,
I haven't looked much at the default auth rules in 10.2, but I think the issue might be that tmm_auth_subscription is being set in RULE_INIT. All variables declared in RULE_INIT will be global in scope. Can you change the iRule event from RULE_INIT to CLIENT_ACCEPTED:
when CLIENT_ACCEPTED {
set tmm_auth_subscription "*"
}
From the /config/bigip_base.conf:
These auth profile default rules can be optionally configured to subscribe
to out-of-band auth response data (obtained via AUTH::response_data).
Subscriptions are enabled by setting the variable tmm_auth_subscription
prior to system auth rule invoking AUTH::start call, e.g.,
when CLIENT_ACCEPTED {
set tmm_auth_subscription "*"
}
It is recommended to set this variable to "*". Although the value of
tmm_auth_subscription is not used at this time, it is anticipated that
it will eventually be passed as a parameter to AUTH::subscribe once
that function supports subscription-matching based on regular expressions.
Aaron
- Takahiro_M_3645
Historic F5 Account
It worked as expected once I changed my iRule event from RULE_INIT to CLIENT_ACCEPTED. I hadn't thought to look at bigip_base.conf....
Thank you very much.
Takahiro
- hoolio
Cirrostratus
Hi Takahiro,
This description is also listed on the AUTH::response_data wiki page. I updated the page to make it clearer that tmm_auth_subscription needs to be set as a local variable, not a global one.
Aaron
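A corrected version of the rule, as an added example (it is not the poster's iRule and not F5's default system auth rule): it sets tmm_auth_subscription in CLIENT_ACCEPTED as the thread concludes, loads the attributes in AUTH_RESULT, reads the ldap:attr:uid key used in the thread by direct array access, and selects a pool from it. The pool names pool_admins and pool_default, the "adm-" prefix routing rule, and the use of the pool command inside AUTH_RESULT are assumptions, not anything the thread states.

```tcl
# Added example, not the original poster's iRule or F5's default auth rule.
# Assumes an LDAP auth profile that returns the attribute key "ldap:attr:uid"
# (the key used in the thread), two pools named pool_admins and pool_default
# (assumed names), and that the pool command is accepted in AUTH_RESULT
# before the system auth rule releases the request (assumption).

when CLIENT_ACCEPTED {
    # Connection-local, not RULE_INIT: a RULE_INIT variable is global in
    # scope and the system auth rule checks for tmm_auth_subscription in
    # the connection's scope before it calls AUTH::start.
    set tmm_auth_subscription "*"
}

when AUTH_RESULT {
    log local0. "auth status for [IP::client_addr]: [AUTH::status]"

    # AUTH::response_data returns a flat key/value list; load it into an array.
    # array size must be given the array name, never the list itself.
    array set auth_response_data [AUTH::response_data]
    log local0. "received [array size auth_response_data] response attribute(s)"

    # Read one attribute by key. Direct array access avoids the lindex-0
    # pitfall: [array get a key] returns {key value}, so index 0 is the key.
    set uid ""
    if { [info exists auth_response_data(ldap:attr:uid)] } {
        set uid $auth_response_data(ldap:attr:uid)
    }

    if { $uid eq "" } {
        # Attribute missing (unauthorized bind, subscription not set, or the
        # attribute not returned): keep the default pool. The system auth rule
        # still answers 401 on an unauthorized result, so nothing is forwarded.
        log local0. "no ldap:attr:uid in response data, using pool_default"
        pool pool_default
        return
    }

    # Constructed routing rule: uids beginning with "adm-" go to the admin pool.
    if { [string match "adm-*" $uid] } {
        log local0. "uid $uid -> pool_admins"
        pool pool_admins
    } else {
        log local0. "uid $uid -> pool_default"
        pool pool_default
    }
}
```

Note that the question's `[array size [AUTH::response_data]]` logs 0 even after the event is moved to CLIENT_ACCEPTED: Tcl's array size takes the name of an array variable, and the list returned by AUTH::response_data is not the name of any array. Checking `[array size auth_response_data]` after the array set is the right way to see how many attributes arrived.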