Tom_92690
Nov 23, 2012

LDAP modify query

Hi fellow members,

We have the following use case:

1) User logs in on F5 APM

2) F5 APM displays user information.

3) User can enter or update his e-mail address.

The user store is AD.

Part 1 is pretty straightforward. In the APM VPE I can create an AD Auth box, which works fine.

Part 2 is a bit more challenging, where the F5 APM has to create and display a webpage with attributes fetched from AD.

In Part 3 we need to send an LDAP modify query to update attributes in the AD.

Is such a use case possible?

Can someone help me on part 2 and especially on part 3? Can we let the APM send an LDAP modify/replace query?

Thanks and kind regards,

Tom

3 Replies

  • Hamish
    I can't think of anything OOTB to do this, so it might be easier to display an iFrame with the content served from another server... or even just the update...

    Having said that, you COULD do an LDAP message on the fly with an iRule and use a SIDEBAND connection to connect/auth and send the ldap modify... It would be a good challenge :)

    H
  • Hamish,

    Thanks for your response. I wasn't aware of the SIDEBAND functionality in V11. It certainly pointed me in the right direction.

    And yes, wow, this is powerful!

    Now my next step is to find out how to get the ldap modify right for the send command.

    If I make any progress I'll let you know (which can take a while because I need to work on other projects as well).

    Kind regards,

    Tom
  • 2 could be fairly simple. If you initiate an AD or LDAP query in APM after authenticating the user, the session cache will be filled with AD/LDAP data that you can either a) pass as HTTP headers to the application, or b) display in a customized message box in APM.

    3 has a few options as well. As Hamish states, APM won't be able to do the modification, but you can definitely spin off to a sideband call. What you call and how you use the sideband is where it gets interesting. The best option, IMHO, is to point to another (internal) virtual server that load balances a web service of your design (on another box) that does the modifications and returns a result. Doing this on a simple "LAMP" box - Linux/Apache/MySQL/PHP, or any programmable environment that has the ability to touch AD, would be really straightforward.
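Hamish's suggestion of building the LDAP message on the fly, and Tom's follow-up about getting the modify right for the send command, both come down to producing correctly BER-encoded LDAP PDUs (RFC 4511) and reading the LDAPResult that comes back. The Python below is an added example for this thread, not code from the thread or from F5: it encodes a simple BindRequest and a ModifyRequest that replaces the mail attribute, and decodes the Bind/Modify response, so the exact bytes can be checked offline before an iRule's sideband send/recv is written around them. The DNs, attribute values and the sample password are constructed. Two points a practitioner would want noted: a simple bind carries the service account's password in the clear, so the sideband should terminate on an LDAPS/TLS virtual server; and the bind account only needs write rights on the one attribute being changed, so a non-success result code such as insufficientAccessRights is something to surface rather than swallow.

```python
"""BER-encode LDAP BindRequest / ModifyRequest and decode LDAPResult (RFC 4511).
Added example for this thread; not F5 code. All DNs, attributes and values
used below are constructed sample data."""

TAG_INTEGER = 0x02
TAG_OCTET_STRING = 0x04
TAG_ENUMERATED = 0x0A
TAG_SEQUENCE = 0x30
TAG_SET = 0x31
TAG_BIND_REQUEST = 0x60     # [APPLICATION 0], constructed
TAG_BIND_RESPONSE = 0x61    # [APPLICATION 1], constructed
TAG_MODIFY_REQUEST = 0x66   # [APPLICATION 6], constructed
TAG_MODIFY_RESPONSE = 0x67  # [APPLICATION 7], constructed
TAG_SIMPLE_AUTH = 0x80      # [0] context-specific, primitive (simple bind)
MOD_REPLACE = 2             # ModifyRequest change operation: replace(2)

# LDAPResult codes worth recognising in a bind + modify flow (RFC 4511, appendix A).
RESULT_NAMES = {0: "success", 16: "noSuchAttribute", 32: "noSuchObject",
                49: "invalidCredentials", 50: "insufficientAccessRights",
                53: "unwillingToPerform"}


def ber_len(n):
    """Definite-form BER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, payload):
    return bytes([tag]) + ber_len(len(payload)) + payload


def ber_int(value, tag=TAG_INTEGER):
    """Minimal two's-complement INTEGER / ENUMERATED encoding."""
    size = max(1, (value.bit_length() + 8) // 8)
    return tlv(tag, value.to_bytes(size, "big", signed=True))


def ber_str(s):
    return tlv(TAG_OCTET_STRING, s.encode("utf-8"))


def ldap_message(msg_id, protocol_op):
    """LDAPMessage ::= SEQUENCE { messageID INTEGER, protocolOp CHOICE {...} }"""
    return tlv(TAG_SEQUENCE, ber_int(msg_id) + protocol_op)


def bind_request(msg_id, bind_dn, password):
    """BindRequest with simple authentication, LDAP version 3."""
    op = ber_int(3) + ber_str(bind_dn) + tlv(TAG_SIMPLE_AUTH, password.encode("utf-8"))
    return ldap_message(msg_id, tlv(TAG_BIND_REQUEST, op))


def modify_replace_request(msg_id, target_dn, attribute, values):
    """ModifyRequest carrying a single replace change on one attribute."""
    vals = tlv(TAG_SET, b"".join(ber_str(v) for v in values))
    partial_attribute = tlv(TAG_SEQUENCE, ber_str(attribute) + vals)
    change = tlv(TAG_SEQUENCE, ber_int(MOD_REPLACE, TAG_ENUMERATED) + partial_attribute)
    op = ber_str(target_dn) + tlv(TAG_SEQUENCE, change)
    return ldap_message(msg_id, tlv(TAG_MODIFY_REQUEST, op))


def _read_tlv(buf, pos=0):
    """Return (tag, value bytes, position just after the element)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long-form length
        count = length & 0x7F
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    return tag, buf[pos:pos + length], pos + length


def parse_ldap_result(buf):
    """Decode an LDAPMessage carrying an LDAPResult (BindResponse or ModifyResponse).
    Returns (message_id, op_tag, result_code, result_name, diagnostic_message)."""
    tag, body, _ = _read_tlv(buf)
    if tag != TAG_SEQUENCE:
        raise ValueError("not an LDAPMessage")
    _, raw_id, pos = _read_tlv(body)
    op_tag, op, _ = _read_tlv(body, pos)
    _, raw_code, pos = _read_tlv(op)        # resultCode ENUMERATED
    _, _matched, pos = _read_tlv(op, pos)   # matchedDN (unused here)
    _, diag, _ = _read_tlv(op, pos)         # diagnosticMessage
    code = int.from_bytes(raw_code, "big", signed=True)
    return (int.from_bytes(raw_id, "big", signed=True), op_tag, code,
            RESULT_NAMES.get(code, "other(%d)" % code), diag.decode("utf-8"))


def ldap_result_response(msg_id, op_tag, code, diag=""):
    """Constructed server reply, used only to exercise the parser offline."""
    return ldap_message(msg_id, tlv(op_tag, ber_int(code, TAG_ENUMERATED) + ber_str("") + ber_str(diag)))


def update_mail_exchange(bind_dn, password, user_dn, new_mail):
    """The two PDUs a sideband flow sends in order: bind, then modify.
    Message IDs must be unique per connection; 1 and 2 are used here."""
    return [bind_request(1, bind_dn, password),
            modify_replace_request(2, user_dn, "mail", [new_mail])]


if __name__ == "__main__":   # constructed sample DNs and password
    for pdu in update_mail_exchange("cn=apm-svc,ou=svc,dc=example,dc=com", "sample-password",
                                    "cn=tom,ou=users,dc=example,dc=com", "tom@example.com"):
        print(pdu.hex())
    print(parse_ldap_result(ldap_result_response(2, TAG_MODIFY_RESPONSE, 0)))
```

The hex printed by the block is exactly what an iRule would hand to `send` on the sideband connection after `connect`, one PDU at a time, reading each reply with `recv` and checking the result code before sending the next; the bind must succeed (code 0) before the modify is worth sending, and a modify reply other than success should be logged with its diagnostic message rather than treated as done.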