Forum Discussion

kpiti_52215
Apr 04, 2012

LDAP profile for non HTTP protocols

I've created an LDAP profile based on _sys_auth_ldap which works perfectly with an HTTP VS (testing purposes only). What I actually want to do is to authenticate POP3 users with their credentials via iRule. The trouble is that when I create a POP3 VS and associate my LDAPauth profile, it wants me to associate an HTTP or FASTHTTP profile as well, which is rather bogus on a POP3 VS. And if I don't add an Auth profile, I can't use it in the iRule..


As it seems, the devil is in the fact that the "generic" stock LDAP profile on which you need to base any LDAP profiles has HTTP built in - /config/profile_base.conf:



ltm auth profile ldap {
    configuration none
    credential-source http-basic-auth
    defaults-from none
    enabled yes
    rule _sys_auth_ldap
    type ldap
}





Now, even if I do associate an HTTP profile to it (which is stupid from the start), when I call AUTH::authenticate from the iRule I always get auth fail, but in reality the LDAP is not even queried so there is no authentication whatsoever. And I can't modify the ldap profile's credential-source in advanced GUI or anything AFAIK.. I couldn't find where _sys_auth_ldap is defined either.



I gather poking around profile_base.conf isn't really the way to go so is there a way to create an LDAP profile which would work on non-HTTP/S protocols? Or alternatively (poking yes) are there any docs on ltm auth profile configuration? I'm on v11.1 if it matters..



Any help highly appreciated





2 Replies

  • Actually I've discovered that also in bigip.conf on my LDAP auth profile I have credential-source http-basic-auth, it's just not shown in the GUI:



    ltm auth profile /Common/MYldap {
        app-service none
        configuration /Common/myLDAPauth
        credential-source http-basic-auth
        defaults-from /Common/ldap
        type ldap
    }





    Can I change it from http-basic-auth to iRule_will_supply_data kind of source? I couldn't find any relevant docs on this anywhere..


  • There hasn't been any feedback on this so I'll just respond to myself.



    The builtin LDAP auth profile can just be used on an HTTP* profile, so what you need to do is to make an HTTP VS that does LDAP AUTH and use a sideband connection from your original iRule to this VS for authorization. You can check my solution here -
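
The sideband approach described in the last reply, sketched as an added example; it is not the poster's linked iRule. Assumptions: /Common/vs_ldap_auth is a hypothetical internal HTTP virtual server that carries the LDAP auth profile and returns status 200 once authentication succeeds, and each POP3 command arrives in its own TCP segment.

```tcl
# Added example for the POP3 virtual server (names are assumptions, see above).
when SERVER_CONNECTED {
    # POP3 is server-first: start collecting client data only after the
    # server side is up, so the server greeting still reaches the client.
    clientside { TCP::collect }
}
when CLIENT_DATA {
    set line [string trim [TCP::payload]]
    if { [string match -nocase "USER *" $line] } {
        # Remember the user name; the command itself is passed through below.
        set pop_user [string range $line 5 end]
    } elseif { [string match -nocase "PASS *" $line] && [info exists pop_user] } {
        # Re-package the POP3 credentials as HTTP Basic for the auth VS.
        set cred [b64encode "${pop_user}:[string range $line 5 end]"]
        set req "GET / HTTP/1.0\r\nAuthorization: Basic $cred\r\n\r\n"
        set status ""
        set conn [connect -timeout 3000 -idle 30 -status conn_status /Common/vs_ldap_auth]
        if { $conn ne "" } {
            send -timeout 3000 -status send_status $conn $req
            # "HTTP/1.x NNN" is 12 bytes; bytes 9-11 hold the status code.
            set status [string range [recv -timeout 3000 12 $conn] 9 11]
            close $conn
        }
        if { $status ne "200" } {
            # Fail closed: LDAP rejected the login or the sideband call failed.
            TCP::respond "-ERR authentication failed\r\n"
            # Drop the PASS command so it never reaches the POP3 server.
            TCP::payload replace 0 [TCP::payload length] ""
            TCP::close
            return
        }
    }
    # Forward the collected command and keep watching the client side.
    TCP::release
    TCP::collect
}
```

The sideband request carries the password as Basic credentials, so the auth virtual server should be reachable only from the BIG-IP itself, and neither iRule should log the request.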