Forum Discussion

R__Clark_149098's avatar
R__Clark_149098
Icon for Altocumulus rankAltocumulus
Jan 23, 2019

LDAP Query for Attribute

I apologize if this has been covered in a different article, but I have not been able to find anything that I've had success with. In my environment, a user's DistinguishedName is totally unique, ...
BIG-IP
security
  • R__Clark_149098's avatar
    R__Clark_149098
    Feb 05, 2019

    I ultimately got this working by creating an LDAP Query action, I used the following as a SearchFilter:

    (SamAccountName=%{session.logon.last.username})

    I set DistinguishedName as a required attribute so that I was able to use it later. These are case sensitive when you try to use them in Variable Assigns, so make sure to check the session variables after a login attempt if things aren't working.

    The format of my LDAP users DN is CN=Bob\, Smith... or CN=Bob... so I had to cover both cases. The F5 adds an extra slash to the session variable to make it a literal slash in TCL (my guess). I had to create a variable assign to remove that extra slash so when it's sent to the LDAP server it understands it.

    This was the expression field of my variable assign:

    set dn "[mcget {session.ldap.last.attr.dn}]"
if {[string first "\\" $dn] != -1} {
    return [string map {\\\\ \\} $dn]
} else {
    return $dn
}

    Finally I created an LDAP auth action with the following in the UserDN. SearchDN and SearchFilter are empty.

    I had to open a case with F5 to figure out how to not send hex to my LDAP server. They key is the :noconv function. 

    %{dn:noconv}

    After this authentication worked!!

R__Clark_149098's avatar
R__Clark_149098
Icon for Altocumulus rankAltocumulus
Jan 25, 2019

Well, I got further. I ran a capture and saw that somehow the ldapsearch interrogates the searchDN correctly and is able to pull user searchDN. I ran a capture with this:

ldapsearch -LLL "(samaccountname=*bob1234*)" -h 10.10.10.10 -D 'domain\bindacct' -W -b 'DC=domain,DC=com' dn

Gave me this, which is what I ultimately wanted:

distinguishedName: CN=bsmith,DC=domain,DC=com

I copied the searchDN from that into my LDAP query and I am able to pull the user's DN now.

Only problem is I can't figure out the syntax to use the attribute I assigned in the query correctly. I'm using the syntax from this article but nothing I try seems to work in the authentication step.

I have tried:

  • session.ldap.last.attr.DistinguishedName
  • (session.ldap.last.attr.DistinguishedName)
  • %{session.ldap.last.attr.DistinguishedName}
  • (%{session.ldap.last.attr.$DistinguishedName})
  • (%{session.ldap.last.attr.DistinguishedName})

The last version returns:

LDAP-POLICY_Test:Common:7cc4f5b1: LDAP Module: Failed to bind with '()'. Invalid credentials, 80090308: LdapErr: DSID-0C090400, comment: AcceptSecurityContext error, data 52e, v1db1

Which to me seems like the syntax is close, but it's not pulling the attribute correctly. I'm going to keep plugging away unless someone has a quick tip for me.