Forum Discussion
LDAP Query for Attribute
- Feb 05, 2019
I ultimately got this working by creating an LDAP Query action, I used the following as a SearchFilter:
(SamAccountName=%{session.logon.last.username})
I set DistinguishedName as a required attribute so that I was able to use it later. These are case sensitive when you try to use them in Variable Assigns, so make sure to check the session variables after a login attempt if things aren't working.
The format of my LDAP users' DN is CN=Bob\, Smith... or CN=Bob... so I had to cover both cases. The F5 adds an extra slash to the session variable to make it a literal slash in TCL (my guess). I had to create a variable assign to remove that extra slash so when it's sent to the LDAP server it understands it.
This was the expression field of my variable assign:
set dn "[mcget {session.ldap.last.attr.dn}]"
if {[string first "\\" $dn] != -1} {
    return [string map {\\\\ \\} $dn]
} else {
    return $dn
}
Finally I created an LDAP auth action with the following in the UserDN. SearchDN and SearchFilter are empty.
I had to open a case with F5 to figure out how to not send hex to my LDAP server. The key is the :noconv function.
%{dn:noconv}
After this authentication worked!!
Hi R. Clark,
the iRule-specific syntax below will at first [string] replace the value to a URI encoded format followed by [URI::decode] command to unescape the URI encoded characters.
set var {CN\3dBob\5c\5c\2c Smith\2cDC\3ddomain\2cDC\3dcom}
log local0.debug "Decoded: [URI::decode [string map { "\\5c\\5c" "%5c" "\\" "%" } $var]]"
Keep in mind that the [URI::decode] command won't be available within APM's variable assign actions. For that use case you would need to [string] replace the value to a HEX encoded format followed by a [subst] command to unescape the HEX encoded characters.
set var {CN\3dBob\5c\5c\2c Smith\2cDC\3ddomain\2cDC\3dcom}
log local0.debug "Decoded: [subst -nocommands -novariables [string map { "\\5c\\5c" "\\x5c" "\\" "\\x" } $var]]"
Note: I'm working very frequently with LDAP and AD based APM scenarios, but I simply don't get the point what the heck you are trying to accomplish and also why?
Cheers, Kai
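Both decoding steps from this thread in one routine, as an added example that is not part of either post: a plain-Tcl proc (the name `apm_dn_decode` and the sample values are constructed) that decodes exactly two hex digits per `\XX` escape and then collapses the doubled backslash. It does the hex decoding itself instead of calling `[subst]`, because Tcl releases before 8.6 let `\x` consume any number of following hex digits, so a sequence such as `\x3ddomain` does not decode to `=domain` there.

```tcl
# Added example: hypothetical helper, not F5 or thread code.
# Turns the escaped session-variable form of a DN back into the
# RFC 4514 string the LDAP server expects (e.g. CN=Bob\, Smith,...).
proc apm_dn_decode {raw} {
    set out ""
    set n [string length $raw]
    set i 0
    while {$i < $n} {
        set c [string index $raw $i]
        if {$c ne "\\"} {
            # Ordinary character: copy through unchanged.
            append out $c
            incr i
            continue
        }
        # Backslash: decode only if exactly two hex digits follow.
        set pair [string range $raw [expr {$i + 1}] [expr {$i + 2}]]
        if {[regexp {^[0-9A-Fa-f]{2}$} $pair]} {
            append out [format %c [scan $pair %x]]
            incr i 3
        } else {
            # Not a hex escape (e.g. "\," or "\\"): keep the backslash.
            append out $c
            incr i
        }
    }
    # The session variable carries the DN's own escape backslash doubled;
    # collapse each pair to the single backslash LDAP expects.
    return [string map [list "\\\\" "\\"] $out]
}

# Constructed sample inputs covering both forms seen in the thread.
set hex_form   {CN\3dBob\5c\5c\2c Smith\2cDC\3ddomain\2cDC\3dcom}
set plain_form {CN=Bob\\, Smith,DC=domain,DC=com}
set no_escape  {CN=Bob,DC=domain,DC=com}

foreach sample [list $hex_form $plain_form $no_escape] {
    puts "[format %-55s $sample] -> [apm_dn_decode $sample]"
}
```

Run under `tclsh` to compare the three forms; inside an APM variable assign the input would come from `mcget` as in the original post.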
