Forum Discussion
LDAP query from LTM
Now, create an internal virtual server to load balance this web service, and apply this iRule to your application virtual server to call the web service (via sideband with a query parameter).
when RULE_INIT {
    # user-defined: name of internal web service virtual server
    set static::WSVIP "webservice-vs"
    # user-defined: debug enable/disable (1/0)
    set static::DEBUG 1
    # user-defined: number of recv -peek attempts before giving up
    # (referenced below but never set in the posted rule; 10 is an assumed value)
    set static::retries 10
}
when HTTP_REQUEST {
    # Prepare the sideband call
    set conn [connect -timeout 3000 -idle 30 -status conn_status $static::WSVIP]
    if { $static::DEBUG } { log local0. "conn_status = $conn_status" }
    if { $conn eq "" } {
        if { $static::DEBUG } { log local0. "Sideband connection could not be established" }
        return
    }
    # Prepare user information to transmit to APM sideband call
    set userdata "bob.user"
    # Create the data to send to the APM
    set data "GET /ldaplookup.php?find=$userdata HTTP/1.1\r\nHost: [HTTP::host]\r\nUser-Agent: cUrl\r\nAccept: */*\r\n\r\n"
    if { $static::DEBUG } { log local0. "data = $data" }
    # Send the sideband call
    set send_info [send -timeout 3000 -status send_status $conn $data]
    if { $static::DEBUG } { log local0. "send_status = $send_status" }
    # Receive the APM response (via data "peek")
    set start [clock clicks -milliseconds]
    set recv_data ""
    for {set i 0} {$i <= $static::retries} {incr i} {
        set recv_data [recv -peek -status peek_status -timeout 10 $conn]
        if { [string match "HTTP/*\r\n\r\n*" $recv_data] } {
            # Headers are complete. If a Content-Length is present, peek again
            # for exactly headers + body so a partially received body is not used.
            if { [string match -nocase "*Content-Length: *" $recv_data] } {
                set header_length [expr {[string first "\r\n\r\n" $recv_data] + 4}]
                set payload_length [findstr [string tolower $recv_data] "content-length: " 16 "\r"]
                if { $payload_length ne "" and $payload_length > 0 } {
                    set recv_data [recv -peek -timeout 3000 -status recv_status [expr {$header_length + $payload_length}] $conn]
                }
            }
            break
        }
        # Headers not complete yet: fall through and peek again on the next iteration
        # (the posted rule broke out here, which made the retry loop ineffective)
    }
    # Strip the headers; keep only the payload after the blank line
    set returned_data [findstr $recv_data "\r\n\r\n" 4]
    if { $static::DEBUG } { log local0. "recv_data = $recv_data" }
    if { $static::DEBUG } { log local0. "filtered data = $returned_data" }
    # Close the connection
    close $conn
    # The data returned from the web server is now in the $returned_data variable...
    # ...do something here...
}
The send string data now contains a query string instead of an arbitrary header. This could be done either way though.
    # Prepare user information to transmit to APM sideband call
    set userdata "bob.user"
    # Create the data to send to the APM
    set data "GET /ldaplookup.php?find=$userdata HTTP/1.1\r\nHost: [HTTP::host]\r\nUser-Agent: cUrl\r\nAccept: */*\r\n\r\n"
And then the returned sideband call LDAP data can be found in the $recv_data or $returned_data variables. What you do with that data after this is up to you. Also notice that the web service PHP will return "No data" if the LDAP query doesn't find anything. The $returned_data variable would actually contain this error message, so you could very simply issue a reject based on this value.
    if { $returned_data equals "No data" } {
        log local0. "No data found - rejecting user"
        reject
    }
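The following is an added example and not the poster's iRule: a Python model of the request the rule builds, the recv -peek loop that waits for complete headers plus a Content-Length worth of body, and the final "No data" reject check. The percent-encoding of the lookup value is an addition (the rule interpolates $userdata raw into the query string), and the response bytes are constructed for the example.

```python
from typing import Optional
from urllib.parse import quote

def build_sideband_request(userdata: str, host: str) -> bytes:
    """Same request the iRule's 'set data ...' line builds, except the lookup
    value is percent-encoded (an addition: the iRule interpolates it raw, so
    a value containing '&' or spaces would alter the query string)."""
    path = "/ldaplookup.php?find=" + quote(userdata, safe="")
    return (f"GET {path} HTTP/1.1\r\nHost: {host}\r\n"
            "User-Agent: cUrl\r\nAccept: */*\r\n\r\n").encode()

def parse_sideband_response(buf: bytes) -> Optional[bytes]:
    """Model of the recv -peek loop: 'buf' is whatever has arrived so far.
    Returns None while the iRule would peek again (headers incomplete or the
    Content-Length body not fully received), otherwise the payload after the
    blank line, i.e. the iRule's $returned_data."""
    if not buf.startswith(b"HTTP/"):
        return None                      # no status line yet
    end = buf.find(b"\r\n\r\n")
    if end == -1:
        return None                      # headers incomplete, keep peeking
    header_len = end + 4
    length = None
    for line in buf[:end].decode("iso-8859-1").lower().split("\r\n")[1:]:
        name, _, value = line.partition(":")
        if name.strip() == "content-length":
            length = int(value.strip())
    if length is None:
        return buf[header_len:]          # iRule: no Content-Length, use what was peeked
    if len(buf) < header_len + length:
        return None                      # body still arriving, keep peeking
    return buf[header_len:header_len + length]

def decide(returned_data: bytes) -> str:
    """The post's final check: the PHP lookup answers 'No data' on a miss."""
    return "reject" if returned_data == b"No data" else "allow"

# Constructed web-service response, split to exercise the wait-for-more path.
CHUNK1 = b"HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\nContent-Length: 7\r\n\r\nNo "
CHUNK2 = b"data"

if __name__ == "__main__":
    print(build_sideband_request("bob user&x", "app.example.com"))
    print(parse_sideband_response(CHUNK1))           # None: body incomplete
    body = parse_sideband_response(CHUNK1 + CHUNK2)  # b'No data'
    print(body, decide(body))
```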