Forum Discussion
Ldap query from ltm
Create an APM LDAP AAA object that sets up the authentication to the LDAP server. OK. Do I need administrator rights for the user?
It's an LDAP query, so you just need to specify an account that has the rights to make such a query.
Create an access policy that includes a simple LDAP query KO 😞 I can't find on the APM menu where I can configure this access policy
Once you've created the access policy, open it up, go to the third tab (Access Policy), and click the "Edit Access Policy for Profile" link. This will bring up a new window with the access profile's "visual policy". Inside the visual policy, create an LDAP Query agent, specify the previously-created LDAP AAA, and then the following properties:
- SearchDN: the distinguished name path where the users can be found (ex. cn=users,dc=mydomain,dc=com)
- SearchFilter: this is what you're looking for. The syntax would be something like:
  attribute-name=%{session.value}
  where "attribute-name" is the literal name of the AD/LDAP attribute (ex. userPrincipalName, sAMAccountName, etc.), and "%{session.value}" is a session variable that you've already assigned prior to this LDAP query agent (via iRule or Variable Assignment agent).
- Branch Rules: on the Branch Rules tab, click the "change" link next to the default expression. In the next window, click the "x" to the right of that expression to delete it, click the "Add Expression" button, select "LDAP Query" and "LDAP Query Passed" from the drop down boxes, and click the "Add Expression" button. Click the "Finished" button, and then optionally change the name field to something more appropriate like "Query passed". Click Save.
With this in place, the agent will perform the query and follow the "Query passed" branch if the query was successful. Run a quick test, and then run an access policy report in the GUI. If the LDAP query was successful, you'll see a bunch of session.ldap.last.attr session variables in the session cache. Any of these can be used in evaluations after the LDAP query agent.
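To make the SearchFilter/session-variable mechanics concrete, here is an added example (not code from the thread or from F5) that models what the LDAP Query agent does: it expands %{session.*} references in the filter, escapes the substituted value as an LDAP filter literal (RFC 4515), runs a single equality filter against a constructed stand-in directory subtree under the SearchDN, and on exactly one match populates session.ldap.last.attr.<name> variables and returns the "Query passed" branch. The directory entries, the session variable session.logon.last.username, the simple equality-only filter matcher, and the session.ldap.last.queryresult name are assumptions for the illustration.

```python
import re

# Characters that RFC 4515 requires escaping inside a filter value.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value):
    """Escape a value before it is placed into an LDAP search filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


# %{session.xxx} references inside the SearchFilter string.
_SESSION_REF = re.compile(r"%\{([A-Za-z0-9_.]+)\}")


def render_filter(template, session):
    """Expand %{session.*} references, escaping each value as a filter literal."""
    def expand(match):
        name = match.group(1)
        if name not in session:
            # The agent relies on the variable being assigned earlier in the policy.
            raise KeyError("session variable %s not set before the LDAP Query agent" % name)
        return escape_filter_value(str(session[name]))
    return _SESSION_REF.sub(expand, template)


# Constructed stand-in for a directory subtree (assumed sample data, not real entries).
SAMPLE_DIRECTORY = [
    {"dn": "cn=alice,cn=users,dc=mydomain,dc=com",
     "sAMAccountName": "alice", "userPrincipalName": "alice@mydomain.com",
     "memberOf": ["cn=vpn-users,cn=groups,dc=mydomain,dc=com"]},
    {"dn": "cn=bob,cn=users,dc=mydomain,dc=com",
     "sAMAccountName": "bob", "userPrincipalName": "bob@mydomain.com",
     "memberOf": []},
    {"dn": "cn=svc-backup,ou=service,dc=mydomain,dc=com",
     "sAMAccountName": "svc-backup", "userPrincipalName": "svc-backup@mydomain.com",
     "memberOf": []},
]

# Only the simple "attr=value" (optionally parenthesised) form is modelled here.
_EQUALITY = re.compile(r"^\(?([A-Za-z][A-Za-z0-9-]*)=(.*?)\)?$")


def _unescape(value):
    """Reverse RFC 4515 \\XX escapes so escaped values compare literally."""
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def _matches(entry, rendered_filter):
    """Evaluate a single attribute=value equality filter against one entry."""
    m = _EQUALITY.match(rendered_filter)
    if not m:
        raise ValueError("only a single equality filter is modelled here: %r" % rendered_filter)
    attr, wanted = m.group(1), _unescape(m.group(2))
    have = entry.get(attr)
    if isinstance(have, list):
        return wanted in have
    # AD attribute values such as sAMAccountName compare case-insensitively.
    return have is not None and have.lower() == wanted.lower()


def ldap_query_agent(search_dn, filter_template, session, directory=SAMPLE_DIRECTORY):
    """Model of the LDAP Query agent: returns the branch name and updates the session.

    On a single match the entry's attributes are stored as
    session.ldap.last.attr.<name>, which is how they appear in the session cache.
    """
    rendered = render_filter(filter_template, session)
    base = search_dn.lower()
    hits = [e for e in directory
            if e["dn"].lower().endswith(base) and _matches(e, rendered)]
    if len(hits) != 1:
        session["session.ldap.last.queryresult"] = "0"  # assumed variable name
        return "fallback"
    entry = hits[0]
    session["session.ldap.last.queryresult"] = "1"
    for name, value in entry.items():
        if name != "dn":
            session["session.ldap.last.attr." + name] = value
    return "Query passed"


if __name__ == "__main__":
    sess = {"session.logon.last.username": "alice"}
    branch = ldap_query_agent("cn=users,dc=mydomain,dc=com",
                              "sAMAccountName=%{session.logon.last.username}", sess)
    print(branch, sess.get("session.ldap.last.attr.memberOf"))
```

The escaping step is the part worth keeping in mind when the session variable comes from user input (a logon page, for instance): a value containing "*" or parentheses is compared literally rather than being interpreted as filter syntax, so the query only passes for the intended entry under the SearchDN.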
I've found that menu and I've created the AD auth and resources macro. But if I try to edit the "AD auth" object, I can't find the AAA LDAP server previously created
An AD Auth/Query will only allow an AD AAA object, likewise for an LDAP Auth/Query. You can use either to perform a query, but the LDAP query is generally faster.