Hi all, I'm searching an irule that would direct all the authenticated users (that belong to a specific group defined on the ldap profile/object) to a specific pool. All the others users (that aren't on that group) have to be redirect to a secondary pool. I've found a lot of more complicated ladp irule but nothing for this scenario...I'm not black belt on writing irule and any help would be appreciated, Best regards, Mauro

I wouldn't recommend trying to write an LDAP query iRule. It's certainly possible, but it's binary and very complex. Your best bet, in my opinion, is to have a look at the Access Policy Manager (APM) module. It'll do what you're asking for very easily and with minimal (if any) iRule coding.

The LDAP auth profile is a remnant of the Advanced Client Authentication (ACA) module, and will soon disappear (reportedly post-v11). It'd also be a very complicated iRule to do what you're asking for, because the ACA LDAP auth iRule is designed specifically for auth and not query. Like I said, you can technically build an LDAP query/proxy with iRules, but you'd probably need an iRules black belt on staff to maintain it. So I think you have three primary options: Investigate upgrading to a platform that supports three modules. Investigate adding another (potentially virtual) LTM/APM layer. Write a service on a local web server that can query LDAP and return the data via HTTP response. With this you can use a sideband call in an iRule to send the request to the web server and get your LDAP data that way.

Hi Kevin, thank you, you're very helpful ! I'll test it soon, but before we need to purchase the APM license for the other (internal) BIG-IP cluster: in the middle, I'm wondering to start this configuration following your previous suggestion: "Write a service on a local web server that can query LDAP and return the data via HTTP response. With this you can use a sideband call in an iRule to send the request to the web server and get your LDAP data that way" I've already asked to my colleagues to configure an internal web server that will contain all the users that have to be authenticated before accessing this application. So,the client (a mobile device) will contact the VIP on the LTM and it will contact the internal web server using an irule: if the user is on the users' list, he could access the pool. If not, it won't access anything and would be dropped. Do you have an irule similar that I could use as an example? Thank you in advance, Mauro

Okay, let's say you have a PHP web server that can make LDAP calls based on a parameter in the query string (ex. "?find=user"). Example: set_time_limit(30); error_reporting(E_ALL); ini_set('error_reporting', E_ALL); ini_set('display_errors',1); $ldapserver = '10.80.0.200'; $ldapuser = 'CN=Administrator,CN=users,DC=mydomain,DC=com'; $ldappass = 'password'; $ldaptree = "CN=Users,DC=mydomain,DC=com"; if(!isset($_REQUEST["find"])) { echo "No query parameter"; } else { // query string parameter to use in search $findthis = $_REQUEST["find"]; // what value(s) to return $justthese = array("userPrincipalName"); $ldapconn = ldap_connect($ldapserver) or die("Could not connect to LDAP server."); if($ldapconn) { $ldapbind = ldap_bind($ldapconn, $ldapuser, $ldappass) or die ("Error trying to bind: ".ldap_error($ldapconn)); if ($ldapbind) { $result = ldap_search($ldapconn,$ldaptree, "(sAMAccountName=$findthis)", $justthese) or die ("Error in search query: ".ldap_error($ldapconn)); $data = ldap_get_entries($ldapconn, $result); if($data["count"] > 0) { echo $data[0]["userprincipalname"][0]; } else { echo "No data"; } } else { echo "LDAP bind failed..."; } } ldap_close($ldapconn); } ** Ref: http://www.php.net/manual/en/function.ldap-search.php

Now, create an internal virtual server to load balance this web service, and apply this iRule to your application virtual server to call the web service (via sideband with a query parameter). when RULE_INIT { user-defined: name of internal web service virtual server set static::WSVIP "webservice-vs" user-defined: debug enable/disable (1/0) set static::DEBUG 1 } when HTTP_REQUEST { Prepare the sideband call set conn [connect -timeout 3000 -idle 30 -status conn_status $static::WSVIP] if { $static::DEBUG } { log local0. "conn_status = $conn_status" } if { $conn eq "" } { if { $static::DEBUG } { log local0. "Sideband connection could not be established" } return } Prepare user information to transmit to APM sideband call set userdata "bob.user" Create the data to send to the APM set data "GET /ldaplookup.php?find=$userdata HTTP/1.1\r\nHost: [HTTP::host]\r\nUser-Agent: cUrl\r\nAccept: */*\r\n\r\n" if { $static::DEBUG } { log local0. "data = $data" } Send the sideband call set send_info [send -timeout 3000 -status send_status $conn $data] if { $static::DEBUG } { log local0. "send_status = $send_status" } Receive the APM response (via data "peek") set start [clock clicks -milliseconds] for {set i 0} {$i <= $static::retries} {incr i} { set recv_data [recv -peek -status peek_status -timeout 10 $conn] if { [string match "HTTP/*\r\n\r\n*" $recv_data] } { if { [string match -nocase "*Content-Length: *" $recv_data] }{ set header_length [expr {[string first "\r\n\r\n" $recv_data] + 4}] set payload_length [findstr [string tolower $recv_data] "content-length: " 16 "\r"] if { $payload_length ne "" and $payload_length > 0 } { set recv_data [recv -peek -timeout 3000 -status recv_status [expr {$header_length + $payload_length}] $conn] break } else { break } } else { break } } } set returned_data [findstr $recv_data "\r\n\r\n" 4] if { $static::DEBUG } { log local0. "recv_data = $recv_data" } if { $static::DEBUG } { log local0. "filtered data = $returned_data" } Close the connection close $conn The data returned from the web server is now in the $returned_data variable... ...do something here... } The send string data now contains a query string instead of an arbitrary header. This could be done either way though. Prepare user information to transmit to APM sideband call set userdata "bob.user" Create the data to send to the APM set data "GET /ldaplookup.php?find=$userdata HTTP/1.1\r\nHost: [HTTP::host]\r\nUser-Agent: cUrl\r\nAccept: */*\r\n\r\n" And then the returned sideband call LDAP data can be found in the $recv_data or $returned_data variables. What you do with that data after this is up to you. Also notice that the web service PHP will return "No data" if the LDAP query doesn't find anything. The $returned_data variable would actually contain this error message, so you could very simply issue a reject based on this value. if { $returned_data equals "No data" } { log local0. "No data found - rejecting user" reject }

Ldap query from ltm | DevCentral

38 Replies

maurox_59221
Nimbostratus
Nov 14, 2013
Hi Kevin,

ok, thanks.

Tomorrow I'll test/check what you've suggested. How can I test (locally on the APM/LTM, before starting to work with the irule) if the query will work as desired? If the query will work, the next step will be (as you've already suggested in previous messages) configuring the irule that will extract the user from the http request and pass the information to the apm module...I'm also wondering to simplify the scenario using this virtual appliance both for the query and the pool management. The frontend device (ASM) will only check for any signatures/anomaly and will pass all the requests to the VIP on the BE where I have both the APM and the LTM.

Mauro
maurox_59221
Nimbostratus
Nov 15, 2013
Hi Kevin, as you've suggested, I've configured the access policy and the branch rule. Now, as I've written, I'd like to use the same appliance both as a LTM and APM module. Do I need the same irule that you've had previously suggested (that one that you've suggestd for an external LTM) or something more simple? Best regards, Mauro
maurox_59221
Nimbostratus
Nov 15, 2013
Hi Kevinn,

I've upgraded to the 11.4 hf4 version (I've read that in this version "has the ability to apply an Access Policy on top of LTM") and all the configurations for the access policy and the LDAP server were implemented. If I try to access the VIP, the session could not be established, but I see that the BIG-IP is sending something to the LDAP server.

Now I'm wondering that only the irule for catching the users form the query is missing. The user (I've done e new log session for trace how these requests are coming) in a GET request, on the URI, something like: /Microsoft-Server-ActiveSync?User=Pippo&Device=App

I'm wondering that (using both APM and LTM on the same appliance and the 11.4 version) this irule will be something more simple...any suggestions for this irule?

thanks in advance for your precious support,

Mauro
Kevin_Stewart
Employee
Nov 15, 2013
Do I need the same irule that you've had previously suggested (that one that you've suggestd for an external LTM) or something more simple?

First, if you're doing APM on the load balancing appliance, the configuration is actually much simpler than I've described, and probably won't require much iRule code at all. Your APM access (visual) policy should, more or less, look like the following:

start - iRule event - LDAP Query - Allow
Where the iRule event is used to the extract any values necessary from the client request, the LDAP query (with an attached LDAP AAA) performs an LDAP query with the values provided, and then you either allow the traffic based on the success or failure of the LDAP query, or add additional conditions to the policy. The only iRule code you may need will be in pulling the necessary value(s) from the client request.

How can I test (locally on the APM/LTM, before starting to work with the irule) if the query will work as desired?

The easiest way to troubleshoot an APM access is to drop message boxes in the visual policy at different stages so that you can see where it's going, and potentially see session variables at different points. Add a message box where you want to see the path taken (ex. before and after the LDAP query). To see any session variables that may have been created, use the %{} syntax in the message box text fields. Exampele:

%{session.ldap.last.attr.userPrincipalName}
maurox_59221
Nimbostratus
Nov 18, 2013
Hi Kevin,

My visual policy is something like this:

but the irule is assigned on the virtual server\resources menu. Do I have to assign it using the visual manager?

thanks , Mauro
Kevin_Stewart
Employee
Nov 18, 2013
but the irule is assigned on the virtual server\resources menu. Do I have to assign it using the visual manager?

It shouldn't matter where it is in the visual policy as long as the flow makes sense. It may be simpler at this point to back out and test the LDAP query by itself. If you can create a NEW access profile, please do so and follow these steps:

Create your LDAP AAA

Create your new access profile and open the visual policy editor

Add a Variable assignment agent as the first new item and create a custom session variable. Example:

session.custom.user = expr { "bob.user" }

Substitute the user with some name you know exists in the LDAP directory.

After the Variable assignment, create your LDAP Query agent.

AAA server - the LDAP AAA server you just created
SearchDN - the DN path where users can be found.

SearchFilter - this is the LDAP object you're looking for, based on the previously-created custom variable. Example:

userPrincipalName=%{session.custom.user}

Go to the Branch tab of the LDAP Query agent.

Change the Name field to something like "Query passed"
Click the Change link
Click the x in the top right corner to delete the existing expression
Click the Add Expression button
Agent Sel should be "LDAP Query"
Condition should be "LDAP Query Passed"
Click the Add Expression button
Click Finished
Click Save

Set the ending block after the Query passed branch to Allow and test this access policy attached to a VIP. The idea here is that you've short circuited the process to focus on the LDAP query itself. If the query works with the static user value from the custom variable, you should be able to run an access policy report and see all of the LDAP values returned. You then just need to:

Modify how the custom variable is set - presumably from HTTP request URI data
Apply this same LDAP query configuration to your original access profile
maurox_59221
Nimbostratus
Nov 18, 2013
Hi Kevin,

ok,thanks.

tomorrow I'll test it as you've suggested,

Mauro
maurox_59221
Nimbostratus
Nov 19, 2013
Hi Kevin,

here I've tested the query using the variable assignment, but this test has failed.

I've checked the attributes on the LDAP server using an LDAP search program and the problem is that this users are on that grup as a members and with all the complete DN instead of the sAMAccountName . So, the sAMAccountName is the value of the user in that DB, but this isn't the attributes that I've to search with the query... Checking the apm logs, I've also found thi message:

modules/Authentication/Ldap/LdapAgent.cpp func: "getLdapUserInput()" line: 735 Msg: 60c9f1c8: LDAP Agent: getLdapUserInput(): unable to decrypt user password due to NULL ciphertext

Any ideas?

Thanks in advance,

Mauro
Kevin_Stewart
Employee
Nov 19, 2013
The NULL ciphertext message can be ignored. It has nothing to do with he LDAP query failing.

If you could successfully query the LDAP directory from some other application or command line tool, what would that query look like? One of the tools I use to troubleshoot LDAP queries is the LDAPSEARCH command. Here's an example:

ldapsearch -H ldap://10.70.0.1:389 -x -b cn=users,dc=mydomain,dc=com -D administrator@mydomain.com -w [password] [search criteria ex. cn=bob]

Do a quick search online and/or read the LDAPSEARCH MAN page for more information on its use. Ultimately your APM LDAP query will work more or less the same as the search criteria in this command.
maurox_59221
Nimbostratus
Nov 19, 2013
HI Kevin,

ok, thanks, the query (with the static Variable Assigned) finally has worked!

Now I'm searching how to pass (via irule) dynamicaly the sAMAccountName to the searchfilter. Do you have anything similar?

Best regards,

Mauro