Hi all, I'm searching an irule that would direct all the authenticated users (that belong to a specific group defined on the ldap profile/object) to a specific pool. All the others users (that aren't on that group) have to be redirect to a secondary pool. I've found a lot of more complicated ladp irule but nothing for this scenario...I'm not black belt on writing irule and any help would be appreciated, Best regards, Mauro

I wouldn't recommend trying to write an LDAP query iRule. It's certainly possible, but it's binary and very complex. Your best bet, in my opinion, is to have a look at the Access Policy Manager (APM) module. It'll do what you're asking for very easily and with minimal (if any) iRule coding.

The LDAP auth profile is a remnant of the Advanced Client Authentication (ACA) module, and will soon disappear (reportedly post-v11). It'd also be a very complicated iRule to do what you're asking for, because the ACA LDAP auth iRule is designed specifically for auth and not query. Like I said, you can technically build an LDAP query/proxy with iRules, but you'd probably need an iRules black belt on staff to maintain it. So I think you have three primary options: Investigate upgrading to a platform that supports three modules. Investigate adding another (potentially virtual) LTM/APM layer. Write a service on a local web server that can query LDAP and return the data via HTTP response. With this you can use a sideband call in an iRule to send the request to the web server and get your LDAP data that way.

Hi Kevin, thank you, you're very helpful ! I'll test it soon, but before we need to purchase the APM license for the other (internal) BIG-IP cluster: in the middle, I'm wondering to start this configuration following your previous suggestion: "Write a service on a local web server that can query LDAP and return the data via HTTP response. With this you can use a sideband call in an iRule to send the request to the web server and get your LDAP data that way" I've already asked to my colleagues to configure an internal web server that will contain all the users that have to be authenticated before accessing this application. So,the client (a mobile device) will contact the VIP on the LTM and it will contact the internal web server using an irule: if the user is on the users' list, he could access the pool. If not, it won't access anything and would be dropped. Do you have an irule similar that I could use as an example? Thank you in advance, Mauro

Okay, let's say you have a PHP web server that can make LDAP calls based on a parameter in the query string (ex. "?find=user"). Example: set_time_limit(30); error_reporting(E_ALL); ini_set('error_reporting', E_ALL); ini_set('display_errors',1); $ldapserver = '10.80.0.200'; $ldapuser = 'CN=Administrator,CN=users,DC=mydomain,DC=com'; $ldappass = 'password'; $ldaptree = "CN=Users,DC=mydomain,DC=com"; if(!isset($_REQUEST["find"])) { echo "No query parameter"; } else { // query string parameter to use in search $findthis = $_REQUEST["find"]; // what value(s) to return $justthese = array("userPrincipalName"); $ldapconn = ldap_connect($ldapserver) or die("Could not connect to LDAP server."); if($ldapconn) { $ldapbind = ldap_bind($ldapconn, $ldapuser, $ldappass) or die ("Error trying to bind: ".ldap_error($ldapconn)); if ($ldapbind) { $result = ldap_search($ldapconn,$ldaptree, "(sAMAccountName=$findthis)", $justthese) or die ("Error in search query: ".ldap_error($ldapconn)); $data = ldap_get_entries($ldapconn, $result); if($data["count"] > 0) { echo $data[0]["userprincipalname"][0]; } else { echo "No data"; } } else { echo "LDAP bind failed..."; } } ldap_close($ldapconn); } ** Ref: http://www.php.net/manual/en/function.ldap-search.php

Now, create an internal virtual server to load balance this web service, and apply this iRule to your application virtual server to call the web service (via sideband with a query parameter). when RULE_INIT { user-defined: name of internal web service virtual server set static::WSVIP "webservice-vs" user-defined: debug enable/disable (1/0) set static::DEBUG 1 } when HTTP_REQUEST { Prepare the sideband call set conn [connect -timeout 3000 -idle 30 -status conn_status $static::WSVIP] if { $static::DEBUG } { log local0. "conn_status = $conn_status" } if { $conn eq "" } { if { $static::DEBUG } { log local0. "Sideband connection could not be established" } return } Prepare user information to transmit to APM sideband call set userdata "bob.user" Create the data to send to the APM set data "GET /ldaplookup.php?find=$userdata HTTP/1.1\r\nHost: [HTTP::host]\r\nUser-Agent: cUrl\r\nAccept: */*\r\n\r\n" if { $static::DEBUG } { log local0. "data = $data" } Send the sideband call set send_info [send -timeout 3000 -status send_status $conn $data] if { $static::DEBUG } { log local0. "send_status = $send_status" } Receive the APM response (via data "peek") set start [clock clicks -milliseconds] for {set i 0} {$i <= $static::retries} {incr i} { set recv_data [recv -peek -status peek_status -timeout 10 $conn] if { [string match "HTTP/*\r\n\r\n*" $recv_data] } { if { [string match -nocase "*Content-Length: *" $recv_data] }{ set header_length [expr {[string first "\r\n\r\n" $recv_data] + 4}] set payload_length [findstr [string tolower $recv_data] "content-length: " 16 "\r"] if { $payload_length ne "" and $payload_length > 0 } { set recv_data [recv -peek -timeout 3000 -status recv_status [expr {$header_length + $payload_length}] $conn] break } else { break } } else { break } } } set returned_data [findstr $recv_data "\r\n\r\n" 4] if { $static::DEBUG } { log local0. "recv_data = $recv_data" } if { $static::DEBUG } { log local0. "filtered data = $returned_data" } Close the connection close $conn The data returned from the web server is now in the $returned_data variable... ...do something here... } The send string data now contains a query string instead of an arbitrary header. This could be done either way though. Prepare user information to transmit to APM sideband call set userdata "bob.user" Create the data to send to the APM set data "GET /ldaplookup.php?find=$userdata HTTP/1.1\r\nHost: [HTTP::host]\r\nUser-Agent: cUrl\r\nAccept: */*\r\n\r\n" And then the returned sideband call LDAP data can be found in the $recv_data or $returned_data variables. What you do with that data after this is up to you. Also notice that the web service PHP will return "No data" if the LDAP query doesn't find anything. The $returned_data variable would actually contain this error message, so you could very simply issue a reject based on this value. if { $returned_data equals "No data" } { log local0. "No data found - rejecting user" reject }

Ldap query from ltm | DevCentral

38 Replies

Kevin_Stewart
Employee
Nov 19, 2013
Now I'm searching how to pass (via irule) dynamicaly the sAMAccountName to the searchfilter. Do you have anything similar?

The value on the right side of the SearchFilter is going to be a dynamic variable. Example:

sAMAccountName=%{session.custom.foo}

What you assign to that custom session variable prior to the LDAP query, depends on when and where you're going to come by that information. So where is this value going to come from?
maurox_59221
Nimbostratus
Nov 20, 2013
Hi kevin,

this value has to come from the irule that will pass it to the apm module :

I've configured an irule for catching (using a regex) the user information from the URI, create an apm session (ACCESS::session create) and passing the user information to the apm policy (as a dynamic variable).

I've tried to post this irule (as a preformatted code), but every-time I receive an error from the devecentral portal :-(

If I try with an invalid user, the apm policy will work and I receive the failure message from the apm. But if the user is the correct one (a member of the group defined on the ldap query), the apm policy works but I'm having a segmentation violation error on the APM . IN this situation the session remains in "pending" state...

F5 is telling me that this could be a bug :-(

Thanks for your support,

Mauro
Kevin_Stewart
Employee
Nov 20, 2013
First thing, if this is a web-based application, then you probably don't need the ACCESS::session create function. This is done automatically when the browser connects. What you should probably do instead is capture the username in the URI, assuming it's coming in the first request, from the ACCESS_SESSION_STARTED event. Something like this:

when ACCESS _SESSION _STARTED { set username [whatever function you use to extract value from URI] ACCESS::session data set session.custom.username $username }

maurox_59221

Nimbostratus

Nov 21, 2013

HI Kevin, Just tried it, but someting got wrong...as a test, Iried using a static value on the irule:

when ACCESS _SESSION _STARTED {
    set username "mauro"
    ACCESS::session data set session.custom.username $username
}

But I've received this error:

01070151:3: Rule [/Common/Ldap_no_session] error: /Common/Ldap_no_session:1: error: [unknown event (ACCESS)][when ACCESS _SESSION _STARTED {
set username "mauro"
ACCESS::session data set session.custom.username $username
}]

maurox_59221
Nimbostratus
Nov 21, 2013
ops...it was my fault: that errors' appeared because I've inserted a space between ACCESS and session _SESSION ...

let me see...
maurox_59221
Nimbostratus
Nov 21, 2013
HI Kevin,

both the irule and the apm now works, but now I'm having another issue:

different devices are coming differently: sometime with the User=domain\use (Android) , others with User=user and others (android and windows mobile) without the user (this is the big problem, the firt request is something like /Microsoft-Server-ActiveSync :-( )

This is a nightmare!
Kevin_Stewart
Employee
Nov 21, 2013
It certainly sounds like a nightmare for sure. You'll likely have to tackle these things the way they come. Your iRule will first need to detect how the username is formatted (ie. if it contains a backslash). The second problem is going to be more difficult to get around. So when does the mobile client send the username?
maurox_59221
Nimbostratus
Nov 23, 2013
Hi Kevin,

the problem here is that different device are coming differently and we don't know if - for example - different android version will come ( and send username)differently. I need from my colleagues that are working to this project all the specifications and the type of devices before continuing: I can't change this irule every day checking what are coming from the logs...

Many thanks for your precious help,

Mauro
maurox_59221
Nimbostratus
Nov 27, 2013
Hi Kevin,

any ideas on how to bypass the APM module for the first client's requests? As I've noticed, all the devices except the ipad start the session contacting the application with a URI /Microsoft-Server-ActiveSync (without user's information ), than the server asks for credentials and the device send the user information on the URI...

But my APM policy will accept/start the session only if the regex of the irule implemented match "User" on the URI....

Thank in advance for your help,

Mauro
Kevin_Stewart
Employee
Nov 27, 2013
You could inspect the requests in an HTTP_REQUEST event and disable the policy evaluation using the ACCESS::disable command. Not 100% sure of the logic here yet though. Does /Microsoft-Server-ActiveSync get called multiple times and/or is there anything unique about this first request other than missing user information?

Forum Discussion

Ldap query from ltm

38 Replies

F5 Architecture Track Sessions - AppWorld 2026

Recent Discussions

Cisco TACACS+ Config on ISE LTM Pair

Illegal Metacharacter in Parameter Name in Json Data

AS3 declaration to set cookie to preferred

SSL Bridging and FQDN rewrite Policy

Checking for X-Forwarded-For against an Address Data-Group

Related Content

LDAP Query for Attribute

LDAP Auth, LDAP Query with UPN fails

LDAP Proxy

LDAPS vip - how to?

LDAP StartTLS Extension to LDAPS Proxy

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS