Hi all, I'm searching an irule that would direct all the authenticated users (that belong to a specific group defined on the ldap profile/object) to a specific pool. All the others users (that aren't on that group) have to be redirect to a secondary pool. I've found a lot of more complicated ladp irule but nothing for this scenario...I'm not black belt on writing irule and any help would be appreciated, Best regards, Mauro

I wouldn't recommend trying to write an LDAP query iRule. It's certainly possible, but it's binary and very complex. Your best bet, in my opinion, is to have a look at the Access Policy Manager (APM) module. It'll do what you're asking for very easily and with minimal (if any) iRule coding.

The LDAP auth profile is a remnant of the Advanced Client Authentication (ACA) module, and will soon disappear (reportedly post-v11). It'd also be a very complicated iRule to do what you're asking for, because the ACA LDAP auth iRule is designed specifically for auth and not query. Like I said, you can technically build an LDAP query/proxy with iRules, but you'd probably need an iRules black belt on staff to maintain it. So I think you have three primary options: Investigate upgrading to a platform that supports three modules. Investigate adding another (potentially virtual) LTM/APM layer. Write a service on a local web server that can query LDAP and return the data via HTTP response. With this you can use a sideband call in an iRule to send the request to the web server and get your LDAP data that way.

Hi Kevin, thank you, you're very helpful ! I'll test it soon, but before we need to purchase the APM license for the other (internal) BIG-IP cluster: in the middle, I'm wondering to start this configuration following your previous suggestion: "Write a service on a local web server that can query LDAP and return the data via HTTP response. With this you can use a sideband call in an iRule to send the request to the web server and get your LDAP data that way" I've already asked to my colleagues to configure an internal web server that will contain all the users that have to be authenticated before accessing this application. So,the client (a mobile device) will contact the VIP on the LTM and it will contact the internal web server using an irule: if the user is on the users' list, he could access the pool. If not, it won't access anything and would be dropped. Do you have an irule similar that I could use as an example? Thank you in advance, Mauro

Okay, let's say you have a PHP web server that can make LDAP calls based on a parameter in the query string (ex. "?find=user"). Example: set_time_limit(30); error_reporting(E_ALL); ini_set('error_reporting', E_ALL); ini_set('display_errors',1); $ldapserver = '10.80.0.200'; $ldapuser = 'CN=Administrator,CN=users,DC=mydomain,DC=com'; $ldappass = 'password'; $ldaptree = "CN=Users,DC=mydomain,DC=com"; if(!isset($_REQUEST["find"])) { echo "No query parameter"; } else { // query string parameter to use in search $findthis = $_REQUEST["find"]; // what value(s) to return $justthese = array("userPrincipalName"); $ldapconn = ldap_connect($ldapserver) or die("Could not connect to LDAP server."); if($ldapconn) { $ldapbind = ldap_bind($ldapconn, $ldapuser, $ldappass) or die ("Error trying to bind: ".ldap_error($ldapconn)); if ($ldapbind) { $result = ldap_search($ldapconn,$ldaptree, "(sAMAccountName=$findthis)", $justthese) or die ("Error in search query: ".ldap_error($ldapconn)); $data = ldap_get_entries($ldapconn, $result); if($data["count"] > 0) { echo $data[0]["userprincipalname"][0]; } else { echo "No data"; } } else { echo "LDAP bind failed..."; } } ldap_close($ldapconn); } ** Ref: http://www.php.net/manual/en/function.ldap-search.php

Now, create an internal virtual server to load balance this web service, and apply this iRule to your application virtual server to call the web service (via sideband with a query parameter). when RULE_INIT { user-defined: name of internal web service virtual server set static::WSVIP "webservice-vs" user-defined: debug enable/disable (1/0) set static::DEBUG 1 } when HTTP_REQUEST { Prepare the sideband call set conn [connect -timeout 3000 -idle 30 -status conn_status $static::WSVIP] if { $static::DEBUG } { log local0. "conn_status = $conn_status" } if { $conn eq "" } { if { $static::DEBUG } { log local0. "Sideband connection could not be established" } return } Prepare user information to transmit to APM sideband call set userdata "bob.user" Create the data to send to the APM set data "GET /ldaplookup.php?find=$userdata HTTP/1.1\r\nHost: [HTTP::host]\r\nUser-Agent: cUrl\r\nAccept: */*\r\n\r\n" if { $static::DEBUG } { log local0. "data = $data" } Send the sideband call set send_info [send -timeout 3000 -status send_status $conn $data] if { $static::DEBUG } { log local0. "send_status = $send_status" } Receive the APM response (via data "peek") set start [clock clicks -milliseconds] for {set i 0} {$i <= $static::retries} {incr i} { set recv_data [recv -peek -status peek_status -timeout 10 $conn] if { [string match "HTTP/*\r\n\r\n*" $recv_data] } { if { [string match -nocase "*Content-Length: *" $recv_data] }{ set header_length [expr {[string first "\r\n\r\n" $recv_data] + 4}] set payload_length [findstr [string tolower $recv_data] "content-length: " 16 "\r"] if { $payload_length ne "" and $payload_length > 0 } { set recv_data [recv -peek -timeout 3000 -status recv_status [expr {$header_length + $payload_length}] $conn] break } else { break } } else { break } } } set returned_data [findstr $recv_data "\r\n\r\n" 4] if { $static::DEBUG } { log local0. "recv_data = $recv_data" } if { $static::DEBUG } { log local0. "filtered data = $returned_data" } Close the connection close $conn The data returned from the web server is now in the $returned_data variable... ...do something here... } The send string data now contains a query string instead of an arbitrary header. This could be done either way though. Prepare user information to transmit to APM sideband call set userdata "bob.user" Create the data to send to the APM set data "GET /ldaplookup.php?find=$userdata HTTP/1.1\r\nHost: [HTTP::host]\r\nUser-Agent: cUrl\r\nAccept: */*\r\n\r\n" And then the returned sideband call LDAP data can be found in the $recv_data or $returned_data variables. What you do with that data after this is up to you. Also notice that the web service PHP will return "No data" if the LDAP query doesn't find anything. The $returned_data variable would actually contain this error message, so you could very simply issue a reject based on this value. if { $returned_data equals "No data" } { log local0. "No data found - rejecting user" reject }

Ldap query from ltm | DevCentral

38 Replies

maurox_59221
Nimbostratus
Nov 27, 2013
Hi Kevin,

I've already tested t the ACCESS::disable command, but something on the logic seemed wrong.

This irule where inserted above the irule with the regex (2 irule on this VIP):

when HTTP_REQUEST { if {!([HTTP::uri] contains "User")}{ log local0. "we are here" ACCESS::disable pool pool-activesync } }

I've also tried without the pool but nothing has changed:

when HTTP_REQUEST { if {!([HTTP::uri] contains "User")}{ log local0. "we are here" ACCESS::disable } }

This request is something unique for the first request. The device call the activeserversync server (without passing the user), the server asks for the credentials and the device send them on the URI (at least the User info that we need for the regex on the 2nd irule )

Thank for you help,

Mauro
Kevin_Stewart
Employee
Nov 27, 2013
I think you only want to disable the policy if 1) the user data does not exist in the request, and 2) this is the first request (missing an APM session cookie). You also have to make sure the user can't bypass the access policy by never sending user data or an APM cookie.
maurox_59221
Nimbostratus
Nov 28, 2013
Hi Kevin,

I'm wondering we're near to the solution: first of all, I've disabled all the apm rules and solved some routing problems that I had on the lab enviroment.

Now I have the first irule that bypass the APM with the ACCESS::disable command ; than the device continues the session passing the credentials to the 2nd irule that correctly catches the User info from the URI. Finally the session is estabilished ( I see all the sessions estabilished on the APM session menu) but doesn't work (timeout after a while).

But I'm wondering something is missing with the apm flow: we see some requests for the APM's flow URI /my.policy...maybe we're missing an ACL or something similar ....

any ideas? Thanks in advance,

Mauro
maurox_59221
Nimbostratus
Dec 05, 2013
HI Kevin,

Have you had the chance to read my last update? Do you have an idea on what's happening regarding those "URI /my.policy" logs? Maybe something missing on the APM configuration??

Best regards,

Mauro

Kevin_Stewart

Employee

Dec 05, 2013

So if I recall, we're working on a use case where one client type doesn't send the credentials in the initial request. All others do. Let's talk about a possible program flow.

client makes request to /Microsoft-Server-ActiveSync and does not have an MRHSession token - disable the policy for this request only    

Client traffic is passed through to server where the server asks for authentication in the response

Client sends authentication, like all other clients. Collect the credentials and store in the access policy

You're most likely seeing requests to /my.policy in the server logs because of when and how you're disabling the policy.

maurox_59221
Nimbostratus
Dec 05, 2013
Hi Kevin, yes, but the strange behavior is that it seems that something doesn't work on the last step.

client makes request to /Microsoft-Server-ActiveSync and does not have an MRHSession token - disable the policy for this request only

It seems the irule that has to do this function is working as expected, and as I see the client/server communication proceed .

Client traffic is passed through to server where the server asks for authentication in the response Client sends authentication, like all other clients. Collect the credentials and store in the access policy

It seems that all this queries are managed correctly and, if the user belongs to that group, I can see that the APM session is "estabilished". Before I saw all these session in "pending" state.

The strange behavior is that this "established" sessions don't work, the activesync process failed and I don't know why...

Thanks in advance for your help,

Mauro
maurox_59221
Nimbostratus
Dec 09, 2013
Hi Kevin,

finally it seems I've solved this issue: all the problems with the "established" sessions that didn't work, were on the session cookie that doesn't work as expected on these mobile devices.

So, I've added (using the wizard) an access policy of the type "web application access management" (adding my LDAP query search object previously tested) search and the irule certified and signed by f5 named "_sys_APM_activesync".

This has solved all my problems!!

Thanks for all,

Mauro

Forum Discussion

Ldap query from ltm

38 Replies

F5 Architecture Track Sessions - AppWorld 2026

Recent Discussions

F5 Networks F5CAB1 Exam - Need Help Regarding Prep

Username is not filled in EdgeClient in the Modern customization

The GSLB pool is providing an incorrect IP to end users

iRule causing requests to be duplicated (sometimes)

Cisco TACACS+ Config on ISE LTM Pair

Related Content

LDAP Query for Attribute

LDAP Auth, LDAP Query with UPN fails

LDAP Proxy

LDAPS vip - how to?

iRuleLX Solution for OAUTH JWT authenticated Salesforce Query

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS