For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Andrés_Ortiz_10's avatar
Andrés_Ortiz_10
Icon for Nimbostratus rankNimbostratus
Jun 21, 2007

LDAP traffic

Hi,     I try to address my LDAP traffic according to it belongs to a IP range or another.   I think that I can do this by this way but   I don't know how to describe and compare range ...
application delivery
dev
devops
iRules
Deb_Allen_18's avatar
Deb_Allen_18
Historic F5 Account
Jun 21, 2007
To perform comparison of client IP address with a list of addresses or subnets in a Data Group List (class), define your class as type "Address", then use matchclass instead of findclass.

First define these classes as type "Address":

class LDAP_GroupA {
  "network 10.16.13.0/26"
  "host 10.10.10.1"
}
class myPoolB{
  "network 10.16.13.64/26"
  "host 10.10.10.2"
}
Then this iRule will distribute the traffic:
when RULE_INIT {
  set ::defaultPool myPool
}
when CLIENT_ACCEPTED {
  TCP::collect
}
when CLIENT_DATA {
  set LoginIP [findstr [TCP::payload] LOGIN-IP 9 "MSISDN"]
  if {$LoginIP != ""}{
    if { [matchclass $LoginIP equals $::LDAP_GroupA]}{
      pool PoolA
    } elseif { [matchclass $LoginIP equals $::LDAP_GroupB]}{
      pool PoolA
    }
  } else {
    pool $::defaultPool
  }
  TCP::release
}
Any request with no LOGIN-IP value or an address not in either class will go to the default pool.

HTH

/deb