LDAPS account interception through Virtual Server - Is it possible

If you only need to know when user X tries to login and get client IP :

when HTTP_REQUEST {
    if { ( [string tolower [HTTP::uri]] equals "/loginform.html" ) and ( [HTTP::method] equals "POST" ) } {
        HTTP::collect [HTTP::header Content-Length]
    }
}
when HTTP_REQUEST_DATA {
    set username "unknown"
    foreach x [split [string tolower [HTTP::payload]] "&"] {
        if { $x starts_with "username=" } {
            set username [lindex [split $x "="] 1]
        }
    }
    log local0. "User $username attempted login from [IP::client_addr]:[TCP::client_port]"
}

Hi!

What kind of virtual serveur is it ? Just tcp/udp or full HTTP proxy?

I think you can try to drop sume irule in your VS to log stuff :

To log your SNAT session (so you can lookup by IP:Port and datetime from your ldaps to get the mapping to original IP :

when SERVER_CONNECTED {
     log clientside connection details to /var/log/ltm
    log local0. "Clientside connection: [clientside {IP::remote_addr}]:[clientside {TCP::remote_port}] to [clientside {IP::local_addr}]:[clientside {TCP::local_port}]"
     log serverside connection details to /var/log/ltm
    log local0. "Serverside connection: [IP::local_addr]:[TCP::local_port] to [IP::remote_addr]:[TCP::remote_port]"
}

If your VS is full HTTP you could add other rules to log this only when your username is detected in the payload.

Regards,

Hi!

How is the login/password passed to the backend server ? Is it POST request ? If yes what is the name of the usernae field ?

Edit : could you also provide the form URL (replace sensitive data with dummy value if needed. It is just to get a template for the irule