Forum Discussion
LDAPS account interception through Virtual Server - Is it possible
- May 28, 2021
Ok, I got it.
I was thinking your users were consuming a website via a virtual server, getting prompted to log on by the website, and then the website used the credentials provided by the user to authenticate through LDAPS.
If your VS is your LDAPS servers, then you cannot read the payload, as it is encrypted. What you need to do is to log every SNAT with:
when SERVER_CONNECTED { log local0. "Clientside connection: [clientside {IP::remote_addr}]:[clientside {TCP::remote_port}] to [clientside {IP::local_addr}]:[clientside {TCP::local_port}] is SNAT to : [IP::local_addr]:[TCP::local_port] to [IP::remote_addr]" }
Then retrieve from your LDAPS logs the IP AND port used for login attempts and look up this IP/port in the ltm logs, which will reveal the origin source IP.
Regards,
Hi!
What kind of virtual server is it? Just TCP/UDP or a full HTTP proxy?
I think you can try to drop some iRule in your VS to log stuff:
To log your SNAT session (so you can look up by IP:Port and datetime from your LDAPS to get the mapping to the original IP):
when SERVER_CONNECTED {
    # log clientside connection details to /var/log/ltm
    log local0. "Clientside connection: [clientside {IP::remote_addr}]:[clientside {TCP::remote_port}] to [clientside {IP::local_addr}]:[clientside {TCP::local_port}]"
    # log serverside connection details to /var/log/ltm
    log local0. "Serverside connection: [IP::local_addr]:[TCP::local_port] to [IP::remote_addr]:[TCP::remote_port]"
}
If your VS is full HTTP you could add other rules to log this only when your username is detected in the payload.
Regards,
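The lookup step both replies describe (take the IP:port of a failed bind from the LDAPS server log, find the matching SNAT record in /var/log/ltm, and read off the original client IP) is easy to get wrong by hand because ephemeral SNAT ports are reused. The following is an added example, not code from either post or from F5: it parses constructed ltm lines in the shape the SERVER_CONNECTED iRule above would write, constructed slapd-style LDAPS log lines (assumed format; an Active Directory or other directory will log differently), and correlates them using the timestamp so that a reused port maps to the connection that was open at that time. Hostnames, PIDs and addresses are made up.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed /var/log/ltm sample, as the SERVER_CONNECTED iRule would log it.
# Note port 40001 is reused by a different client five minutes later.
LTM_LOG = """\
May 28 10:15:02 bigip1 info tmm[1234]: Rule /Common/log_snat <SERVER_CONNECTED>: Clientside connection: 10.1.1.50:51234 to 192.0.2.10:636 is SNAT to : 10.2.2.5:40001 to 172.16.0.20
May 28 10:15:09 bigip1 info tmm[1234]: Rule /Common/log_snat <SERVER_CONNECTED>: Clientside connection: 10.1.1.77:49800 to 192.0.2.10:636 is SNAT to : 10.2.2.5:40002 to 172.16.0.20
May 28 10:20:30 bigip1 info tmm[1234]: Rule /Common/log_snat <SERVER_CONNECTED>: Clientside connection: 10.1.1.99:50100 to 192.0.2.10:636 is SNAT to : 10.2.2.5:40001 to 172.16.0.20
"""

# Constructed slapd-style LDAPS server log (assumed format). err=49 is invalidCredentials.
LDAP_LOG = """\
May 28 10:15:02 ldap1 slapd[999]: conn=1001 fd=12 ACCEPT from IP=10.2.2.5:40001 (IP=0.0.0.0:636)
May 28 10:15:03 ldap1 slapd[999]: conn=1001 op=0 BIND dn="cn=admin,dc=example,dc=com" method=128
May 28 10:15:03 ldap1 slapd[999]: conn=1001 op=0 RESULT tag=97 err=49 text=
May 28 10:15:09 ldap1 slapd[999]: conn=1002 fd=13 ACCEPT from IP=10.2.2.5:40002 (IP=0.0.0.0:636)
May 28 10:15:10 ldap1 slapd[999]: conn=1002 op=0 BIND dn="cn=alice,dc=example,dc=com" method=128
May 28 10:15:10 ldap1 slapd[999]: conn=1002 op=0 RESULT tag=97 err=0 text=
May 28 10:20:31 ldap1 slapd[999]: conn=1003 fd=12 ACCEPT from IP=10.2.2.5:40001 (IP=0.0.0.0:636)
May 28 10:20:32 ldap1 slapd[999]: conn=1003 op=0 BIND dn="cn=admin,dc=example,dc=com" method=128
May 28 10:20:32 ldap1 slapd[999]: conn=1003 op=0 RESULT tag=97 err=49 text=
"""

TS = r"(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d)"
SNAT_RE = re.compile(TS + r".*Clientside connection: (?P<cip>[\d.]+):\d+ .*is SNAT to : (?P<sip>[\d.]+):(?P<sport>\d+)")
ACCEPT_RE = re.compile(TS + r".*conn=(?P<conn>\d+) fd=\d+ ACCEPT from IP=(?P<ip>[\d.]+):(?P<port>\d+)")
BIND_RE = re.compile(r'conn=(?P<conn>\d+) op=(?P<op>\d+) BIND dn="(?P<dn>[^"]*)"')
RESULT_RE = re.compile(r"conn=(?P<conn>\d+) op=(?P<op>\d+) RESULT tag=97 err=(?P<err>\d+)")


def parse_ts(s):
    # Syslog timestamps carry no year; ordering within a capture is all we need.
    return datetime.strptime(s, "%b %d %H:%M:%S")


def parse_snat_log(text):
    """Return {(snat_ip, snat_port): [(timestamp, client_ip), ...]}, each list time-ordered."""
    table = defaultdict(list)
    for line in text.splitlines():
        m = SNAT_RE.search(line)
        if m:
            table[(m["sip"], int(m["sport"]))].append((parse_ts(m["ts"]), m["cip"]))
    for entries in table.values():
        entries.sort()
    return table


def lookup_client(table, snat_ip, snat_port, when):
    """Client IP behind the most recent SNAT mapping of (ip, port) made at or before `when`.
    The timestamp is what disambiguates a reused ephemeral port."""
    best = None
    for ts, client_ip in table.get((snat_ip, snat_port), []):
        if ts <= when:
            best = client_ip
        else:
            break
    return best


def failed_binds(text, username):
    """Yield (accept_ts, conn, snat_ip, snat_port, dn) for every failed BIND whose DN names `username`."""
    accept = {}  # conn -> (ts, ip, port)
    binds = {}   # (conn, op) -> dn
    dn_pat = re.compile(r"(?i)\b(cn|uid)=%s\b" % re.escape(username))
    for line in text.splitlines():
        m = ACCEPT_RE.search(line)
        if m:
            accept[m["conn"]] = (parse_ts(m["ts"]), m["ip"], int(m["port"]))
            continue
        m = BIND_RE.search(line)
        if m:
            binds[(m["conn"], m["op"])] = m["dn"]
            continue
        m = RESULT_RE.search(line)
        if m and m["err"] != "0":
            dn = binds.get((m["conn"], m["op"]), "")
            if dn_pat.search(dn) and m["conn"] in accept:
                ts, ip, port = accept[m["conn"]]
                yield ts, m["conn"], ip, port, dn


def lockout_sources(ltm_text, ldap_text, username):
    """Return [(accept_timestamp, dn, original_client_ip)] for failed binds of `username`."""
    table = parse_snat_log(ltm_text)
    out = []
    for ts, conn, ip, port, dn in failed_binds(ldap_text, username):
        client = lookup_client(table, ip, port, ts) or "unknown (no SNAT record)"
        out.append((ts.strftime("%b %d %H:%M:%S"), dn, client))
    return out


if __name__ == "__main__":
    for when, dn, client in lockout_sources(LTM_LOG, LDAP_LOG, "admin"):
        print(f"{when}  failed bind as {dn}  from workstation {client}")
```

Two practical points follow from the code: the BIG-IP and the directory server must share a clock (NTP) for the timestamp match to be trustworthy, and the SNAT log must cover the whole window being investigated, otherwise a reused port silently maps to the wrong workstation.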
- Xterminator89, May 28, 2021, Altocumulus
Hello Nicolas, thanks a lot for your reply and details.
The VS in question has a full "Standard" setup.
What I'm trying to achieve is, based on the provided username (e.g. "admin"), to log via iRule the authentication attempts for this user along with the client IP where these attempts are coming from. This is in order to act on the workstations which are causing the account lockout.
Thanks a lot