Forum Discussion
sachin_80710
Nimbostratus
Dec 30, 2014
Oneconnect for LDAP Virtual server
Hi all,
We have a virtual server to load balance an LDAP server pool.
I need a suggestion: can a OneConnect profile be applied to our LDAP virtual server?
Or is OneConnect only for HTTP virtual servers? ...
StephanManthey
Nacreous
Dec 31, 2014
As mentioned before, LDAP works in a different way than HTTP. For a sent HTTP request you can expect an immediate answer which will be matched to the client's request (there is no kind of message or response ID). This type of multiplexing/demultiplexing will be done by OneConnect.
With LDAP you can send a query which keeps a server busy for a while, and during this time your client may send new queries (new message IDs) through the same LDAP bind (authenticated connection between client and directory server). The server may respond asynchronously with replies containing a message ID, allowing the client to match it to the open query. Finally the server may send, e.g., a "search completed" or other response.
So the responses from the server may be distributed over multiple replies and finished by a status message.
AFAIK, TMOS currently does not have an LDAP proxy functionality and OneConnect does not support LDAP. It would be required to write your own iRule to intercept the LDAP traffic. Samples are available to replay the LDAP bind. F5 Professional Services may help you to develop an LDAP proxy iRule.
As already mentioned by Nitass, in newer TMOS versions the Basic Encoding Rules (ASN) are available in iRules to simplify decoding of LDAP messages (structured in serialized type-length-value containers).
Happy new year! :)
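
Added example, not part of the original posts and not F5 or iRule code: a small Python decoder for the LDAPMessage envelope (a BER SEQUENCE holding an INTEGER message ID followed by the operation) that shows replies for two open queries interleaving on one connection. The sample bytes, the placeholder bodies and all function names are constructed for illustration.

```python
# Operation tags (APPLICATION class, constructed) from RFC 4511.
OPS = {0x60: "BindRequest", 0x61: "BindResponse", 0x63: "SearchRequest",
       0x64: "SearchResultEntry", 0x65: "SearchResultDone"}

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) for the BER TLV at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:                      # long form: low 7 bits = length octets
        n = first & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("unsupported or truncated BER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    else:                                 # short form: length is in this octet
        length = first
    if pos + length > len(buf):
        raise ValueError("truncated TLV value")
    return tag, pos, pos + length

def parse_stream(buf):
    """Yield (message_id, operation) for each LDAPMessage in a byte stream."""
    pos = 0
    while pos < len(buf):
        tag, start, end = read_tlv(buf, pos)
        if tag != 0x30:
            raise ValueError("LDAPMessage must be a SEQUENCE")
        itag, istart, iend = read_tlv(buf, start)
        if itag != 0x02 or iend >= end:
            raise ValueError("expected INTEGER messageID followed by an operation")
        yield int.from_bytes(buf[istart:iend], "big"), OPS.get(buf[iend], hex(buf[iend]))
        pos = end

def completed_order(buf):
    """Message IDs in the order their SearchResultDone arrives."""
    return [mid for mid, op in parse_stream(buf) if op == "SearchResultDone"]

def msg(msg_id, op_tag, body=b""):
    """Build a constructed LDAPMessage (short lengths, placeholder body)."""
    inner = bytes([0x02, 0x01, msg_id, op_tag, len(body)]) + body
    return bytes([0x30, len(inner)]) + inner

# Constructed server-to-client stream: replies for queries 2 and 3 interleave.
SAMPLE = (msg(2, 0x64, b"\x04\x01a") + msg(3, 0x64, b"\x04\x01b") +
          msg(3, 0x65) + msg(2, 0x64, b"\x04\x01c") + msg(2, 0x65))

if __name__ == "__main__":
    for mid, op in parse_stream(SAMPLE):
        print(mid, op)
```

Query 3 completes before query 2 even though it was sent later, so a proxy has to track replies by message ID instead of assuming one response per request.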