LDAP Proxy

Problem this snippet solves:

Summary: An LDAP proxy used send read/write requests to different pools.

For anyone that is interested, I recently was posed with the problem of proxying ldap requests. The requirement was to send read and write requests to different pools. As any familiar with ldap knows, you need to send a bind request to authenticate. The following will transparently resend the bind requests to the newly selected server prior to sending the new read/write request.

Other functionality could be added to this, such as more verification of the ldap fields to ensure a valid request is being made.

The expr commands could be optimized with proper bracing. See the TCL expr wiki page for details

Code :

class ldap_writes {
   6
   8
   10
   12
}

# v11 compatabile version


when RULE_INIT {
    # Read Pool
    set static::readPool sun_ldap_read

    # Write Pool
    set static::writePool sun_ldap_write

    # Turn on debugging
    set static::ldap_debug 0

    # A lookup table for debugging
    array set static::msg_types {
           0 "bind request"
           1 "bind response"
           2 "unbind request"
           3 "search request"
           4 "search response"
           6 "modify request"
           7 "modify response"
           8 "add request"
           9 "add response"
          10 "delete request"
          11 "delete response"
          12 "modifydn request"
          13 "modifydn response"
          14 "compare request"
          15 "compare response"
          16 "abandon request"
          23 "extended request"
          24 "extended response"
    }
}

when CLIENT_ACCEPTED {  
    set rebind 0
    set binding ""
    set replayop ""
    set writing 0
    TCP::collect
}

when CLIENT_DATA {
    # Grab the current payload collected
    set payload [TCP::payload]

    # Pull the first 2 bytes.  
    binary scan $payload H2c ber_t ber_len

    # The first byte is the tag signifying an LDAP message, 
    # Always is hex 30, if that is not so reject

    if { $ber_t ne "30" } {
        reject
        return
    }

    # The second byte is one of two values:
    #       a) The length of the packet minus the above
    #          defining byte and the length byte
    #    OR 
    #       b) an octet describing how many subsequent bytes
    #          hold the packet length
    # In either case the message type (what we are after)
    # follows the message id field which too can be a variable
    # number of bytes. 

    set len_bytes 0
    if { [expr {[expr {$ber_len + 0x100} % 0x100]} & 128] > 0 } {
set len_bytes [expr {[expr ($ber_len + 0x100) % 0x100]} & 127]
    }

    # How many bytes is the message id
    binary scan $payload x[expr {3 + $len_bytes}]c msgid_bytes

    # The message type is then 4 bytes + number length bytes + number of
    # message id bytes offset.
    binary scan $payload x[expr {4 + $len_bytes + $msgid_bytes}]c msgtype

    # msgtype - BER encoded value, bits 1-5 are the actual 
    # type, 6 is the data type, 7-8 are the data class  
    # Here we only care about the lower 5 bits
    set msgtype [expr {$msgtype & 31}]

    if {$static::ldap_debug and 
        [catch {
              log local0. "message type is: $static::msg_types($msgtype) $msgtype"
         }
        ] 
       } {
       log local0. "Bad message type: $msgtype"
       reject
    }

    # Each connection should start with a bind request
    # We'll save this packet for later rebinding when we 
    # flip between servers
    if { $msgtype == 0 } {
       if {$static::ldap_debug} {log local0. "Bind Request with: ldap_read"}
       set writing 0
       set rebind 0
       set binding $payload
       LB::detach
       pool $static::readPool

    # If we come across a write request and are currently not 
    # sending data to the write pool, detach, and set the rebind 
    # flag so we can send the bind packet before we actually send 
    # our write request
    } elseif {[class match -- $msgtype equals ldap_writes] and $writing != 1} { 
       if {$static::ldap_debug} {log local0. "Rebinding with: ldap_write"}
       set rebind 1
       set writing 1
       set replayop $payload
       TCP::payload replace 0 [TCP::payload length] $binding
       LB::detach
       pool $static::writePool

    # If we come across a read request while we are bound to a write server
    # we need to detach and rebind with a read server from the read pool
    } elseif {![class match -- $msgtype equals ldap_writes] and $writing == 1} {
       if {$static::ldap_debug} {log local0. "Rebinding with: ldap_read"}
       set rebind 1
       set writing 0
       set replayop $payload
       TCP::payload replace 0 [TCP::payload length] $binding
       LB::detach
       pool $static::readPool
    }
    TCP::release
    TCP::collect
}

when SERVER_CONNECTED {
    # A change in the type of request has been detected
    # requiring a rebind, we've sent the bind now we need to
    # wait for the response before we send the actual request
    if { $rebind == 1 } {
        TCP::collect
    }
}

when SERVER_DATA {
    if { $rebind == 1 } {
        set rebind 0
        # See above for details on this block.  Stupid iRules, no proc grrrr
        set payload [TCP::payload]

        # Pull the first 2 bytes.  
        binary scan $payload H2c ber_t ber_len
        set len_bytes 0
        if { [expr {[expr {($ber_len + 0x100) % 0x100}]} & 128] > 0 } {
            set len_bytes [expr {[expr ($ber_len + 0x100) % 0x100]} & 127]
        }

        binary scan $payload x[expr {3 + $len_bytes}]c msgid_bytes

        binary scan $payload x[expr {4 + $len_bytes + $msgid_bytes}]c msgtype

        set msgtype [expr {$msgtype & 31}]

        # If the msgtype we have here is for a bind response just discard 
        # it as we don't need to send it to the client
        if {$msgtype == 1 } {
            TCP::payload replace 0 [TCP::payload length] ""
        }
        # Now send the actual read or write op to the server
        # It should now have processed the bind
        TCP::respond $replayop
    }
    TCP::release
}

# v10 CMP compatible version

when RULE_INIT {
    # Read Pool
    set static::readPool sun_ldap_read

    # Write Pool
    set static::writePool sun_ldap_write

    # Turn on debugging
    set static::ldap_debug 0

    # A lookup table for debugging
    array set static::msg_types {
           0 "bind request"
           1 "bind response"
           2 "unbind request"
           3 "search request"
           4 "search response"
           6 "modify request"
           7 "modify response"
           8 "add request"
           9 "add response"
          10 "delete request"
          11 "delete response"
          12 "modifydn request"
          13 "modifydn response"
          14 "compare request"
          15 "compare response"
          16 "abandon request"
          23 "extended request"
          24 "extended response"
    }
}

when CLIENT_ACCEPTED {  
    set rebind 0
    set binding ""
    set replayop ""
    set writing 0
    TCP::collect
}

when CLIENT_DATA {
    # Grab the current payload collected
    set payload [TCP::payload]

    # Pull the first 2 bytes.  
    binary scan $payload H2c ber_t ber_len

    # The first byte is the tag signifying an LDAP message, 
    # Always is hex 30, if that is not so reject

    if { $ber_t ne "30" } {
        reject
        return
    }

    # The second byte is one of two values:
    #       a) The length of the packet minus the above
    #          defining byte and the length byte
    #    OR 
    #       b) an octet describing how many subsequent bytes
    #          hold the packet length
    # In either case the message type (what we are after)
    # follows the message id field which too can be a variable
    # number of bytes. 

    set len_bytes 0
    if { [expr [expr ($ber_len + 0x100) % 0x100] & 128] > 0 } {
        set len_bytes [expr [expr ($ber_len + 0x100) % 0x100] & 127]
    }

    # How many bytes is the message id
    binary scan $payload x[expr 3 + $len_bytes]c msgid_bytes

    # The message type is then 4 bytes + number length bytes + number of
    # message id bytes offset.
    binary scan $payload x[expr 4 + $len_bytes + $msgid_bytes]c msgtype

    # msgtype - BER encoded value, bits 1-5 are the actual 
    # type, 6 is the data type, 7-8 are the data class  
    # Here we only care about the lower 5 bits
    set msgtype [expr $msgtype & 31]

    if {$static::ldap_debug and 
        [catch {
              log local0. "message type is: $static::msg_types($msgtype) $msgtype"
         }
        ] 
       } {
       log local0. "Bad message type: $msgtype"
       reject
    }

    # Each connection should start with a bind request
    # We'll save this packet for later rebinding when we 
    # flip between servers
    if { $msgtype == 0 } {
       if {$static::ldap_debug} {log local0. "Bind Request with: ldap_read"}
       set writing 0
       set rebind 0
       set binding $payload
       LB::detach
       pool $static::readPool

    # If we come across a write request and are currently not 
    # sending data to the write pool, detach, and set the rebind 
    # flag so we can send the bind packet before we actually send 
    # our write request
    } elseif {[matchclass $msgtype equals $::ldap_writes] and $writing != 1} { 
       if {$static::ldap_debug} {log local0. "Rebinding with: ldap_write"}
       set rebind 1
       set writing 1
       set replayop $payload
       TCP::payload replace 0 [TCP::payload length] $binding
       LB::detach
       pool $static::writePool

    # If we come across a read request while we are bound to a write server
    # we need to detach and rebind with a read server from the read pool
    } elseif {![matchclass $msgtype equals $::ldap_writes] and $writing == 1} {
       if {$static::ldap_debug} {log local0. "Rebinding with: ldap_read"}
       set rebind 1
       set writing 0
       set replayop $payload
       TCP::payload replace 0 [TCP::payload length] $binding
       LB::detach
       pool $static::readPool
    }
    TCP::release
    TCP::collect
}

when SERVER_CONNECTED {
    # A change in the type of request has been detected
    # requiring a rebind, we've sent the bind now we need to
    # wait for the response before we send the actual request
    if { $rebind == 1 } {
        TCP::collect
    }
}

when SERVER_DATA {
    if { $rebind == 1 } {
        set rebind 0
        # See above for details on this block.  Stupid iRules, no proc grrrr
        set payload [TCP::payload]
    
        # Pull the first 2 bytes.  
        binary scan $payload H2c ber_t ber_len
        set len_bytes 0
        if { [expr [expr ($ber_len + 0x100) % 0x100] & 128] > 0 } {
            set len_bytes [expr [expr ($ber_len + 0x100) % 0x100] & 127]
        }
            
        binary scan $payload x[expr 3 + $len_bytes]c msgid_bytes

        binary scan $payload x[expr 4 + $len_bytes + $msgid_bytes]c msgtype

        set msgtype [expr $msgtype & 31]

        # If the msgtype we have here is for a bind response just discard 
        # it as we don't need to send it to the client
        if {$msgtype == 1 } {
            TCP::payload replace 0 [TCP::payload length] ""
        }
        # Now send the actual read or write op to the server
        # It should now have processed the bind
        TCP::respond $replayop
    }
    TCP::release
}

# v9 compatible version

when RULE_INIT {
    # Read Pool
    set ::readPool sun_ldap_read

    # Write Pool
    set ::writePool sun_ldap_write

    # Turn on debugging
    set ::debug 0

    # A lookup table for debugging
    array set ::msg_types {
           0 "bind request"
           1 "bind response"
           2 "unbind request"
           3 "search request"
           4 "search response"
           6 "modify request"
           7 "modify response"
           8 "add request"
           9 "add response"
          10 "delete request"
          11 "delete response"
          12 "modifydn request"
          13 "modifydn response"
          14 "compare request"
          15 "compare response"
          16 "abandon request"
          23 "extended request"
          24 "extended response"
    }
}

when CLIENT_ACCEPTED {  
    set rebind 0
    set binding ""
    set replayop ""
    set writing 0
    TCP::collect
}

when CLIENT_DATA {
    # Grab the current payload collected
    set payload [TCP::payload]

    # Pull the first 2 bytes.  
    binary scan $payload H2c ber_t ber_len

    # The first byte is the tag signifying an LDAP message, 
    # Always is hex 30, if that is not so reject

    if { $ber_t ne "30" } {
        reject
        return
    }

    # The second byte is one of two values:
    #       a) The length of the packet minus the above
    #          defining byte and the length byte
    #    OR 
    #       b) an octet describing how many subsequent bytes
    #          hold the packet length
    # In either case the message type (what we are after)
    # follows the message id field which too can be a variable
    # number of bytes. 

    set len_bytes 0
    if { [expr [expr ($ber_len + 0x100) % 0x100] & 128] > 0 } {
        set len_bytes [expr [expr ($ber_len + 0x100) % 0x100] & 127]
    }

    # How many bytes is the message id
    binary scan $payload x[expr 3 + $len_bytes]c msgid_bytes

    # The message type is then 4 bytes + number length bytes + number of
    # message id bytes offset.
    binary scan $payload x[expr 4 + $len_bytes + $msgid_bytes]c msgtype

    # msgtype - BER encoded value, bits 1-5 are the actual 
    # type, 6 is the data type, 7-8 are the data class  
    # Here we only care about the lower 5 bits
    set msgtype [expr $msgtype & 31]

    if {$::debug and 
        [catch {
              log local0. "message type is: $::msg_types($msgtype) $msgtype"
         }
        ] 
       } {
       log local0. "Bad message type: $msgtype"
       reject
    }

    # Each connection should start with a bind request
    # We'll save this packet for later rebinding when we 
    # flip between servers
    if { $msgtype == 0 } {
       if {$::debug} {log local0. "Bind Request with: ldap_read"}
       set writing 0
       set rebind 0
       set binding $payload
       LB::detach
       pool $::readPool

    # If we come across a write request and are currently not 
    # sending data to the write pool, detach, and set the rebind 
    # flag so we can send the bind packet before we actually send 
    # our write request
    } elseif {[matchclass $msgtype equals $::ldap_writes] and $writing != 1} { 
       if {$::debug} {log local0. "Rebinding with: ldap_write"}
       set rebind 1
       set writing 1
       set replayop $payload
       TCP::payload replace 0 [TCP::payload length] $binding
       LB::detach
       pool $::writePool

    # If we come across a read request while we are bound to a write server
    # we need to detach and rebind with a read server from the read pool
    } elseif {![matchclass $msgtype equals $::ldap_writes] and $writing == 1} {
       if {$::debug} {log local0. "Rebinding with: ldap_read"}
       set rebind 1
       set writing 0
       set replayop $payload
       TCP::payload replace 0 [TCP::payload length] $binding
       LB::detach
       pool $::readPool
    }
    TCP::release
    TCP::collect
}

when SERVER_CONNECTED {
    # A change in the type of request has been detected
    # requiring a rebind, we've sent the bind now we need to
    # wait for the response before we send the actual request
    if { $rebind == 1 } {
        TCP::collect
    }
}

when SERVER_DATA {
    if { $rebind == 1 } {
        set rebind 0
        # See above for details on this block.  Stupid iRules, no proc grrrr
        set payload [TCP::payload]
    
        # Pull the first 2 bytes.  
        binary scan $payload H2c ber_t ber_len
        set len_bytes 0
        if { [expr [expr ($ber_len + 0x100) % 0x100] & 128] > 0 } {
            set len_bytes [expr [expr ($ber_len + 0x100) % 0x100] & 127]
        }
            
        binary scan $payload x[expr 3 + $len_bytes]c msgid_bytes

        binary scan $payload x[expr 4 + $len_bytes + $msgid_bytes]c msgtype

        set msgtype [expr $msgtype & 31]

        # If the msgtype we have here is for a bind response just discard 
        # it as we don't need to send it to the client
        if {$msgtype == 1 } {
            TCP::payload replace 0 [TCP::payload length] ""
        }
        # Now send the actual read or write op to the server
        # It should now have processed the bind
        TCP::respond $replayop
    }
    TCP::release
}
Published Mar 18, 2015
Version 1.0
application delivery
devops
iRules
proxy
  • SysTopher's avatar
    SysTopher
    Icon for Nimbostratus rankNimbostratus
    Jan 15, 2016
    The first thing my F5 complains about is: 01070151:3: Rule [/Common/LDAP_PROXY_irule] error: /Common/LDAP_PROXY_irule:1: error: [command is not valid in the current scope][class ldap_writes { 6 8 10 12 }]
  • Adam_Ali_246975's avatar
    Adam_Ali_246975
    Icon for Nimbostratus rankNimbostratus
    Jan 30, 2016
    Hi Richard, nice iRule. I have the same requirement but we are running version 10.2.0 of F5 BIG-IP. is that a problem or the iRule still supported under version 10.x? Also for the ldap_write servers, I need to handle failover. One of the two write servers should be active at any given time and if the server is not responding, then the server should be marked down and the other one becomes enabled to receive the write request. Have you wrote any LDAP monitor to cover that under BIG-IP v10.x?
  • Kai_Wilke's avatar
    Kai_Wilke
    Icon for MVP rankMVP
    Feb 29, 2016
    Hi Richard, I've just developed a LDAP-StartTLS Proxy iRule. Initially I've started to recycle some parts of your iRule, but then decided to write a new BER parsing logic to make it a little less complicated (e.g. Bit-Mask compare for long form length detection) and to become more BER compliant (e.g. allow long form integer length values). Anyhow, your iRule was still a good starting point for me. You'll find the LDAP-StartTLS Proxy iRule here...https://devcentral.f5.com/s/articles/ldap-starttls-extension-to-ldaps-proxy Cheers, Kai
  • Ganesh_Garg's avatar
    Ganesh_Garg
    Icon for Nimbostratus rankNimbostratus
    May 21, 2018

    Hello Kai,

    I have a requirement to capture the LDAP request(UID) in the F5 logs. we have LDAP virtual server configured on port 636. request you to please help in creating the IRULE. I have tried the below IRULE, But it only captures the client IP with event Client_Accepted. seems that ClientSSL_DATA is not even triggered.

    when CLIENT_ACCEPTED {

TCP::collect
log local0. "Ldap query from [IP::client_addr]:[TCP::client_port] to [IP::local_addr]:[TCP::local_port]"
TCP::release
}

when CLIENTSSL_HANDSHAKE {
    SSL::collect
}
when CLIENTSSL_DATA {
 set payload [SSL::payload]
    log local0. "LDAP query with UID [SSL::payload]"
    SSL::release
}
  • Scott_Larson's avatar
    Scott_Larson
    Icon for Nimbostratus rankNimbostratus
    Oct 08, 2022

    Are there any more recent examples of an iRule (or iRules LX) which are written to break up LDAP requests and operate on them?  These are all written 6+ years ago.  Is there anything more current out there?

    I'm looking for any iRules that can parse (cleartext) LDAP requests (Bind, Search, Add, Modify, Delete) to call iRulesLX functions to handle each of those LDAP operations (Bind, Search, Add, Modify, Delete) in a custom manner (some of the data we'll send directly on to ActiveDirectory after some massaging, others we'll send to our RDBMS to store).

    Does anyone have anything more current than this (which was a fine example in it's day)....