Unbind your LDAP servers with iRules
LDAP is one of the most widely used authentication protocols around today. There are plenty of others, but LDAP is undeniably one of the big ones. It comes as no surprise then that we often hear diff...
Published Oct 09, 2008
Version 1.0
Colin_Walker_12
Historic F5 Account
Joined May 12, 2005
Nat_Thirasuttakorn
Apr 21, 2009, Employee
Answer to michaelwingender's question:
I believe most LDAP implementations support implicit unbind when the TCP connection is closed. However, I am not an LDAP expert at all. I know LDAP from a networking perspective, not as an LDAP admin. So any feedback is very much appreciated.
Answer to rasputnik's question:
Yes, this iRule intends to demonstrate a simple technique to keep the server connection open. It is assumed that servers support rebind on the same TCP connection. It is also possible to use an iRule to strip off the bind message.
This iRule is suitable for a simple and secure environment, such as between the web tier and the application tier. To use this technique in a more secure way, security checks should be added to the iRule, for example: make sure the first message from the client is a bind message, restrict access to some IP addresses, etc.
Answer to tbernath's question:
1) the client is binding on each request, I want to eat those on the F5
You can use the same technique. This iRule detects the unbind message type (which is 2) at the line below:
if { [expr $ber_type & 0x1f] == 2 } {
You may just change it to 0 (the bind request message type is one). Don't detach; swallow the bind request using the TCP::payload command and send a bind-successful response to the client with TCP::respond. Here is a basic example:
if { [expr $ber_type & 0x1f] == 0 } {
    TCP::payload replace 0 [TCP::payload length] ""
    TCP::respond $bind_success
}
If the client always uses message id 1, anonymous bind, and the same bind DN, this bind response message may always be the same. Otherwise, you may need to craft the bind_response message on the fly.
2) do the rebind automatically
One technique that you can use is to save the previous client's bind message for reuse. Once there is a need to rebind, you can either put the saved bind message at the beginning of TCP::payload or use TCP::respond in the SERVER_CONNECTED event. Here is an example:
TCP::payload replace 0 0 $save_bind_message
To save the bind message, you may simply catch it the first time that the client sends a bind message and perform this:
set save_bind_message [TCP::payload]
(assuming TCP::payload only contains the bind message)
This technique may only work with simple authentication and not SASL. SASL may require a more complicated iRule, or it may not be possible at all.
If you have further questions, please post them to the iRule forum. (Usually, I don't monitor this page, and I am sorry for the late reply.)
Thank you very much for all questions and comments,
Nat
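The decisions Nat describes above (detect the protocolOp type from the BER identifier octet, swallow a client bind and answer it locally, keep the client's bind for replay when the server side reconnects, and check that the first client message is a bind) are shown below in Python as an added example. It is not code from the original post or from F5's iRule; it stands in for the TCP::payload / TCP::respond / SERVER_CONNECTED logic so the byte-level handling can be run offline. It follows RFC 4511: an LDAPMessage is a SEQUENCE of an INTEGER messageID and a protocolOp whose identifier octet is APPLICATION class, with BindRequest tagged [APPLICATION 0] (octet 0x60), BindResponse [APPLICATION 1] (0x61) and UnbindRequest [APPLICATION 2] (0x42), so `$ber_type & 0x1f` in the iRule is the tag number. The ProxySession state, the handler names, and the sample DN and password are hypothetical and constructed for the example.

```python
"""Added example (not from the original post): BER/LDAP message walker plus
the bind-swallowing and bind-replay decisions of the iRule, in Python."""
from dataclasses import dataclass
from typing import Optional, Tuple

BIND_REQUEST = 0     # [APPLICATION 0], identifier octet 0x60 (constructed)
BIND_RESPONSE = 1    # [APPLICATION 1], identifier octet 0x61
UNBIND_REQUEST = 2   # [APPLICATION 2], identifier octet 0x42 (NULL, length 0)

TAG_INTEGER, TAG_OCTET_STRING, TAG_ENUMERATED, TAG_SEQUENCE = 0x02, 0x04, 0x0A, 0x30
CLASS_APPLICATION = 0x40
CONSTRUCTED = 0x20


def read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Decode one BER TLV at buf[pos]; return (identifier octet, value, next offset)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated BER header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: 0x80|n, then n length octets
        n = length & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("bad BER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    value = buf[pos:pos + length]
    if len(value) != length:
        raise ValueError("truncated BER value")
    return tag, value, pos + length


def encode_tlv(tag: int, value: bytes) -> bytes:
    """Encode one BER TLV with a definite (short or long form) length."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    len_octets = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(len_octets)]) + len_octets + value


def encode_int(n: int) -> bytes:
    """Minimal two's-complement INTEGER content octets (messageID is an INTEGER)."""
    return n.to_bytes((n.bit_length() + 8) // 8, "big", signed=True)


def parse_ldap_message(buf: bytes) -> Tuple[int, int, int]:
    """Return (messageID, protocolOp tag number, end offset) of the LDAPMessage at buf[0]."""
    tag, body, end = read_tlv(buf, 0)
    if tag != TAG_SEQUENCE:
        raise ValueError("LDAPMessage must be a SEQUENCE")
    tag, msgid_bytes, pos = read_tlv(body, 0)
    if tag != TAG_INTEGER:
        raise ValueError("messageID must be an INTEGER")
    op_tag, _op_body, _ = read_tlv(body, pos)
    if (op_tag & 0xC0) != CLASS_APPLICATION:
        raise ValueError("protocolOp must be APPLICATION class")
    return int.from_bytes(msgid_bytes, "big", signed=True), op_tag & 0x1F, end


def build_bind_response(msgid: int, result_code: int = 0) -> bytes:
    """BindResponse for the given messageID; result_code 0 = success, empty matchedDN/diag."""
    body = (encode_tlv(TAG_ENUMERATED, bytes([result_code]))
            + encode_tlv(TAG_OCTET_STRING, b"")
            + encode_tlv(TAG_OCTET_STRING, b""))
    op = encode_tlv(CLASS_APPLICATION | CONSTRUCTED | BIND_RESPONSE, body)   # 0x61
    return encode_tlv(TAG_SEQUENCE, encode_tlv(TAG_INTEGER, encode_int(msgid)) + op)


def build_simple_bind_request(msgid: int, dn: str, password: str) -> bytes:
    """Constructed sample input: LDAPv3 BindRequest with simple authentication [CONTEXT 0]."""
    body = (encode_tlv(TAG_INTEGER, b"\x03")
            + encode_tlv(TAG_OCTET_STRING, dn.encode())
            + encode_tlv(0x80, password.encode()))
    op = encode_tlv(CLASS_APPLICATION | CONSTRUCTED | BIND_REQUEST, body)    # 0x60
    return encode_tlv(TAG_SEQUENCE, encode_tlv(TAG_INTEGER, encode_int(msgid)) + op)


def build_unbind_request(msgid: int) -> bytes:
    """Constructed sample input: UnbindRequest is [APPLICATION 2] NULL, i.e. 0x42 0x00."""
    return encode_tlv(TAG_SEQUENCE, encode_tlv(TAG_INTEGER, encode_int(msgid)) + b"\x42\x00")


@dataclass
class ProxySession:                       # hypothetical per-client-connection state
    saved_bind: Optional[bytes] = None    # last client BindRequest, replayed on server connect
    seen_first: bool = False


def handle_client_message(session: ProxySession, payload: bytes):
    """Decide what to do with one client-side LDAPMessage (the CLIENT_DATA logic).

    Returns (action, reply): 'reject' if the first message is not a bind,
    'swallow' with an optional reply to send back to the client, or 'forward'.
    """
    msgid, op, end = parse_ldap_message(payload)
    if end != len(payload):               # the iRule assumes one whole message per payload
        raise ValueError("expected exactly one LDAPMessage in the buffer")
    if not session.seen_first:
        session.seen_first = True
        if op != BIND_REQUEST:            # security check suggested in the post
            return "reject", None
    if op == BIND_REQUEST:
        session.saved_bind = payload      # keep for rebind; answer the client locally
        return "swallow", build_bind_response(msgid)
    if op == UNBIND_REQUEST:
        return "swallow", None            # never hand the unbind to the pooled server side
    return "forward", None


def on_server_connected(session: ProxySession) -> bytes:
    """Bytes to send first on a fresh server-side connection (the SERVER_CONNECTED logic)."""
    return session.saved_bind or b""


if __name__ == "__main__":
    s = ProxySession()
    bind = build_simple_bind_request(1, "cn=admin,dc=example,dc=com", "secret")
    print(handle_client_message(s, bind))
    print(handle_client_message(s, build_unbind_request(2)), on_server_connected(s).hex())
```

Two practical points follow from the code rather than the iRule. The replayed bind in on_server_connected makes the server emit its own BindResponse, which must be swallowed on the server side as well, or the client receives an answer to a messageID it may have already reused. And build_bind_response always returns success, so with this design the proxy never evaluates the client's credentials itself; that is why the post restricts the technique to a trusted web-tier to application-tier path with source-address restrictions.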