APM LDAP by path

I'm trying to figure out a means to allow different LDAP query limits for different paths on the same server.

https://example.com/italyonly/ - co=it
https://example.com/groupFoo/ user in in group=foo
https://example.com/employees/ user has workforce=yes
https://example.com/italyonly/employees/ co=it AND workforce=yes

I can add the various ldap queries to a string datagroup indexed by hostname/path (as the virtual server will hopefully handle other servernames too) and insert them into a session.ldapsearch through use of a table/subtable. I tried just variables, but the iRule event ACCESS_POLICY_AGENT_EVENT does not appear to "see" variables created in other sections of the same iRule. This is further complicated when using http2 as request events can happen in different iRule context.

The issue is if I create an "LDAP Query" instance in the APM flow and use something like:

(cn=%{session.oauth.client.last.id_token.cn})

This works fine, but something like:

(&(cn=%{session.oauth.client.last.id_token.cn})(%{session.ldapsearch}))

Does NOT work as session.ldapsearch is RFC-4515 escaped as if it were a single entity instead of a formatted search.

How do people add different LDAP checks for differnt paths on a server using APM?

If this were just a single group membership, I think inserting the one "group name" needed for each host/path would be fairly straight forward.

I would hope that the requested url path would be found in session.server.landinguri but so far I'm testing things in the iRule using variants of [HTTP::host][HTTP::uri] for the lookups.

devops

security

11 Replies

Lucas_Thompson
Employee
Dec 14, 2022
There is a BIG-IP sys db variable that controls this escaping behavior of APM session variables sent to an LDAP query function in APM: apm.ldap.autoescape

To change it from the CLI,

tmsh modify sys db apm.ldap.autoescape value disable
tmsh save sys db
- TimRiker
  Cirrocumulus
  Dec 14, 2022
  That looks exactly like what I want, but unfortunately it does not seem to work.
  Is there anything else I need to do? With this changed and saved, restarted tmm, failed over to another node, failed back, db entry is "disabled" as shown:
  tmsh list sys db apm.ldap.autoescape one-line sys db apm.ldap.autoescape { value "disable" }
  And SearchFilter set to something like:
  (&(cn=%{session.oauth.client.last.id_token.cn})(%{session.ldapsearch}))
  I still get errors like:
  2022-12-13T20:33:35.393-07:00 xxxx warning apmd[8859]: 01490233:4: /Common/access_xxxx:Common:895b427c: LDAP Module: Cannot find any object in search DN 'ou=people,o=org' matching filter '(&(cn=something)(field=\2a))'
  when session.ldapsearch = "field=*"
  Running BIG-IP 15.1.5.1
  - Lucas_Thompson
    Employee
    Dec 14, 2022
    Shoot. Sorry I misunderstood the internal writeup on this. Instead of not escaping itself it looks like it expects *you* to escape it manually. Can you try setting it to "\66\69\65\6C\64\3D\2A"? That should be "field=*".
    
    You're going to have to double-escape them inside the iRule or policy agent config. TCL gets weird with escaping sometimes. The example I've got from bigip.conf where the variable is being set from a var-assign policy agent to "medusademo" to formulate a search filter is:
    
    apm policy agent variable-assign /Common/ldaptest_act_variable_assign_ag { variables { { expression "expr { \"\\\\59\\\\87\\\\FB\\\\A6\\\\AB\\\\1E\\\\D7\\\\40\\\\BE\\\\F8\\\\C7\\\\66\\\\C7\\\\DE\\\\CD\\\\56\" }" varname session.objectguid.foo } } }
    
    apm policy agent aaa-ldap /Common/ldap_query_bar_act_ldap_query_ag { filter "objectGUID=%{session.objectguid.foo}" search-dn cn=users,dc=lab,dc=apm,dc=f5test,dc=local server /Common/ldapQATest4 type query }
    
    If it doesn't work at first, packet capture a plaintext LDAP query so you can see what it's sending on the wire, the escaping might not be exactly right.
Lucas_Thompson
Employee
Dec 19, 2022
OK, great, it sounds like you've found this setting doesn't fuction correctly in your version. Can you get a support case open so we can investigate further? The DB setting is definitely supposed to disable escaping altogether.
- TimRiker
  Cirrocumulus
  Dec 19, 2022
  Lucas_Thompson
  Where is this db setting documented? It's hard to report "not working as documented" when I can't find any documentation.
TimRiker
Cirrocumulus
Dec 30, 2022
I've opened support case 00332440 on Dec 19th which, so far, has not gotten any progress.
- Leslie_Hubertus
  Ret. Employee
  Jan 04, 2023
  Hey TimRiker - happy new year! Any update on this?
  - TimRiker
    Cirrocumulus
    Jan 05, 2023
    Thanks for checking in, Leslie_Hubertus. Last reply from F5 on the open ticket was on Dec 30th.
    I still have not found any documentation on apm.ldap.autoescape

Forum Discussion

APM LDAP by path

11 Replies

Recent Discussions

Overwriting or adding LTM SSL Traffic cert and key using iControlREST

Enabling AVR and creating Profiles

Get associated pool name from VIP IP using F5-LTM

Disacard SSL::cert mode to ignore when default SSLClient profile is set to request or require

About custome Response Blocking Page

Related Content

TMOS Version Update Paths

Redirect the domain name on URL, but keep path as the original URI path

Geolocation accept per url path

LDAP Proxy

APM LDAP auth agent ldap bind works but search fails..