Forum Discussion
Kai_Wilke
Jan 24, 2016 (MVP)
Hi SysTopher,
I've polished my test code a little...
The iRule would forward the LDAP(S) requests to a different pool, if the username of the initial simple-bind request matches any of the $static::other_domains strings. In addition it would then translate any requests to the original Base-DN to match the new Base-DN of the other LDAP instance.
Cheers, Kai
Config
when RULE_INIT {
    # Minimalistic simple-bind request LDAP(S) proxy with Base-DN rewrite
    # Configuration of the other LDAP instance username prefixes/suffixes
    set static::other_domains [list "itacs\\" "@itacs.de"] ;# List of lower case domain strings
    # Configuration of the other LDAP(S) instance pool names
    set static::other_ldap_poolname OTHER_LDAP_POOL ;# Value of the other pool name
    set static::other_ldaps_poolname OTHER_LDAPS_POOL ;# Value of the other pool name
    # Configuration of the Base-DN translation strings
    # Important: The Base-DNs MUST have the same length.
    # You have to pad SPACES to match the length
    binary scan "OU=xyz,DC=your-domain,DC=tld" H* temp(dn_default) ;# This is the default Base-DN (28 bytes)
    binary scan "OU=f5-team, DC=itacs, DC=de " H* temp(dn_other) ;# This is the other Base-DN, padded with a trailing SPACE to the same length
    set static::other_base_dn_map [list $temp(dn_default) $temp(dn_other)]
    unset -nocomplain temp
}
LDAP:386 iRule
when CLIENT_ACCEPTED {
    # TCP session init
    set session_binding_ldap 1
    set session_other_active 0
    # Collecting TCP data
    TCP::collect
}
when CLIENT_DATA {
    if { $session_binding_ldap } then {
        # Searching for simple Bind request to the other LDAP instance
        set session_binding_ldap 0
        foreach temp(domain_string) $static::other_domains {
            if { [string tolower [TCP::payload]] contains $temp(domain_string) } then {
                # Forwarding the request to the other LDAP instance
                set session_other_active 1
                pool $static::other_ldap_poolname
                log -noname local0.debug "LDAP simple bind request for other LDAP instance detected. Forwarding the connection to pool [LB::server pool]"
                break
            }
        }
        if { $session_other_active == 0 } then {
            # Forwarding the request to the default LDAP instance
            log -noname local0.debug "LDAP request for default LDAP instance detected. Forwarding the connection to pool [LB::server pool]"
            # Releasing TCP data
            TCP::release
            unset -nocomplain temp
        }
    }
    if { $session_other_active } then {
        # Translating Base-DNs for the other LDAP instance
        binary scan [TCP::payload] H* temp(hex_tcp_payload)
        set temp(new_tcp_payload) [binary format H* [string map $static::other_base_dn_map $temp(hex_tcp_payload)]]
        TCP::payload replace 0 [string length [TCP::payload]] $temp(new_tcp_payload)
        # Releasing TCP data
        TCP::release
        # Collecting further TCP data
        TCP::collect
        unset -nocomplain temp
    }
}
LDAPS:636 iRule
when CLIENTSSL_HANDSHAKE {
    # SSL session init
    set session_binding_ldap 1
    set session_other_active 0
    # Collecting SSL data
    SSL::collect
}
when CLIENTSSL_DATA {
    if { $session_binding_ldap } then {
        # Searching for simple Bind request to the other LDAPS instance
        set session_binding_ldap 0
        foreach temp(domain_string) $static::other_domains {
            if { [string tolower [SSL::payload]] contains $temp(domain_string) } then {
                # Forwarding the request to the other LDAPS instance
                set session_other_active 1
                pool $static::other_ldaps_poolname
                log -noname local0.debug "Bind request for other LDAPS instance detected. Forwarding the connection to pool [LB::server pool]"
                break
            }
        }
        if { $session_other_active == 0 } then {
            # Forwarding the request to the default LDAPS instance
            log -noname local0.debug "LDAPS request for default LDAPS instance detected. Forwarding the connection to pool [LB::server pool]"
            # Releasing SSL data
            SSL::release
            unset -nocomplain temp
        }
    }
    if { $session_other_active } then {
        # Translating Base-DNs for the other LDAPS instance
        binary scan [SSL::payload] H* temp(hex_ssl_payload)
        set temp(new_ssl_payload) [binary format H* [string map $static::other_base_dn_map $temp(hex_ssl_payload)]]
        SSL::payload replace 0 [string length [SSL::payload]] $temp(new_ssl_payload)
        # Releasing SSL data
        SSL::release
        # Collecting further SSL data
        SSL::collect
        unset -nocomplain temp
    }
}
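The domain detection and the hex-map Base-DN rewrite from the iRule above, modelled in Python as an added example (not code from the original post). The BindRequest, the DN values and the `parse_bind_name` checker are constructed for illustration; the BER walk shows why the two Base-DNs must have the same byte length, since the rewrite changes bytes without touching the BER length prefixes around them.

```python
OTHER_DOMAINS = ["itacs\\", "@itacs.de"]            # from the post's static::other_domains
DN_DEFAULT = "OU=xyz,DC=your-domain,DC=tld"          # default Base-DN (28 bytes)
DN_OTHER = "OU=f5-team, DC=itacs, DC=de "            # other Base-DN, space-padded to 28 bytes


def ber(tag: int, body: bytes) -> bytes:
    """Encode one BER TLV; short-form length only (body under 128 bytes) suffices here."""
    if len(body) >= 128:
        raise ValueError("example supports short-form BER lengths only")
    return bytes([tag, len(body)]) + body


def bind_request(msg_id: int, name: str, password: str) -> bytes:
    """Constructed LDAPv3 simple BindRequest: LDAPMessage{messageID, [APPLICATION 0]{version, name, simple}}."""
    op = ber(0x02, bytes([3])) + ber(0x04, name.encode()) + ber(0x80, password.encode())
    return ber(0x30, ber(0x02, bytes([msg_id])) + ber(0x60, op))


def is_other_domain(payload: bytes, domains=OTHER_DOMAINS) -> bool:
    """Same test the iRule runs on the first payload: lower-case substring match on raw bytes."""
    lowered = payload.lower()
    return any(d.lower().encode() in lowered for d in domains)


def rewrite_base_dn(payload: bytes, dn_default: str = DN_DEFAULT, dn_other: str = DN_OTHER) -> bytes:
    """The iRule's hex string map, plus the check its comment demands: equal DN lengths.
    A different length would change the bytes without updating the BER length prefixes."""
    if len(dn_default.encode()) != len(dn_other.encode()):
        raise ValueError("Base-DNs must have the same byte length; pad with spaces")
    hex_payload = payload.hex()
    return bytes.fromhex(hex_payload.replace(dn_default.encode().hex(), dn_other.encode().hex()))


def parse_bind_name(payload: bytes) -> str:
    """Walk the BER structure and return the bind name; raises if any length field no longer fits."""
    def tlv(buf: bytes, pos: int):
        tag, length = buf[pos], buf[pos + 1]
        end = pos + 2 + length
        if end > len(buf):
            raise ValueError("BER length overruns payload")
        return tag, buf[pos + 2:end], end
    tag, msg, end = tlv(payload, 0)
    if tag != 0x30 or end != len(payload):
        raise ValueError("not a single LDAPMessage")
    _, _, pos = tlv(msg, 0)              # messageID
    tag, op, _ = tlv(msg, pos)
    if tag != 0x60:
        raise ValueError("not a BindRequest")
    _, _, pos = tlv(op, 0)               # version
    _, name, _ = tlv(op, pos)
    return name.decode()
```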