Forum Discussion

Jason_Jernigan1 (Nimbostratus)
Jan 10, 2007

Possible to query LDAP from an iRule?

I'm trying to figure out if it is possible to query LDAP for an attribute of a user, then make a decision on the pool based on that attribute. If I could run a bash script or command and return a value from an iRule this would also be possible, since ldapsearch is on the BIG-IP. Any help in pointing me in the right direction is greatly appreciated.

Thanks,

Jason

10 Replies

  • Don_MacVittie_1 (Historic F5 Account)
    Hey Jason,

    I've not done it on BigIP, but I've queried LDAP in some pretty odd circumstances, and can't think of a reason off-hand that you couldn't do a query via TCP.

    The problem I see with it is more one of "best use". You're going to add latency. A lot of latency if you are doing it with each user - you've got enough traffic to warrant putting a BigIP in, so can you afford the cost of hitting an external LDAP server in an iRule that will get hit a LOT?

    If so, let's talk. Like I said, I haven't done it on a BigIP, but I'm willing to play with it and see what we can get running, or offer you advice on where to look.

    Don.
  • This is one of the concerns I thought of. However, would it be possible to persist the attribute so that it only does the LDAP query for a new session? I think we could take the latency hit on the initial connection; our use case is that once users are logged in they stay logged in for long periods of time, and we don't have huge numbers of users logging in. We are already doing LDAP authentication at the BIG-IP. I'd like to give this a shot. If you can point me in the right direction that would be greatly appreciated.

    Thanks,

    Jason
  • Don_MacVittie_1 (Historic F5 Account)
    Hey Again Jason,

    I know we can persist data, I don't know the amount we can persist.

    So short answer is: "Yes, I think this can be done."

    The long answer is: "I'm still getting my feet under me here, let me ping Colin about some concerns I have (and ask about anything I may not have thought of), and I'll contact you via email so we don't flood the list with our communications."

    Is that okay? Fair warning, I'll be figuring it out with you, but I'm confident we can get it running.

    Don.
  • Ok, so it looks like to try this out I will have to upgrade to 9.2. This isn't a problem; it will probably take me a day or two to get it done. Feel free to contact me via email to discuss next steps.

    The other article also mentions possibly using a data group list with iControl. What is the largest number of entries I can safely put in a data group list? We may have up to 30000-40000 entries; is this possible in a data group list?

    Thanks a lot for everyone's help in getting me pointed in the right direction for this.

    Jason
  • I was looking for answers to another problem I have when I came across a command that I think could be used to solve my problem. I would like to get your input on this. The command is AUTH::response_data; it is only available in 9.4.0. The wiki entry is here: http://devcentral.f5.com/wiki/default.aspx/iRules/AUTH__response_data.html

    Since I'm just trying to make pool decisions based on group membership, it looks like this will work for me. Please let me know what you all think. Also, if you know whether or not 9.4.0 is ready for production.

    Thanks,

    Jason
  • david_wang_2073 (Historic F5 Account)
    Hi, Jason,

    Have you got the answer for querying LDAP from an iRule?

    I got a problem which is exactly the same as what you want to do. I need to select a server based on the TCP::payload, but the entries in the data group might be more than 160K, so a data group can not work. We have to put all the entries on an external LDAP server, then use a rule to query it.

    If you have solved this problem, please let me know how you made it work.

    Regards,

    David Wang
  • Has any progress on making an LDAP query from an iRule been made in recent versions? If so, can you provide details? I have a customer who is interested in load balancing HTTP traffic by selecting the pool based on LDAP query results. The search base and filters could potentially need to be changed per URI.

    What's the latest on this?

    Here are a few related posts I could find:

    unRuleY - Sept 2005

    Unfortunately, we use PAM for the backend of the auth engine and it only returns a boolean (authorized/not authorized). We have been looking at ways to allow querying a directory service for specific attributes, but nothing is currently planned for a release.

    http://devcentral.f5.com/default.aspx?tabid=53&view=topic&forumid=5&postid=44724479

    Querying different Group DNs

    I got the answer from F5-Support, that it isn't possible to query different Group DNs:

    "When you configure the LTM for LDAP authentication, you can only configure one DN entry. That's why you have to choose the parent DN of the users' groups and not try to set the user groups' DNs themselves.

    I would also suggest you read the following document:

    https://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/ltm_sol_guide_943/sol_app_auth.html"

    http://devcentral.f5.com/Default.aspx?tabid=53&forumid=5&tpage=1&view=topic&postid=30983

    Aaron
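The per-session caching Jason proposed and the per-URI filters Aaron describes, as an added Python example that is not code from this thread or from F5: the client-supplied uid is RFC 4515 escaped before it goes into the search filter, the pool is decided once per session and kept for a TTL in a bounded cache, and a failed lookup falls back to a default pool without caching the failure. The `lookup` callable, the group-to-pool mapping and the pool names are assumptions.

```python
import time
from typing import Callable, Dict, List, Optional, Tuple

# Constructed mapping of LDAP group DN -> BIG-IP pool name (assumption, not from the thread).
GROUP_TO_POOL = {
    "cn=premium,ou=groups,dc=example,dc=com": "pool_premium",
    "cn=standard,ou=groups,dc=example,dc=com": "pool_standard",
}
DEFAULT_POOL = "pool_default"  # fail-closed choice when the directory gives no usable answer

def ldap_filter_escape(value: str) -> str:
    """RFC 4515 escaping, so a uid taken from a URI or payload cannot alter the filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def build_filter(uid: str) -> str:
    return "(&(objectClass=person)(uid=%s))" % ldap_filter_escape(uid)

def pool_from_groups(groups: List[str]) -> str:
    """Map the first recognised memberOf DN to a pool; anything else gets DEFAULT_POOL."""
    for dn in groups:
        if dn.lower() in GROUP_TO_POOL:
            return GROUP_TO_POOL[dn.lower()]
    return DEFAULT_POOL

class PoolSelector:
    """Decide the pool once per session and keep it `ttl` seconds; cache bounded by `max_entries`."""

    def __init__(self, lookup: Callable[[str], Optional[List[str]]],
                 ttl: float = 3600.0, max_entries: int = 40000):
        self._lookup = lookup  # hypothetical: runs the filter, returns memberOf DNs, None on error
        self._ttl, self._max = ttl, max_entries
        self._cache: Dict[str, Tuple[str, float]] = {}  # session id -> (pool, expiry time)

    def pool_for(self, session_id: str, uid: str, now: Optional[float] = None) -> Tuple[str, bool]:
        """Return (pool name, True if served from the session cache)."""
        now = time.time() if now is None else now
        hit = self._cache.get(session_id)
        if hit and hit[1] > now:
            return hit[0], True
        groups = self._lookup(build_filter(uid))
        if groups is None:  # directory error or timeout: fail closed and do not cache the failure
            return DEFAULT_POOL, False
        pool = pool_from_groups(groups)
        if len(self._cache) >= self._max:  # bound memory: drop expired entries, then the oldest
            self._cache = {k: v for k, v in self._cache.items() if v[1] > now}
            if len(self._cache) >= self._max:
                del self._cache[next(iter(self._cache))]
        self._cache[session_id] = (pool, now + self._ttl)
        return pool, False
```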
  • Ping_Xiong_1567 (Historic F5 Account)
    Any update about this thread? I'm coming across the same requirement: I need to query an attribute from LDAP for an SLB decision.
  • The simplest option for this now is to use APM (Access Policy Manager) to query LDAP and make load balancing decisions based on the returned attributes.

    Aaron
  • Hoolio,

    What if we are using 10.2.1 and don't have APM? Do you have an example of an iRule that queries an LDAP VIP for an attribute response?

    Thanks,