Forum Discussion

pponte
Jan 10, 2020

Insert client ip address on ldap VS

Hello team,

I have a question I hope someone can answer.

We have received a request to know if there is any chance to add client ip address on an ldap query.

We have an ldap and ldaps virtual server with SNAT (can't disable it because F5 is not the default gateway), and AD administrators asked whether they could receive the client ip address to know which device is sending login authentication failures.

I have been investigating but couldn't find how to do this. I don't know if this should be done by creating an iRule to modify the tcp payload or tcp options.

Has anybody done this?

Thanks in advance.

3 Replies

  • There is no mechanism in the LDAP request protocol for passing a client IP address to the server when a SNAT is involved (in HTTP we would use X-Forwarded-For, but there is no LDAP equivalent).

    You could write an iRule that logs the client IP and server-side TCP port to a remote logging server (i.e. syslog or splunk) via High Speed Logging for matching requests to client IP.

  • Hello,

    I created an iRule to log the traffic (on a lab environment) just for testing purposes.

    when SERVER_CONNECTED {
        # Client-side tuple as seen by the virtual server
        set client "[IP::client_addr]:[TCP::client_port]"
        # Server-side local tuple: the SNAT address/port the node sees
        set snat "[IP::local_addr]:[TCP::local_port]"
        # Pool member the connection was load balanced to
        set node "[IP::server_addr]:[TCP::server_port]"
    }

    when CLIENT_CLOSED {
        # Guard: if the server-side connection never came up, $snat/$node are unset
        if { [info exists snat] } {
            log local0. "Client $client -> SNAT: $snat -> Node: $node"
        } else {
            log local0. "Client [IP::client_addr]:[TCP::client_port] -> no server-side connection"
        }
    }

    So, I could get a line with the required information.

    Jan 20 16:54:33 LAB-ld1f5t info tmm6[32493]: Rule /Common/iRule_logging_traffic <CLIENT_CLOSED>: Client 10.71.70.67:34243 -> SNAT: 10.71.70.67:34243 -> Node: 10.71.72.154:389

    Should I set HSL in order to keep cpu and resources low?

    Thank you for your help.

  • > Should I set HSL in order to keep cpu and resources low?

    Yes - the BigIP is not optimized for disk I/O and logging, and has limited storage for such logs - using an HSL log destination sends the logs out via tmm (network interface) to a remote syslog device that is specifically optimized for logging and data storage/retrieval.
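The same client -> SNAT -> node mapping logged through an HSL destination, as suggested in the replies above. This is an added example, not an iRule from the thread or from F5; the pool name ldap_hsl_syslog_pool is an assumed placeholder for a pool of remote syslog collectors, and the message prefix and field names are chosen here, not prescribed by anything on the page.

```tcl
# Added example: emit the client/SNAT/node mapping via High Speed Logging
# instead of "log local0.", so nothing is written to the BIG-IP's local disk.
# Assumption: a pool named ldap_hsl_syslog_pool exists and contains the
# remote syslog receivers (UDP/514).

when CLIENT_ACCEPTED {
    # One HSL handle per client flow; variables set here are visible
    # in the later events of the same connection.
    set hsl [HSL::open -proto UDP -pool ldap_hsl_syslog_pool]
    set client "[IP::client_addr]:[TCP::client_port]"
}

when SERVER_CONNECTED {
    # Server-side values only exist once the node connection is up.
    set snat "[IP::local_addr]:[TCP::local_port]"
    set node "[IP::server_addr]:[TCP::server_port]"
    # <134> = syslog PRI for facility local0 (16*8) + severity info (6).
    # Logging here records the mapping at connect time, before any
    # bind attempt reaches the directory server.
    HSL::send $hsl "<134> [virtual name] ldap-snat-map client=$client snat=$snat node=$node"
}

when CLIENT_CLOSED {
    # Guard against flows where no server-side connection was made.
    if { [info exists snat] } {
        HSL::send $hsl "<134> [virtual name] ldap-snat-close client=$client snat=$snat node=$node"
    } else {
        HSL::send $hsl "<134> [virtual name] ldap-snat-close client=$client snat=none node=none"
    }
}
```

The mapping is sent at SERVER_CONNECTED rather than only at CLIENT_CLOSED so that it is available while the connection is still open; where the directory server's own failure logs record the source address and port of the bind, the snat= field (address plus ephemeral port) is what lets the AD team join those events back to the real client.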