ACE - LDAP TCL Script

Unanswered Question
Oct 8th, 2008

Hi,

we are using the TCL LDAP_Script as a scripted probe for an LDAP server farm. The default script that Cisco provided only sends an anonymous bind to the LDAP servers; we are trying to modify this script to send a credential bind with username and password. Has anyone done something like that before?

Your contribution is appreciated.

Hadi

habeelwad Wed, 10/08/2008 - 16:44

Hi Sachin,

Thanks for the links.

I talked to Cisco TAC and they said the binding request should be sent as binary and not via ASCII. Their suggestion is to get a packet capture of a successful credential binding request with username and password, convert this to a HEX value and insert it in the script. I have no experience with TCL scripting and I'm looking for expert help.

Thanks,

Habeel

ciscocsoc Thu, 10/09/2008 - 00:50

Hi Habeel,

I've answered this question before. If you search the forum for "ldap healtcheck script" - and yes the typo is real then you'll see what I did.

The text is here:

The easiest way is to capture a packet with the authentication credentials and then replace the hex bind string in the example.

The alternative is to handcode the BER coded ASN.1 data string - which while more fun is time consuming. The remainder of the script can stay the same.

I've done this on an ACE module. You have to be aware that 300c02010160 in the example script string is a sort of "header" that holds the request id (1). This will be different in your packet capture.

If you look at the decomposition of the example you'll be able to see how it is put together and what you need to change.

0x30 The start of a universal constructed sequence

0x0c The length of the sequence minus the tag and length bytes = 12 bytes

0x02 Next field is an integer

0x01 The length of the next field (1 byte)

0x01 Value (this is the message ID)

0x60 Application, number 0, use RFC2251 to decode. This is a Bind Request

0x07 Length of data to follow.

0x02 Integer

0x01 Length 1

0x03 3 - this is the LDAP version.

0x04 String

0x00 Length 0

0x80 Simple Authentication

0x00 Length 0

Just keep the id the same in the unbind.

The string I use is:

302d02010160280201030418636e3d41636550726f78792c6f3d556e69766572736974798009ffffffffffffffffff

where I've replaced the 9 character password with 9*x'ff'.

The username for binding is AceProxy. If you want to use the same script then create that username and set the password in the string above (in hex). If for example you set the password to Example12 then you need to set the 9*x'ff' to '4578616d706c653132' - which is the hex representation of the ASCII.

Note that if you use fewer or more than 9 characters then you'll need to change other values in the string because they refer to lengths.

HTH

Cathy
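An added example (not from the thread and not Cisco's LDAP_PROBE script) that builds the BindRequest bytes decomposed above in Python. A small BER encoder emits each tag/length/value field, so the length bytes come out right for any DN or password instead of being patched by hand; it reproduces the anonymous string from the default script and the AceProxy/Example12 string from this post, and, going beyond the post, switches to the BER long form automatically when a length exceeds 127 bytes. The function names and the DN "cn=AceProxy,o=University" (decoded from the hex above) are my assumptions.

```python
"""Added example, not part of the thread or of Cisco's LDAP_PROBE script.
Encodes an LDAP v3 simple BindRequest (and the matching UnbindRequest) as
the hex string that the probe's 'binary format "H*" ...' line sends.
Field layout follows RFC 2251 / RFC 4511; the function names are my own."""


def ber_length(n: int) -> bytes:
    """BER length octets: one byte below 128, otherwise 0x80|count followed
    by the big-endian length (the 'length of the length' form)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, value: bytes) -> bytes:
    """One BER tag-length-value element."""
    return bytes([tag]) + ber_length(len(value)) + value


def ber_integer(n: int) -> bytes:
    """INTEGER contents in minimal two's complement, so 128 becomes 00 80."""
    return n.to_bytes((n.bit_length() + 8) // 8, "big", signed=True)


def bind_request(message_id: int, dn: str = "", password: str = "") -> bytes:
    """LDAPMessage { messageID, BindRequest [APPLICATION 0] { version 3,
    name, authentication simple [0] } }. Empty dn and password give the
    anonymous bind that the default probe sends."""
    bind = (
        tlv(0x02, ber_integer(3))        # version INTEGER 3
        + tlv(0x04, dn.encode())         # name OCTET STRING (the bind DN)
        + tlv(0x80, password.encode())   # [0] simple: context tag 0, primitive
    )
    return tlv(0x30, tlv(0x02, ber_integer(message_id)) + tlv(0x60, bind))


def unbind_request(message_id: int) -> bytes:
    """LDAPMessage { messageID, UnbindRequest [APPLICATION 2] NULL }; the id
    must match the bind, as the post says."""
    return tlv(0x30, tlv(0x02, ber_integer(message_id)) + tlv(0x42, b""))


if __name__ == "__main__":
    # Anonymous bind from the stock script: 300c020101600702010304008000
    print(bind_request(1).hex())
    # Credential bind from this post, with 'Example12' in place of 9*ff.
    print(bind_request(1, "cn=AceProxy,o=University", "Example12").hex())
    # A 108-byte DN plus a 10-byte password pushes the outer length to 130,
    # so the message must start 30 81 82 (long form), not 30 82.
    print(bind_request(1, "cn=" + "x" * 105, "p" * 10).hex()[:26])
    # Unbind with the same message id: 30050201014200
    print(unbind_request(1).hex())
```

The `.hex()` output drops straight into the script's `binary format "H*"` argument; regenerate it whenever the DN, password or message id changes rather than editing individual length bytes.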

habeelwad Thu, 10/09/2008 - 13:19

Hi Cathy,

Thanks for the response. Although your answer is very detailed, I'm getting greedy here!! Is it possible to show me an example where the binary will be included with the script? Do I have to replace this line

puts -nonewline $sock [ binary format "H*" 300c020101600702010304008000 ]

with the hex value of the binding request, or just replace the binary?

Also, is it possible to input the user name and password as an argument within the scripted probe configuration on the ACE?

Thanks,

Habeel

ciscocsoc Thu, 10/09/2008 - 23:11

Hi Habeel,

You need to create a copy of the standard LDAP probe into your own file and then replace the hex string in the "puts" line which you identified above with the new string.

Then copy the file to the ACE:

ace1/ldap# copy ftp: disk0:
Enter source filename[]? My-LDAP_PROBE
Enter the destination filename[]? [My-LDAP_PROBE]
Enter hostname for the ftp server[]? 1.2.3.4
Enter username[]? anonymous
Enter the file transfer mode[bin/ascii]: [bin]
Password:
Passive mode on.
Hash mark printing on (1024 bytes/hash mark).
##

In the context create a scripted probe definition:

probe scripted PROBE-LDAP-389
  interval 60
  receive 20
  script My-LDAP_PROBE

Load the script into the context:

script file 10 My-LDAP_PROBE

And then add it to the serverfarm:

serverfarm host FARM-LDAP
  probe PROBE-LDAP-389

The manual implies that you can pass arguments to a scripted probe, but you would then have to build the hex string dynamically - taking care that all the length values were correct.

This should be enough to enable you to implement the script. I'm not going to write the script for you - but someone else might.

HTH

Cathy

Richard Bradfield Tue, 11/01/2011 - 14:45

I have followed this thread to create my own Ldap probe with the following credentials

CN=svc-LBLDAP,OU=LoadBalancer,Ou=Simnet Service Accounts,OU=Simnet Users,DC=simnetad,DC=simplot,DC=com,DC=au

plus a 10 digit password

hex as follows

3082020101607d020103046c434e3d7376632d4c424c4441502c
4f553d4c6f616442616c616e6365722c
4f553d53696d6e65742053657276696365204163636f756e74732c
4f553d53696d6e65742055736572732c
44433d73696d6e657461642c44433d73696d706c6f742c
44433d636f6d2c44433d6175800a65797a50435259564874

but it fails with status code 30004; in the TCL script I cannot find the 30004 error.

Can anybody tell me what this error code means?

ciscocsoc Wed, 11/02/2011 - 00:06

Error codes are documented in the "Server Load-Balancing Configuration Guide" Appendix A

Exit Code   Description/Message
30001       Probe successful (no message)
30002       Probe error: Server did not respond as expected
30003       Internal error: Fork failed for TCL script
30004       Internal error: Script probe terminated due to timeout
30005       Internal error: TCL interpreter PANIC (interpreter problem)
30006       Internal error: Script error
30007       Internal error: Script-file lookup failed or empty buffer
30008       Internal error: Failed to allocate memory for TCL_wt (worker thread) qnode
30009       Internal error: Unknown script error
30010       Internal error: Out of sockets for the TCL script
30011       Internal error: Unable to read persistent variable table
30012       Internal error: PData (probe data) pointer is null

HTH

Cathy

ciscocsoc Wed, 11/02/2011 - 00:17

The cause of the immediate problem is the way in which ASN.1 codes lengths - and the fact that your string is over 127 bytes long.

The key to understanding this problem is that there are three ways of specifying a length in ASN.1. The first way we have already seen is to use a single byte. This is known as the "definite" form and can be used for lengths of 127 bytes or less. Otherwise, if the high bit is set to one, the low seven bits define the length of the length. The length is then encoded in that many bytes. This is the "length of the length field" form. It looks like Microsoft Active Directory uses the indefinite form for all length encoding. The third form (for completeness) is "indefinite", where the length is coded as x'80' and the end of the content is marked by x'0000'.

You have accidentally created an ASN.1 string that needs more than 127 bytes. Unless you want to get into ASN.1 and recode your hex string (it isn't difficult - just tedious) to use length-of-length format, I'd recommend lopping a few bytes from the CN to bring the length, which is currently x'82', down to something less than x'80'.

Kind Regards

Cathy

Richard Bradfield Sun, 04/15/2012 - 22:13

Further my last post

I have managed to get a good Wireshark trace showing the probe actually passed (see enclosed), but still get a failure returned from the script.

Script details below for the response:

# read string back from server
ace_debug "receiving ldap bind result"
set line [read $sock 14]
binary scan $line H* res
binary scan $line @7H6 code
ace_debug "received $res with code $code"

# close connection
ace_debug "closing socket"
close $sock

# make probe fail by exit with 30002 if ldap reply code != success code 0x0a0100
if { $code != "0a0100" } {
    ace_debug " probe failed : expect response code \'0a0100\' but received \'$code\'"
    exit 30002
}

## make probe success by exit with 30001
ace_debug "probe success"
exit 30001

Richard Bradfield Sun, 04/15/2012 - 20:31

Cathy,

Only just got back to this after many months.

I have tried different usernames and passwords, even copied the straight hex from the ACE capture into the script file, and it still does not work; it comes up with "invalidCredentials", comment: accept security context error, data 52e, v1db1.

Now, to create the probe all I have done is copy the default LDAP probe (LDAP_PROBE), change the bind hex string, and save it back to Disk0: of the context I am in.

The other problem I have is that I cannot see the bind. The capture command on the ACE does not seem to capture probes, and when I do a capture on the VLAN interface I just see the response, not the bind (I'll look into that one).

Any ideas?

ciscocsoc Mon, 04/16/2012 - 03:12

Hi,

It looks like you are probing a Microsoft AD LDAP server. The ASN.1 encoding used by Microsoft is "length of length". You need to look at more of the return response and take the return code from further into the response.

# read string back from server
ace_debug "receiving ldap bind result"
set line [read $sock 20]
binary scan $line H* res
binary scan $line @15H6 code
ace_debug "received $res with code $code"

We take in 20 bytes from the bitstream, convert it into a hexadecimal string and find the 6 hexadecimal characters from the 16th byte onwards. Note: Tcl uses zero-based arrays.

HTH

Cathy
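An added example (not from the thread or Cisco's script) in Python covering both of Cathy's last points: it reads BER length octets in either the short form or the length-of-length form, walks the BindResponse to the resultCode instead of reading it from a fixed offset, and shows why a request header starting 30 82 is misread. The sample replies are constructed, not captured: the 14-byte short-form reply the default probe expects at byte 7, and an Active-Directory-style reply in which every length is written as 84 plus four bytes, which is what puts the code at byte 15 and why the amended script reads 20 bytes. The function names, the samples and that 0x84 layout are my assumptions.

```python
"""Added example, not from the thread or Cisco's LDAP_PROBE script.
Parses an LDAP BindResponse whose BER lengths may use the short form or the
'length of the length' form, mirroring the two 'binary scan' variants in the
thread. The sample replies below are constructed, not captured."""

# Reply the stock probe expects: 30 0c 02 01 01 61 07 0a 01 00 04 00 04 00
SHORT_FORM_OK = bytes.fromhex("300c02010161070a010004000400")
# Same reply with resultCode 49, invalidCredentials (RFC 4511 section 4.1.9).
SHORT_FORM_INVALID_CREDS = bytes.fromhex("300c02010161070a013104000400")
# Constructed reply with every length written as 84 + four bytes (assumed
# Active Directory style); the resultCode lands at zero-based byte 15.
LONG_FORM_OK = bytes.fromhex(
    "308400000010" "020101" "618400000007" "0a0100" "0400" "0400"
)


def read_header(buf: bytes, pos: int):
    """Return (tag, content length, offset of first content byte) for the
    element at buf[pos]. 0x80 (indefinite form) is rejected; LDAP forbids it."""
    tag = buf[pos]
    first = buf[pos + 1]
    if first < 0x80:
        return tag, first, pos + 2                  # short form
    if first == 0x80:
        raise ValueError("indefinite length is not permitted in LDAP")
    count = first & 0x7F                            # number of length bytes
    length = int.from_bytes(buf[pos + 2:pos + 2 + count], "big")
    return tag, length, pos + 2 + count


def bind_result_code(buf: bytes) -> int:
    """Walk LDAPMessage -> messageID -> BindResponse [APPLICATION 1] -> resultCode."""
    tag, _, pos = read_header(buf, 0)
    if tag != 0x30:
        raise ValueError(f"expected SEQUENCE (30), got {tag:02x}")
    tag, length, pos = read_header(buf, pos)        # messageID INTEGER, skipped
    if tag != 0x02:
        raise ValueError(f"expected INTEGER messageID, got {tag:02x}")
    pos += length
    tag, _, pos = read_header(buf, pos)
    if tag != 0x61:
        raise ValueError(f"expected BindResponse (61), got {tag:02x}")
    tag, length, pos = read_header(buf, pos)        # resultCode ENUMERATED
    if tag != 0x0A:
        raise ValueError(f"expected ENUMERATED resultCode, got {tag:02x}")
    return int.from_bytes(buf[pos:pos + length], "big")


def probe_exit_code(buf: bytes) -> int:
    """Same contract as the Tcl script: 30001 when resultCode is 0, else 30002."""
    return 30001 if bind_result_code(buf) == 0 else 30002


def fixed_offset_code(buf: bytes, offset: int) -> str:
    """What 'binary scan $line @<offset>H6 code' yields: three bytes as hex."""
    return buf[offset:offset + 3].hex()


if __name__ == "__main__":
    for name, reply in [("short form", SHORT_FORM_OK),
                        ("long form", LONG_FORM_OK),
                        ("invalid creds", SHORT_FORM_INVALID_CREDS)]:
        print(f"{name}: resultCode={bind_result_code(reply)} "
              f"exit={probe_exit_code(reply)}")
    # Each fixed offset from the thread is right for exactly one encoding.
    print(fixed_offset_code(SHORT_FORM_OK, 7), fixed_offset_code(LONG_FORM_OK, 15))
    # A request starting 30 82 02 01 01 ... is read as long form with two
    # length bytes, i.e. length 0x0201 = 513 rather than 130: the earlier bug.
    print(read_header(bytes.fromhex("3082020101607d"), 0))
```

Walking the structure rather than hard-coding `@7` or `@15` means the same check works against a server that uses either length form, and a wrong tag raises instead of silently comparing the wrong three bytes.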

Richard Bradfield Mon, 04/16/2012 - 16:03

Cathy

That's fixed the problem; as you can tell, I am no programmer!

Thanks again for all your help.
