TCL script for ldap probes

ssieger
Level 1

Hi,

I tried to compose a tcl script to check the health of some ldap-servers by doing a bind request with a user called cn=LDAPTEST,ou=TEST,o=TEST, password test. I've converted the text into hex and pasted it into the appropriate section of the script:

# puts a string to server

csm_debug "sending ldap bind request"

puts -nonewline $sock [ binary format "H*" 636e3d4c44... and so on

But the reals retain the status "probe_failed". Is there something missing in the bind request? I'm not well schooled in ldap and tcl-scripting, but maybe somebody is... :-)

TIA,

Stephan

2 Accepted Solutions

Gilles Dufour
Cisco Employee

Stephan,

Get a sniffer trace and see what the response from the ldap server is.

Compare the response from the server to what you get when you do a successful ldap query from a pc.

G.


ciscocsoc
Level 4

Hi Stephan,

You've almost got it right, but you've gone wrong somewhere because you aren't sending a valid ASN.1 datastring. You're missing the "header" from the ASN.1 string and just launching into a bind request.

I've answered this question before. If you search the forum for "ldap healtcheck script" - and yes, the typo is real - then you'll see what I did.

I reckon your string needs to be something like:

302a0201016028020103041a636e3d4c444150544553542c6f753d544553542c6f3d54455354800474657374

to create a bind request with cn=LDAPTEST,OU=TEST,O=TEST password test.

As mentioned in an earlier response, the easiest way is to do a packet capture and then paste the hex into your script.

HTH

Cathy
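Hand-typed BER is easy to get wrong in its length fields, so here is an added example (Python; not code from this thread or from Cisco) that builds the same simple BindRequest for cn=LDAPTEST,ou=TEST,o=TEST / test with every length derived from the content, and walks the nested TLVs of any pasted hex string to report a length field that claims more bytes than are present. Run over the string quoted above, it reports that the BindRequest element at offset 7 declares 40 content bytes while 37 follow. It assumes a single-byte messageID (1..127).

```python
# Added example, not code from the thread or from Cisco: build an LDAPv3 simple
# BindRequest with BER lengths computed from the content, and check the length
# fields of a hex string before pasting it into `binary format "H*"`.

def ber_len(n: int) -> bytes:
    """BER length: short form below 128, long form (0x80|N, then N bytes) above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag: int, content: bytes) -> bytes:
    """One tag-length-value element."""
    return bytes([tag]) + ber_len(len(content)) + content

def bind_request(message_id: int, dn: str, password: str) -> bytes:
    """LDAPMessage { messageID, [APPLICATION 0] BindRequest { version, name, simple } }.
    Assumption: message_id fits in one byte (1..127), which a one-shot probe meets."""
    bind = (tlv(0x02, bytes([3]))              # INTEGER version 3
            + tlv(0x04, dn.encode())           # OCTET STRING bind DN
            + tlv(0x80, password.encode()))    # [0] simple authentication
    return tlv(0x30, tlv(0x02, bytes([message_id])) + tlv(0x60, bind))

def check_lengths(hex_msg: str) -> list:
    """Walk the nested TLVs; return (offset, declared, available) for each length
    field that claims more bytes than its enclosing element holds ([] if consistent)."""
    problems = []

    def walk(buf: bytes, base: int) -> None:
        i = 0
        while i + 1 < len(buf):
            tag, declared = buf[i], buf[i + 1]
            i += 2
            if declared & 0x80:                # long-form length
                n = declared & 0x7F
                declared = int.from_bytes(buf[i:i + n], "big")
                i += n
            available = min(declared, len(buf) - i)
            if available != declared:
                problems.append((base + i, declared, available))
            if tag & 0x20:                     # constructed element: descend into it
                walk(buf[i:i + available], base + i)
            i += available

    walk(bytes.fromhex(hex_msg), 0)
    return problems

if __name__ == "__main__":
    msg = bind_request(1, "cn=LDAPTEST,ou=TEST,o=TEST", "test")
    print(msg.hex())                  # hex to paste into the probe script
    print(check_lengths(msg.hex()))   # [] when every length field is consistent
```

The printed hex replaces the hand-converted string in `binary format "H*"`; the server's reply is an LDAPMessage whose BindResponse element carries tag 0x61, and a resultCode of 0 in it means the bind succeeded.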
