CSS keepalive script for LDAP

Answered Question
Feb 18th, 2010

I am trying to write a script for detecting the status of an LDAP server on a CSS. I figured out that I should capture the binary send and receive data of the LDAP query. I captured the request and response packets. But I have no idea of which part of the binary data (and how) I should put into the stock LDAP keepalive script. Could someone put me in the right direction?


Thanks a lot.

Daniel

Correct Answer by Gilles Dufour about 7 years 3 months ago

Just look at the existing ldap script


CSS11503-2# sho script ap-kal-ldap
!no echo
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
! Filename: ap-kal-ldap
! Parameters: HostName
!
! Description:    "Lightweight Directory Access Protocol v3"
!   This script will connect to an LDAP server and attempt to
!   "bind request" to the server.  Once the server gives a
!   positive response we will disconnect (RFC-2251).
!
! Bind Response Code we will search for is: 0x0a 0x01 0x00
!
! Failure Upon:
!   1. Not establishing a connection with the host.
!   2. Failure to receive the above response code.
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!


! Make sure the user has a qualified number of arguments
if ${ARGS}[#] "NEQ" "1"
        echo "Usage: ap-kal-ldap \'Hostname\'"
        exit script 1
endbranch


! Defines:
set HostName "${ARGS}[1]"


set EXIT_MSG "Connection Failed"
! Connect to the remote host (use default timeout)
socket connect host ${HostName} port 389 tcp 2000


set EXIT_MSG "Send: Failure"
! Send a Bind Request to the remote host.  This is simply a standard
! "capture" of a bind request in hex.  This should work for all standard
! version 3 LDAP servers.
socket send ${SOCKET} "300c020102600702010204008000" raw


set EXIT_MSG "Receive: Failure"
! Expect to receive a standard response from the host.  This should
! be equal to a SUCCESS response code:
socket waitfor ${SOCKET} "0a0100" 2000 raw



set EXIT_MSG "Send: Failure"
! Send an exit "Unbind Request" to the remote host so that they
! are not left hanging.
socket send ${SOCKET} "30050201034200" raw


no set EXIT_MSG
socket disconnect ${SOCKET}


exit script 0




CSS11503-2#


In red, you see the command to send the binary (this includes everything inside the tcp payload - after the tcp header).


In blue, you see the command to inspect received data and consider the response valid if the sequence is seen somewhere in the tcp payload of the response.


Gilles.
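
The hex strings in the stock script are raw LDAP messages in BER encoding, and knowing what each byte means makes it much easier to build a keepalive from your own capture. The following is an added example (not Cisco's code, and not part of the original thread): a small Python decoder for the exact payloads the script sends, plus an emulation of what `socket waitfor ... raw` checks. The server replies are constructed sample messages, not captured from a real server. Decoding shows that the bind request is messageID 2, an anonymous simple bind (empty name, empty password) with the version field set to 2, and that the unbind is messageID 3. The example also shows why a parsed check is stricter than the script's substring match: `waitfor` declares the server healthy if the bytes 0a 01 00 appear anywhere in the payload, so a failing bind whose diagnostic message happens to contain those bytes would still pass.

```python
"""Added example, not Cisco's code: decode the byte strings used by the
ap-kal-ldap keepalive and compare the script's substring check with a
parsed check of the BindResponse."""

# Hex payloads copied from the ap-kal-ldap script above.
BIND_REQUEST_HEX = "300c020102600702010204008000"   # socket send ... raw
UNBIND_REQUEST_HEX = "30050201034200"               # socket send ... raw
SUCCESS_PATTERN_HEX = "0a0100"                      # socket waitfor ... raw

# Constructed sample server replies (not captured from a real server):
BIND_OK_HEX = "300c02010261070a010004000400"        # resultCode 0 (success)
BIND_FAIL_HEX = "300c02010261070a013104000400"      # resultCode 49 (invalidCredentials)
# resultCode 49, but the bytes 0a 01 00 happen to appear inside diagnosticMessage
BIND_FAIL_LOOKALIKE_HEX = "300f020102610a0a0131040004030a0100"

LDAP_OPS = {0x60: "BindRequest", 0x61: "BindResponse", 0x42: "UnbindRequest"}


def read_tlv(buf: bytes, pos: int):
    """Parse one BER tag-length-value at buf[pos]; return (tag, value, next_pos).
    Short-form and long-form definite lengths are handled, which covers the
    small messages a keepalive exchanges."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                 # long form: low 7 bits = count of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    value = buf[pos:pos + length]
    if len(value) != length:
        raise ValueError("truncated BER element")
    return tag, value, pos + length


def decode_ldap_message(raw: bytes) -> dict:
    """Decode LDAPMessage ::= SEQUENCE { messageID INTEGER, protocolOp CHOICE }
    for the three operations the keepalive uses (RFC 2251 / RFC 4511)."""
    tag, body, _ = read_tlv(raw, 0)
    if tag != 0x30:
        raise ValueError("LDAPMessage must start with a SEQUENCE (0x30)")
    tag, mid, pos = read_tlv(body, 0)
    if tag != 0x02:
        raise ValueError("messageID must be an INTEGER (0x02)")
    op_tag, op, _ = read_tlv(body, pos)
    msg = {"messageID": int.from_bytes(mid, "big"),
           "op": LDAP_OPS.get(op_tag, hex(op_tag))}
    if op_tag == 0x60:   # BindRequest ::= { version INTEGER, name LDAPDN, authentication CHOICE }
        _, ver, p = read_tlv(op, 0)
        _, name, p = read_tlv(op, p)
        auth_tag, auth, _ = read_tlv(op, p)
        msg.update(version=int.from_bytes(ver, "big"), name=name.decode(),
                   auth="simple" if auth_tag == 0x80 else hex(auth_tag),
                   password_len=len(auth))
    elif op_tag == 0x61:  # BindResponse ::= { resultCode ENUMERATED, matchedDN, diagnosticMessage }
        _, rc, p = read_tlv(op, 0)
        _, dn, p = read_tlv(op, p)
        _, diag, _ = read_tlv(op, p)
        msg.update(resultCode=int.from_bytes(rc, "big"), matchedDN=dn.decode(),
                   diagnosticMessage=diag.decode("utf-8", errors="replace"))
    return msg


def css_waitfor_match(response: bytes, pattern_hex: str = SUCCESS_PATTERN_HEX) -> bool:
    """Emulate 'socket waitfor ... raw': the server counts as up if the byte
    sequence appears anywhere in the received payload."""
    return bytes.fromhex(pattern_hex) in response


def bind_succeeded(response: bytes, expected_id: int = 2) -> bool:
    """Stricter check: require a BindResponse to our messageID with resultCode 0."""
    try:
        msg = decode_ldap_message(response)
    except (ValueError, IndexError):
        return False
    return (msg["op"] == "BindResponse" and msg["messageID"] == expected_id
            and msg["resultCode"] == 0)


if __name__ == "__main__":
    samples = [("bind request", BIND_REQUEST_HEX), ("unbind request", UNBIND_REQUEST_HEX),
               ("bind ok", BIND_OK_HEX), ("bind fail", BIND_FAIL_HEX),
               ("bind fail lookalike", BIND_FAIL_LOOKALIKE_HEX)]
    for label, h in samples:
        raw = bytes.fromhex(h)
        print(f"{label:20} {decode_ldap_message(raw)}")
        if label.startswith("bind") and label != "bind request":
            print(f"{'':20} waitfor match={css_waitfor_match(raw)}  "
                  f"parsed success={bind_succeeded(raw)}")
```

Run it directly to see each payload decoded field by field. When building your own keepalive from a capture, the bytes to paste into `socket send` are everything after the TCP header (the whole LDAPMessage, starting with 0x30), and the pattern for `socket waitfor` is a byte sequence that only a successful reply contains; the CSS script language cannot parse BER, so keep the bind anonymous or use a dedicated monitoring account, and remember that the match is a substring search rather than a check of the resultCode field itself.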

y.lo Thu, 02/18/2010 - 05:54
User Badges:

You solved my problem. Thanks a lot!
