ldap healthcheck script

sean.cheney
Level 1

Recently my directory folks asked if we could run a more sophisticated script than the one included on the CSS for health checking directory servers; specifically, they want to do a credentials bind vs. the anonymous one that is included.

I figured it would be a long shot, but would ask here if anyone has created an ldap script for their CSS that uses credentials to perform a healthcheck.

If not, two strategies are to 1) figure out the command sequence and script that, or 2) get a trace of the transaction and lift the hex out of it.

I was hoping someone had done #1.

cheers


ciscocsoc
Level 4

Hi Sean,

The easiest way is to capture a packet with the authentication credentials and then replace the hex bind string in the example.

The alternative is to handcode the BER coded ASN.1 data string - which while fun is time consuming. The remainder of the script can stay the same.

I've done this on an ACE module. You have to be aware that 300c02010160 in the example script string is a sort of "header" that holds the request id (1). This will be different in your packet capture.

If you look at the decomposition of the example you'll be able to see how it is put together and what you need to change.

0x30 The start of a universal constructed sequence

0x0c The length of the sequence minus the tag and length bytes = 12 bytes

0x02 Next field is an integer

0x01 The length of the next field (1 byte)

0x01 Value (this is the message ID)

0x60 Application, number 0, use RFC2251 to decode. This is a Bind Request

0x07 Length of data to follow.

0x02 Integer

0x01 Length 1

0x03 3 - this is the LDAP version.

0x04 String

0x00 Length 0

0x80 Simple Authentication

0x00 Length 0

Just keep the id the same in the unbind.

The string I use is:

302d02010160280201030418636e3d41636550726f78792c6f3d556e69766572736974798009ffffffffffffffffff

where I've replaced the 9 character password with 9*x'ff'.

HTH

Cathy
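To check the bytes Cathy walks through above without a packet capture, here is an added example (not code from the thread or from Cisco) that builds the BindRequest and UnbindRequest BER from a message id, DN and password, and decodes a hex string back into its fields; the DN and 9-byte password are the sample values from her string, and the hex it returns is what would be pasted into the keepalive script.

```python
# Added example: build and decode the LDAP simple BindRequest / UnbindRequest
# BER bytes that the CSS/ACE keepalive script carries as a hex string.
# Layout follows RFC 4511 (successor of RFC 2251); sample values are constructed.

def ber_len(n: int) -> bytes:
    """BER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag]) + ber_len(len(value)) + value

def ber_int(n: int) -> bytes:
    """INTEGER (tag 0x02); the extra byte keeps the sign bit clear for n >= 128."""
    return tlv(0x02, n.to_bytes(n.bit_length() // 8 + 1, "big"))

def bind_request(msg_id: int, dn: str, password: bytes) -> bytes:
    """LDAPMessage { messageID, BindRequest [APPLICATION 0] (tag 0x60) }."""
    bind = (ber_int(3)                      # LDAP version 3
            + tlv(0x04, dn.encode())        # name: OCTET STRING
            + tlv(0x80, password))          # authentication: simple [0]
    return tlv(0x30, ber_int(msg_id) + tlv(0x60, bind))

def unbind_request(msg_id: int) -> bytes:
    """UnbindRequest is [APPLICATION 2] NULL: tag 0x42, length 0; same id."""
    return tlv(0x30, ber_int(msg_id) + bytes([0x42, 0x00]))

def read_tlv(buf: bytes, i: int):
    """Return (tag, value, next_offset) for the TLV starting at offset i."""
    tag, ln, i = buf[i], buf[i + 1], i + 2
    if ln & 0x80:                           # long-form length
        n = ln & 0x7F
        ln, i = int.from_bytes(buf[i:i + n], "big"), i + n
    return tag, buf[i:i + ln], i + ln

def decode_bind(hexstr: str) -> dict:
    """Decompose a bind string into the fields worth checking against a capture."""
    _, msg, _ = read_tlv(bytes.fromhex(hexstr), 0)
    _, mid, i = read_tlv(msg, 0)
    op, bind, _ = read_tlv(msg, i)
    _, ver, j = read_tlv(bind, 0)
    _, dn, j = read_tlv(bind, j)
    auth, pw, _ = read_tlv(bind, j)
    return {"message_id": int.from_bytes(mid, "big"), "op_tag": op,
            "version": ver[0], "dn": dn.decode(), "auth_tag": auth,
            "password_len": len(pw)}
```

`bind_request(1, "", b"")` reproduces the anonymous string from the stock script, and `bind_request(1, "cn=AceProxy,o=University", b"\xff" * 9)` reproduces Cathy's; `unbind_request(1)` gives the matching unbind with the same id.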