Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Looking for ACE Probe TCL script specific for LDAPS

Hello Everyone,

I have searched the forum, and i am having difficulty finding an example of how to modify the LDAP TCL probe from port 389 to secure LDAP port 636.

Could someone kindly point me or provide me the modified TCL script if you happen to have it.

During my search I also found a config that someone had provided, which contained the following probe:

probe tcp LDAPS_Probe
  port 636
probe tcp LDAP_Probe
  port 389

I was trying to figure out if this a modified TCL script for LDAP or modifed TCP TCL script specific for port 636.

This is how I applied the script for LDAP port 389.

script file 1 LDAP_PROBE
!
probe scripted LDAP_PROBE_389
interval 5
passdetect interval 30
receive 5
script LDAP_PROBE

!

serverfarm host SF-LDAP-389
description SF LDAP Port 389
predictor leastconns
probe LDAP_PROBE_389
rserver LDAP-RS1-389
inservice

I will be more than glad to provide you any additional information that you need.

As always thanks for your input.

Raman Azizian

SAIC/NISN Network services

4 REPLIES
Cisco Employee

Re: Looking for ACE Probe TCL script specific for LDAPS

Unfortunately, there is no supported LDAPS probe for the ACE module.

 

The only supported LDAP probe on the ACE module is the unsecure scripted probe,
LDAP_PROBE. See:

 

http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/vA2_3_0/configurat
ion/slb/guide/script.html#wp1111558
Typically, customers use a simple TCP probe for LDAPS. Example: probe tcp LDAPS_Probe   port 636 Or you could go a bit further and use the SSL scripted probe on port 636. Example: script file 1 SSL_PROBE_SCRIPT probe scripted SSL636_SCRIPT_PROBE   script SSL_PROBE_SCRIPT   port 636
New Member

Re: Looking for ACE Probe TCL script specific for LDAPS

Dear,

If you are bombing with simple TCP probe a secure LDAP server then it's syslog will be full with error.

Isn't there any real LDAPS probe for ACE with real SSL handshake?

Cisco Employee

Re: Looking for ACE Probe TCL script specific for LDAPS

normally you would engage a TCL developer or ciso advanced services to develop a custom script for anything other than what Cisco provides in canned scripts. If you are comfortable with tcl you can do it yourself. Here is an example of the LDAP script modified to include initiation via ssl.  default port is 389 when you implement you would specify 636.

#!name = LDAP_PROBE
########################################################################################
# Description:
#    LDAP_PROBE opens a TCP connection to an LDAP server, sends a bind request. and 
#    determines whether the bind request succeeds.  LDAP_PROBE then closes the 
#    connection with a TCP RST.
#
#    If a port is specified in the "probe scripted" configuration, the script probes 
#     each suspect on that port. If no port is specified, the default LDAP port 389
#     is used.
#
# Success:
#   The script succeeds if the server returns a bind response indicating success
#    (status code 0x0a0100) to the bind request.
#   The script closes the TCP connection with a RST following a successful attempt.
#
# Failure:
#   The script fails due to timeout if the response is not returned.  This
#    includes a failure to receive ARP resolution, a failure to create a TCP connection
#    to the port, or a failure to return a response to the LDAP bind request. 
#   The script also fails if the server bind response does not indicate success.
#    This specific error returns the 30002 error code.
#   The script closes any attempted TCP connection, successful or not, with a RST.
#
#  PLEASE NOTE:  This script expects the server LDAP bind response to specify length
#   in ASN.1 short definite form.  Responses using other length forms (e.g., long
#   definite length form) will require script modification to achieve success.
#
# SCRIPT version: 1.0       April 1, 2008
#    
# Parameters:
#     [DEBUG]
#      username - user login name 
#      password - password
#      DEBUG        - optional key word 'DEBUG'. default is off
#         Do not enable this flag while multiple probe suspects are configured for this 
#         script.
#
# Example config :
#   probe scripted USE_LDAP_PROBE
#         script LDAP_PROBE 
#
#  
#   Values configured in the "probe scripted" configuration populate the
#   scriptprobe_env array.  These may be accessed or manipulated if desired.
#
# Documentation:
#    A detailed discussion of the use of scripts on the ACE is included in 
#       "Using Toolkit Command Language (TCL) Scripts with the ACE" 
#    in the "Load-Balancing Configuration Guide" section of the ACE documentation set.
#
# Copyright (c) 2005-2008 by Cisco Systems, Inc.
########################################################################################

#-------------------------------------------
# debug procedure
# set the EXIT_MSG environment variable to help debug
# also print the debug message when debug flag is on
#-------------------------------------------

proc ace_debug { msg } { 
    global debug ip port EXIT_MSG

    set EXIT_MSG $msg
    if { [ info exists ip ] && [ info exists port ] } { 
     set EXIT_MSG "[ info script ]:$ip:$port: $EXIT_MSG "
    }  
    if { [ info exists debug ] && $debug } { 
     puts $EXIT_MSG
    } 
} 



#-------------------------------------------
# main 
#-------------------------------------------

# parse cmd line args and initialize variables
## set debug value
set debug 0
if { [ regsub -nocase "DEBUG" $argv "" argv] } {
    set debug 1 
} 

ace_debug "initializing variable"
set EXIT_MSG "Error config:  script LDAP_PROBE \[DEBUG\]"


set ip $scriptprobe_env(realIP) 
set port $scriptprobe_env(realPort) 
# if port is zero the use well known ldap port 389
if { $port == 0 } { 
    set port 389
}  

#####################
# PROBE START
#####################


# open connection 
ace_debug "opening socket"
set sock [  socket -sslversion all -sslcipher RSA_WITH_RC4_128_MD5 $ip $port ]
fconfigure $sock -buffering line -translation binary

# send a standard anonymous bind request
ace_debug "sending ldap bind request"
puts -nonewline $sock [ binary format "H*" 300c020101600702010304008000 ]
flush $sock

#  read string back from server
ace_debug "receiving ldap bind result"
set line [read $sock 14]
binary scan $line H* res
binary scan $line @7H6 code
ace_debug "received $res with code $code"


#  close connection
ace_debug "closing socket"
close $sock

#  make probe fail by exit with 30002 if ldap reply code != success code  0x0a0100
if {  $code != "0a0100" } { 
    ace_debug " probe failed : expect response code \'0a0100\' but received \'$code\'"
    exit 30002
} 

## make probe success by exit with 30001
ace_debug "probe success"
exit 30001



New Member

Re: Looking for ACE Probe TCL script specific for LDAPS

I know this solution but I was looking for something ready. I'm not so familiar with TCL but it seems I'll have to...

It's a kind of "pursuit of the principle of minimum energy"...

2007
Views
0
Helpful
4
Replies
CreatePlease to create content