ACE30 Script Issues, LDAP_PROBE

slambe (Level 1)

The default script operates on an anonymous bind operation, and since Windows 2003 and beyond, MS does not support Anonymous Bind against LDAP as a default setting.  I have found a TCL script on the Internet that, when modified, returns Error Code 30002.  This seems better than I was getting with the default script, and I know that TAC cannot support modified TCL scripts.  I was wondering if I have the modified script configured correctly, and if not, what I may need to correct it.  I have posted both the default script below, as well as the modified script I am attempting.


Default LDAP_PROBE script without the initial comments:

#-------------------------------------------
# debug procedure
# set the EXIT_MSG environment variable to help debug
# also print the debug message when debug flag is on
#-------------------------------------------

proc ace_debug { msg } {
global debug ip port EXIT_MSG

set EXIT_MSG $msg
if { [ info exists ip ] && [ info exists port ] } {
set EXIT_MSG "[ info script ]:$ip:$port: $EXIT_MSG "
}
if { [ info exists debug ] && $debug } {
puts $EXIT_MSG
}
}

#-------------------------------------------
# main
#-------------------------------------------

# parse cmd line args and initialize variables
## set debug value
set debug 0
if { [ regsub -nocase "DEBUG" $argv "" argv] } {
set debug 1
}

ace_debug "initializing variable"
set EXIT_MSG "Error config:  script LDAP_PROBE \[DEBUG\]"


set ip $scriptprobe_env(realIP)
set port $scriptprobe_env(realPort)
# if port is zero the use well known ldap port 389
if { $port == 0 } {
set port 389
}

#####################
# PROBE START
#####################


# open connection
ace_debug "opening socket"
set sock [ socket $ip $port ]
fconfigure $sock -buffering line -translation binary

# send a standard anonymous bind request
ace_debug "sending ldap bind request"
puts -nonewline $sock [ binary format "H*" 300c020101600702010304008000 ]
flush $sock

#  read string back from server
ace_debug "receiving ldap bind result"
set line [read $sock 14]
binary scan $line H* res
binary scan $line @7H6 code
ace_debug "received $res with code $code"


#  close connection
ace_debug "closing socket"
close $sock

#  make probe fail by exit with 30002 if ldap reply code != success code  0x0a0100
if {  $code != "0a0100" } {
ace_debug " probe failed : expect response code \'0a0100\' but received \'$code\'"
exit 30002
}

## make probe success by exit with 30001
ace_debug "probe success"
exit 30001

Modified LDAP_PROBE script I am attempting:

#-------------------------------------------

proc ace_debug { msg } {
global debug ip port EXIT_MSG

set EXIT_MSG $msg
if { [ info exists ip ] && [ info exists port ] } {
set EXIT_MSG "[ info script ]:$ip:$port: $EXIT_MSG "
}
if { [ info exists debug ] && $debug } {
puts $EXIT_MSG
}
}

#-------------------------------------------
# main
#-------------------------------------------

# parse cmd line args and initialize variables
## set debug value
set debug 1
if { [ regsub -nocase "DEBUG" $argv "" argv] } {
set debug 1
}

ace_debug "initializing variable"
set EXIT_MSG "Error config:  script ADV_LDAP_PROBE \[DEBUG\]"

set ip $scriptprobe_env(realIP)
# NOTE: the probe's realPort is not read here; port is forced to 0 and so to 389
# below. Use $scriptprobe_env(realPort) as in the default script to honour the
# port configured on the probe.
set port "0"

# BER pieces of the BindRequest, assembled by hand as hex strings
set ldap_start "30"              ;# SEQUENCE tag of the LDAPMessage
set ldap_bindheader "02010160"   ;# INTEGER messageID 1, then the [APPLICATION 0] BindRequest tag
set ldap_bind "0201"             ;# INTEGER tag + length for the protocol version
set ldap_version "02"            ;# version 2 as posted; use "03" for an LDAPv3 bind
set ldap_gap1 "04"               ;# OCTET STRING tag for the bind DN
set ldap_gap2 "80"               ;# [0] simple authentication (the password)

set ldap_bindheader_len 5        ;# bytes in messageID + BindRequest tag + its length byte
set base_len 0c                  ;# 12 = LDAPMessage body length with empty DN and password

set ldap_simple_auth "8007"      ;# unused

# hex-encode one character as exactly two hex digits (assumes ASCII credentials)
proc toASCII { char } {
scan $char %c value
return [format %02x $value]
}

# bind DN and password are hard-coded here; a simple bind sends them in clear
# text over port 389, so use a dedicated account with minimal rights for the probe
set username "testb!nd1"
# set username [ lindex $argv 0 ]
set hexusername ""

set password "testb!nd1"
# set password [ lindex $argv 1 ]
set hexpassword ""

foreach char [split $username ""] {
set hexchar [toASCII $char]
append hexusername $hexchar
}

foreach char [split $password ""] {
set hexchar [toASCII $char]
append hexpassword $hexchar
}

set username_len [string length $username]
ace_debug $username_len

set password_len [string length $password]
ace_debug $password_len

set base_len [expr 0x$base_len]

set seq_len [expr $username_len + $password_len + $base_len]

set sub_seq_len [expr $seq_len - $ldap_bindheader_len]
set seq_len [format %02x $seq_len]
set sub_seq_len [format %02x $sub_seq_len]

set hexldapbindpckt ""
append hexldapbindpckt $ldap_start
append hexldapbindpckt "$seq_len"
append hexldapbindpckt $ldap_bindheader
append hexldapbindpckt $sub_seq_len
append hexldapbindpckt $ldap_bind
append hexldapbindpckt $ldap_version
append hexldapbindpckt $ldap_gap1
append hexldapbindpckt [format %02x $username_len]
append hexldapbindpckt $hexusername
append hexldapbindpckt $ldap_gap2
append hexldapbindpckt [format %02x $password_len]
append hexldapbindpckt $hexpassword

# if port is zero the use well known ldap port 389
if { $port == 0 } {
set port 389
}
#ace_debug $hexldapbindpckt

#####################
# PROBE START
#####################

set errorcode [catch {
set sock [ socket $ip $port ]
} msg ]
if {$errorcode != 0} {
ace_debug $msg
exit 30002
}

fconfigure $sock -buffering line -translation binary

# anonymous bind request
#puts -nonewline $sock [ binary format "H*" 300c020101600702010304008000 ]

puts -nonewline $sock [ binary format "H*" $hexldapbindpckt ]

set code "ffffff"
flush $sock
ace_debug "bef"
# AD encodes the SEQUENCE and BindResponse lengths in long form (84 xx xx xx xx),
# so a successful bind response is 22 bytes and the resultCode starts at offset 15;
# a server using short-form lengths (as assumed by the default script) puts it at 7
set line [read $sock 22]
ace_debug "aft"
binary scan $line H* res
binary scan $line @15H6 code
close $sock

#  make probe fail by exit with 30002 if ldap reply code != success code  0x0a0100
if {  $code != "0a0100" } {
if {  $code == "0a0131" } {
ace_debug " probe failed : expect response code \'0a0100\' but received \'$code\' = invalidCredentials"
} else {
ace_debug " probe failed : expect response code \'0a0100\' but received \'$code\'"
}
exit 30002
}

## make probe success by exit with 30001
ace_debug "probe success"
exit 30001

3 Replies

ciscocsoc (Level 4)

Hi,

Looks OK - if a little complicated.  If you look through the archives of this group you'll see a number of threads on writing LDAP scripts with credentials and I posted a short perl script to generate the bind string.  Once you've created the new bind string then the important modification to the script is the one you have already made - to look for the return code later in the bindresponse:

binary scan $line @15H6 code

This is because MS AD uses length-of-length ASN.1 encoding.

HTH

Cathy
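To make the two points of this thread concrete (the hand-built BindRequest in the modified script above, and Cathy's note that the resultCode has to be found at offset 15 because AD uses long-form BER lengths), here is an added example that is not part of the thread and does not run on the ACE: a plain Python model of the same exchange. It builds the BindRequest from its BER pieces, constructs sample BindResponses in both the short-form layout (as the default script expects) and the AD-style 0x84 four-byte layout, and decodes them with a length-aware parser so the 7 versus 15 offset is derived rather than hard-coded. The sample responses are constructed here, the "testb!nd1" value is the one from the post, and the names (build_simple_bind, parse_bind_response, message_length and so on) are mine. One caveat this model makes visible: a simple bind carries the password in clear text over port 389, so the probe account should have minimal rights, and an AD that requires LDAP signing will reject such a bind outright.

```python
"""Offline model of the LDAP simple-bind probe exchange (added example, not ACE code).
Uses only the standard library; all sample responses are constructed inline."""

LDAP_SUCCESS = 0
LDAP_INVALID_CREDENTIALS = 0x31          # 49
ACE_PROBE_PASS, ACE_PROBE_FAIL = 30001, 30002   # exit codes used by the ACE scripts


def ber_len(n: int) -> bytes:
    """BER length: short form below 128, else 0x80|k followed by k big-endian bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def ad_len(n: int) -> bytes:
    """Length as Active Directory emits it for constructed types: 0x84 + 4 bytes."""
    return b"\x84" + n.to_bytes(4, "big")


def tlv(tag: int, value: bytes, enc=ber_len) -> bytes:
    return bytes([tag]) + enc(len(value)) + value


def build_simple_bind(msg_id: int, bind_dn: str, password: str, version: int = 3) -> bytes:
    """LDAPMessage{ messageID, BindRequest{ version, name, simple password } }.
    Assumes msg_id < 128 and version in (2, 3) so one-byte INTEGER bodies suffice."""
    assert 0 <= msg_id < 128 and version in (2, 3)
    bind_req = (tlv(0x02, bytes([version]))      # INTEGER version
                + tlv(0x04, bind_dn.encode())    # OCTET STRING name (bind DN)
                + tlv(0x80, password.encode()))  # [0] simple authentication
    return tlv(0x30, tlv(0x02, bytes([msg_id])) + tlv(0x60, bind_req))


def build_bind_response(msg_id: int, code: int, diag: str = "", ad_style: bool = False) -> bytes:
    """Constructed sample BindResponse. ad_style mimics AD: long-form lengths on the
    SEQUENCE and [APPLICATION 1] wrappers, short-form lengths on the primitives."""
    outer = ad_len if ad_style else ber_len
    body = tlv(0x0A, bytes([code])) + tlv(0x04, b"") + tlv(0x04, diag.encode())
    return tlv(0x30, tlv(0x02, bytes([msg_id])) + tlv(0x61, body, outer), outer)


def read_tlv(buf: bytes, pos: int):
    """Decode one element at pos -> (tag, value_start, value_end); both length forms."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, hdr = first, 2
    else:
        k = first & 0x7F
        length, hdr = int.from_bytes(buf[pos + 2:pos + 2 + k], "big"), 2 + k
    start, end = pos + hdr, pos + hdr + length
    if end > len(buf):
        raise ValueError("truncated BER element")
    return tag, start, end


def message_length(prefix: bytes) -> int:
    """Size of the whole LDAPMessage from its tag and length octets alone, so a probe
    can read exactly that many bytes instead of guessing 14 or 22."""
    first = prefix[1]
    if first < 0x80:
        return 2 + first
    k = first & 0x7F
    if len(prefix) < 2 + k:
        raise ValueError("need more header bytes")
    return 2 + k + int.from_bytes(prefix[2:2 + k], "big")


def parse_bind_response(buf: bytes) -> dict:
    tag, pos, _ = read_tlv(buf, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    tag, s, e = read_tlv(buf, pos)                  # INTEGER messageID
    msg_id, pos = int.from_bytes(buf[s:e], "big"), e
    tag, pos, _ = read_tlv(buf, pos)                # [APPLICATION 1] BindResponse
    if tag != 0x61:
        raise ValueError("not a BindResponse")
    code_offset = pos                               # where the Tcl '@NH6' scan must point
    tag, s, e = read_tlv(buf, pos)                  # ENUMERATED resultCode
    code, pos = int.from_bytes(buf[s:e], "big"), e
    tag, s, e = read_tlv(buf, pos)                  # LDAPDN matchedDN
    matched, pos = buf[s:e].decode(errors="replace"), e
    tag, s, e = read_tlv(buf, pos)                  # LDAPString diagnosticMessage
    return {"msg_id": msg_id, "result_code": code, "result_code_offset": code_offset,
            "matched_dn": matched, "diagnostic": buf[s:e].decode(errors="replace")}


def probe_exit_code(resp: bytes) -> int:
    """Same verdict the Tcl scripts reach via exit 30001 / 30002."""
    return ACE_PROBE_PASS if parse_bind_response(resp)["result_code"] == LDAP_SUCCESS else ACE_PROBE_FAIL


if __name__ == "__main__":
    print(build_simple_bind(1, "", "").hex())      # the anonymous bind from the default script
    for name, resp in (("short-form server", build_bind_response(1, 0)),
                       ("AD-style server", build_bind_response(1, 0, ad_style=True))):
        print(name, message_length(resp[:6]), parse_bind_response(resp))
```

Run as a script it prints 300c020101600702010304008000 (the default script's anonymous bind, byte for byte) and shows the resultCode at offset 7 for the short-form response and at offset 15 for the AD-style one. The message_length helper is the piece worth carrying back into a Tcl probe: reading the outer header first and then exactly that many bytes avoids a blocking read when a server answers with a different length encoding than the fixed 14 or 22 assumes.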

slambe (Level 1)

See Context configuration example:

ACE/4710 configuration statements:

!
script file name defaultldap.tcl
!
probe scripted LDAP_PROBE
  description Interactive LDAP Query Probe
  port 389
  interval 15
  passdetect interval 15
  receive 5
  script defaultldap.tcl cn=,cn=roles,cn=,dc=,dc=
!
# Note: no spaces in the script argument line above!

#!name = ADV_LDAP_PROBE

We have successfully tested this in multiple Contexts with great success. I will admit that I did not figure this out, but fellow team members did!

I would like to add the following modified script for OpenLDAPv3 for health probes. See the comments in the text header of the script for the specific modifications. This script was validated using a Debian distro with OpenLDAP v3; slapd debug output indicated where to look in the response for the specific sections to modify in this script. Many thanks to my team-mates who spent the man-hours to determine exactly what was needed.
