cisco ace loadbalancer A2(2.4) advanced ldap probe

ADV_LDAP_PROBE.tcl

#!name = ADV_LDAP_PROBE
########################################################################################
#### > user for linux tclsh !/usr/bin/tclsh8.4
# changes to cisco's original probe
# * username and password with ldap simple bind (dynamically generated packets)
# * unable to connect exception handling
# * debug message for invalidCredentials
#-------------------------------------------
# debug procedure
# set the EXIT_MSG environment variable to help debug
# also print the debug message when debug flag is on
#-------------------------------------------

proc ace_debug { msg } { 
    global debug ip port EXIT_MSG

    set EXIT_MSG $msg
    if { [ info exists ip ] && [ info exists port ] } { 
        set EXIT_MSG "[ info script ]:$ip:$port: $EXIT_MSG "
    }  
    if { [ info exists debug ] && $debug } { 
        puts $EXIT_MSG
    } 
} 

#-------------------------------------------
# main 
#-------------------------------------------

# parse cmd line args and initialize variables
## set debug value
set debug 1
if { [ regsub -nocase "DEBUG" $argv "" argv] } {
    set debug 1 
} 

ace_debug "initializing variable"
set EXIT_MSG "Error config:  script ADV_LDAP_PROBE \[DEBUG\]"


set ip $scriptprobe_env(realIP) 
set port "0"

set ldap_start "30"
set ldap_bindheader "02010160"
set ldap_bind "0201"
set ldap_version "02"
set ldap_gap1 "04"
set ldap_gap2 "80"

set ldap_bindheader_len 5
set base_len 0c

set ldap_simple_auth "8007"

proc toASCII { char } {
   scan $char %c value
   return [format %-x $value]
}


set username [ lindex $argv 0 ]
set hexusername ""

set password [ lindex $argv 1 ]
set hexpassword ""


foreach char [split $username ""] {
     set hexchar [toASCII $char]
     append hexusername $hexchar
}

foreach char [split $password ""] {
     set hexchar [toASCII $char]
     append hexpassword $hexchar
}

set username_len [string length $username]
ace_debug $username_len

set password_len [string length $password]
ace_debug $password_len

set base_len [expr 0x$base_len]

set seq_len [expr $username_len + $password_len + $base_len]

set sub_seq_len [expr $seq_len - $ldap_bindheader_len]
set seq_len [format %02x $seq_len]
set sub_seq_len [format %02x $sub_seq_len]




set hexldapbindpckt ""
append hexldapbindpckt $ldap_start
append hexldapbindpckt "$seq_len"
append hexldapbindpckt $ldap_bindheader
append hexldapbindpckt $sub_seq_len
append hexldapbindpckt $ldap_bind
append hexldapbindpckt $ldap_version
append hexldapbindpckt $ldap_gap1
append hexldapbindpckt [format %02x $username_len]
append hexldapbindpckt $hexusername
append hexldapbindpckt $ldap_gap2
append hexldapbindpckt [format %02x $password_len]
append hexldapbindpckt $hexpassword

# if port is zero the use well known ldap port 389
if { $port == 0 } { 
    set port 389
}  
#ace_debug $hexldapbindpckt

#####################
# PROBE START
#####################

set errorcode [catch {
        set sock [ socket $ip $port ]
} msg ]
if {$errorcode != 0} {
        ace_debug $msg
        exit 30002
}

fconfigure $sock -buffering line -translation binary

# anonymous bind request
#puts -nonewline $sock [ binary format "H*" 300c020101600702010304008000 ]


puts -nonewline $sock [ binary format "H*" $hexldapbindpckt ]

set code "ffffff"

flush $sock
ace_debug "bef"
set line [read $sock 22]
ace_debug "aft"
binary scan $line H* res
binary scan $line @15H6 code
close $sock

#  make probe fail by exit with 30002 if ldap reply code != success code  0x0a0100
if {  $code != "0a0100" } { 
    if {  $code == "0a0131" } {
        ace_debug " probe failed : expect response code \'0a0100\' but received \'$code\' = invalidCredentials"
    } else {
        ace_debug " probe failed : expect response code \'0a0100\' but received \'$code\'"
    }
    exit 30002
} 

## make probe success by exit with 30001
ace_debug "probe success"
exit 30001