Forum Discussion
Sheigh_65772
Cirrus
May 08, 2015
11.5.1 to 11.6.0 HF 4 - APM - Failing Active Directory Query
In moving from 11.5.1 to 11.6.0 HF4 I've come to find that my APM Active Directory query has broken. The SearchFilter I'm creating is based upon the Subject of a client PKI certificate which is then ...
Sheigh_65772
Cirrus
May 10, 2015
Here's my iRule:

    if {[ACCESS::policy agent_id] == "ldapsrchstr"} {
        set lcu_ldapsearch_userCert "(&"
        if { [info exists user_key_apm] and [table lookup -subtable $client_table $user_key_apm] != "" } {
            set lcu_list [split [lindex [table lookup -subtable $client_table $user_key_apm] 2] ","]
            foreach lcu_list_item $lcu_list {
                append lcu_ldapsearch_userCert "(userCertificate=*" $lcu_list_item "*)"
            }
            append lcu_ldapsearch_userCert "(objectClass=user)(objectCategory=person))"
            set lcu_ldapsearch_userCert [string map [list *OU= * *C= * *CN= * *O= *] $lcu_ldapsearch_userCert]
            ACCESS::session data set session.custom.ldapsearchuserCert $lcu_ldapsearch_userCert
            log local0. "trimmed newmethod ldapsrchstr apm session lcu_ldapsearch_userCert [ACCESS::session data get session.custom.ldapsearchuserCert]"
        }

ltm log
May 10 11:19:04 bigip info tmm[19795]: Rule /Common/ldap_cert_use : trimmed newmethod ldapsrchstr apm session lcu_ldapsearch_userCert (&(userCertificate=*cn-value1*)(userCertificate=*ou-value1*)(userCertificate=*ou-value2*)(userCertificate=*ou-value3*)(userCertificate=*o-value1*)(userCertificate=*c-value1*)(objectClass=user)(objectCategory=person))
apm log
May 10 11:19:03 bigip notice tmm3[19796]: 01490544:5: eca9c6fa: Received client info - Type: IE Version: 10 Platform: Win7 CPU: WOW64 UI Mode: Full Javascript Support: 1 ActiveX Support: 1 Plugin Support: 0
May 10 11:19:03 bigip notice tmm3[19796]: 01490500:5: eca9c6fa: New session from client IP {clientip} (ST=/CC=/C=) at VIP {vip} Listener /Common/citrix_iapp.app/citrix_iapp_webui (Reputation=Unknown)
May 10 11:19:08 bigip err apd[13568]: 01490107:3: eca9c6fa: AD module: query with '\28&\28userCertificate=\2acn-value1\2a\29\28userCertificate=\2aou-value1\2a\29\28userCertificate=\2aou-value2\2a\29\28userCertificate=\2aou-value3\2a\29\28userCertificate=\2ao-value1\2a\29\28userCertificate=\2ac-value1\2a\29\28objectClass=user\29\28objectCategory=person\29\29' failed: Bad search filter, base: dc=my,dc=domain,dc=com, scope: 2, filter: \28&\28userCertificate=\2acn-value1\2a\29\28userCertificate=\2aou-value1\2a\29\28userCertificate=\2aou-value2\2a\29\28userCertificate=\2aou-value3\2a\29\28userCertificate=\2ao-value1\2a\29\28userCertificate=\2ac-value1\2a\29\28objectClass=user\29\28objectCategory=person\29\29 (-7)
- Sheigh_65772, May 10, 2015
Cirrus
Missed a closing } when I copied the iRule over, but it's there.
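
Added example, not part of the original thread and not F5 code: in the apd error above, every `(`, `)` and `*` of the filter appears as `\28`, `\29` and `\2a`, the RFC 4515 escapes for literal characters, so the directory receives no filter structure. This Python sketch decodes the logged filter for comparison with what the iRule logged, and shows escaping applied to the assertion values only; the sample strings are constructed (shortened from the logs above) and all function names are hypothetical.

```python
import re

# Constructed samples, shortened from the ltm and apm log entries in the post.
LTM_FILTER = "(&(userCertificate=*cn-value1*)(objectClass=user)(objectCategory=person))"
APD_LINE = (r"May 10 11:19:08 bigip err apd[13568]: 01490107:3: eca9c6fa: AD module: "
            r"query with '...' failed: Bad search filter, base: dc=my,dc=domain,dc=com, "
            r"scope: 2, filter: \28&\28userCertificate=\2acn-value1\2a\29"
            r"\28objectClass=user\29\28objectCategory=person\29\29 (-7)")

_HEX = re.compile(r"\\([0-9a-fA-F]{2})")
_SPECIAL = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def filter_from_apd(line):
    """Return the filter string apd reported, without the trailing error code."""
    m = re.search(r"filter: (.*) \(-?\d+\)$", line)
    return m.group(1) if m else None


def unescape(text):
    """Decode RFC 4515 backslash-hex escapes back to the characters they stand for."""
    return _HEX.sub(lambda m: chr(int(m.group(1), 16)), text)


def escaped_as_value(flt):
    """True when the filter syntax itself was escaped: no leading '(' until decoded."""
    return not flt.startswith("(") and unescape(flt).startswith("(")


def escape_value(value):
    """Escape one assertion value so it cannot alter the filter structure."""
    return "".join(_SPECIAL.get(ch, ch) for ch in value)


def build_filter(subject_parts):
    """Substring-match each subject component; only the values are escaped."""
    terms = "".join("(userCertificate=*%s*)" % escape_value(p) for p in subject_parts)
    return "(&%s(objectClass=user)(objectCategory=person))" % terms


if __name__ == "__main__":
    sent = filter_from_apd(APD_LINE)
    print("whole filter escaped:", escaped_as_value(sent))
    print("decodes to the iRule's filter:", unescape(sent) == LTM_FILTER)
    print("value with parentheses:", build_filter(["cn-value1", "Example (US)"]))
```

A subject component containing parentheses, such as the constructed `Example (US)`, is the case where value-level escaping matters: the value is encoded while the surrounding `(`, `)` and `*` remain filter syntax.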