Forum Discussion
APM Access Policy - Pass LDAP or AD Query variable
Is it possible to query whether a user has a value for one or another variable then use that to pass or fail passage down the rest of the swimlane for access? (e.g.- expr {[mcget {session.ad.session.ad.last.attr.variable1}] != 0 || [mcget {session.ad.session.ad.last.attr.variable2}] != 0} where the two variables are numbers or a non-constant string, but do have a value...and are not "<not set>".
Is it also possible to have another path where the lack of a value for the expr {[mcget {session.ad.session.ad.last.attr.variable1}] == 0, can be sent to a uri or url?
Any assistance would be greatly appreciated!
- Leslie_HubertusRet. Employee
Lucas_Thompson may be able to help with this one.
Someone suggested this: https://community.f5.com/t5/technical-forum/apm-session-attribute-exists/td-p/260927
and that mostly works for me....but does the same logic still work if it's either of the variables that are true, i.e.
expr {[mcget {session.ad.session.ad.last.attr.variable1}] != "" || [mcget {session.ad.session.ad.last.attr.variable2}] != ""}
?
- Lucas_ThompsonEmployee
Yep "||" works like that. For most cases, you can use "tclsh" on the BIG-IP command line to test small snippets like this (it doesn't support things like "contains" or "mcget" though, you have to substitute in your values there), for example:
Can tclsh be used as APM AD Query in VPE? It would use the logic like if this variable/attribue has a value or this other variable/attribute has a value, proceed down this path.
If it doesn't, what would? An iRule? And what would the iRule have to look like?
Sorry for so many questions...Thanks!
Recent Discussions
Related Content
* Getting Started on DevCentral
* Community Guidelines
* Community Terms of Use / EULA
* Community Ranking Explained
* Community Resources
* Contact the DevCentral Team
* Update MFA on account.f5.com