APM Access Policy - Pass LDAP or AD Query variable

Question

Is it possible to query whether a user has a value for one or another variable then use that to pass or fail passage down the rest of the swimlane for access? (e.g.- expr {[mcget {session.ad.session.ad.last.attr.variable1}] != 0 || [mcget {session.ad.session.ad.last.attr.variable2}] != 0} where the two variables are numbers or a non-constant string, but do have a value...and are not "<not set>".

Is it also possible to have another path where the lack of a value for the expr {[mcget {session.ad.session.ad.last.attr.variable1}] == 0, can be sent to a uri or url?

Any assistance would be greatly appreciated!

lucas_thompson · Answer

Yep "||" works like that. For most cases, you can use "tclsh" on the BIG-IP command line to test small snippets like this (it doesn't support things like "contains" or "mcget" though, you have to substitute in your values there), for example:

&nbsp;
&nbsp;
&nbsp;

leslie_hubertus · Answer

Lucas_Thompson&nbsp;may be able to help with this one.&nbsp;

lucas_thompson · Answer

Sorry for the confusion, no I was suggesting to use tclsh to check TCL syntax itself, such as how to use expr and combine logical operators and test precedence, such as how || and &amp;&amp; relate, etc. tclsh is not used by the data plane in BIG-IP at all. BIG-IP has two TCL interpreters in the data-plane, one is built into TMM (used for irules and per-request policy evaluation) and one is built into APMD (used for per-session policy evaluation such as branch rules and variable assignments).
Basically in VPE in APM, you have two things in each policy-item: Agents and branch rules. The agent runs (AD query or whatever) then fills in the session variables for that agent. After the agent execution, the branch rules are evaluated one-by-one. If one of the branch rules evaluates to True, then it policy execution follows that branch to the next-item in the flowchart. If none of the branch rules evaluate to True, then policy execution follows the Fallback branch.
To see what session variables are set by the agent in the policy-item that you can use for "[mcget xxxxxx]", set the logging to Informational level in the "Access Policy" setting:

So the complex part is mostly just how to construct the TCL to put into the branch rules. VPE has a feature called "expression builder" that lets you construct many of these common ones easily. In the GUI this is called a "simple" expression. You can do something like this as a "this group or that group" kind of selection:

Clicking Finished results in a branch rule that looks like this:

You can then go and examine the actual TCL that the expression builder constructs by clicking "change", then "advanced":

Of course you'll need to modify the LDAP DN to match whatever your AD controller sends back from the query, either a full DN or a substring. You can see it uses "contains" so it can be a partial match too.
&nbsp;
&nbsp;
&nbsp;
&nbsp;
&nbsp;

lucas_thompson · Answer

If you get a log that the variable is not found, then the AD Query agent must not have created it. The LDAP Search performed by AD Query includes a default attribute filter that you can adjust or remove. By default only these "Required Attributes" are returned by the search:

So if you need additional attributes than these, you can add them.

jamie_staples · Answer

Someone suggested this:&nbsp;https://community.f5.com/t5/technical-forum/apm-session-attribute-exists/td-p/260927and that mostly works for me....but does the same logic still work if it's either of the variables that are true, i.e.expr {[mcget {session.ad.session.ad.last.attr.variable1}] != "" || [mcget {session.ad.session.ad.last.attr.variable2}] != ""}?

Forum Discussion

APM Access Policy - Pass LDAP or AD Query variable

Recent Discussions

Can you set Kerberos AAA server via session variable?

HTML Code injection Not detected by ASM

What will be happen to live and existing connections when failover HA BIG IP active-standby

SSL Offload and remove FQDN

High CPU utilization (100%).

Related Content

Federated AWS Console Access Made Easy: F5 BIG-IP Access Policy Manager Access Guided Configurations

Reviewing vulnerability scanner results for an Access Policy Manager (APM) protected Virtual Server

Harnessing the power of F5 BIG-IP Access Policy Manager (APM) and Microsoft

F5 BIG-IP Access Policy Manager (APM) Identity-based steering with SSL Orchestrator (SSLO)

Auditing Security Policy Updates

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS