Forum Discussion

jamie_staples's avatar
Jan 23, 2023

APM Access Policy - Pass LDAP or AD Query variable

Is it possible to query whether a user has a value for one or another variable then use that to pass or fail passage down the rest of the swimlane for access? (e.g.- expr {[mcget {session.ad.session.ad.last.attr.variable1}] != 0 || [mcget {session.ad.session.ad.last.attr.variable2}] != 0} where the two variables are numbers or a non-constant string, but do have a value...and are not "<not set>".

Is it also possible to have another path where the lack of a value for the expr {[mcget {session.ad.session.ad.last.attr.variable1}] == 0, can be sent to a uri or url?

Any assistance would be greatly appreciated!

    • Lucas_Thompson's avatar
      Lucas_Thompson
      Icon for Employee rankEmployee

      Yep "||" works like that. For most cases, you can use "tclsh" on the BIG-IP command line to test small snippets like this (it doesn't support things like "contains" or "mcget" though, you have to substitute in your values there), for example:

       

       

       

      • jamie_staples's avatar
        jamie_staples
        Icon for Cirrus rankCirrus

        Can tclsh be used as APM AD Query in VPE?  It would use the logic like if this variable/attribue has a value or this other variable/attribute has a value, proceed down this path.

        If it doesn't, what would?  An iRule?  And what would the iRule have to look like?

        Sorry for so many questions...Thanks!