Forum Discussion
APM Access Policy - Pass LDAP or AD Query variable
Someone suggested this: https://community.f5.com/t5/technical-forum/apm-session-attribute-exists/td-p/260927
and that mostly works for me... but does the same logic still work if it's either of the variables that are true, i.e.
expr {[mcget {session.ad.session.ad.last.attr.variable1}] != "" || [mcget {session.ad.session.ad.last.attr.variable2}] != ""}
?
- Lucas_Thompson, Jan 24, 2023 (Employee)
Yep, "||" works like that. For most cases, you can use "tclsh" on the BIG-IP command line to test small snippets like this (it doesn't support things like "contains" or "mcget" though; you have to substitute in your values there), for example:
- jamie_staples, Jan 25, 2023 (Cirrus)
Can tclsh be used as an APM AD Query in VPE? It would use logic like: if this variable/attribute has a value or this other variable/attribute has a value, proceed down this path.
If it doesn't, what would? An iRule? And what would the iRule have to look like?
Sorry for so many questions... Thanks!
- Lucas_Thompson, Jan 25, 2023 (Employee)
Sorry for the confusion, no, I was suggesting to use tclsh to check TCL syntax itself, such as how to use expr and combine logical operators and test precedence, such as how || and && relate, etc. tclsh is not used by the data plane in BIG-IP at all. BIG-IP has two TCL interpreters in the data plane: one is built into TMM (used for iRules and per-request policy evaluation) and one is built into APMD (used for per-session policy evaluation such as branch rules and variable assignments).
Basically, in VPE in APM, you have two things in each policy item: agents and branch rules. The agent runs (AD query or whatever) and then fills in the session variables for that agent. After the agent execution, the branch rules are evaluated one by one. If one of the branch rules evaluates to True, then policy execution follows that branch to the next item in the flowchart. If none of the branch rules evaluate to True, then policy execution follows the Fallback branch.
To see what session variables are set by the agent in the policy-item that you can use for "[mcget xxxxxx]", set the logging to Informational level in the "Access Policy" setting:
So the complex part is mostly just how to construct the TCL to put into the branch rules. VPE has a feature called "expression builder" that lets you construct many of the common ones easily. In the GUI this is called a "simple" expression. You can do something like this as a "this group or that group" kind of selection:
Clicking Finished results in a branch rule that looks like this:
You can then go and examine the actual TCL that the expression builder constructs by clicking "change", then "advanced":
Of course you'll need to modify the LDAP DN to match whatever your AD controller sends back from the query, either a full DN or a substring. You can see it uses "contains" so it can be a partial match too.
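As an added example that is not part of the thread or of F5's own code, the tclsh script below does what the replies above describe: it stubs `mcget` with constructed session values so the question's `||` rule, a stand-in for the APM-only `contains` operator, and the `||`/`&&` precedence can be checked offline before the expression is pasted into a VPE branch rule. The session variable names, the group DN and the space-separated memberOf format are assumed sample values, and the `mcget` and `dn_contains` procedures are stubs written for this example, not APM's real implementation.

```tcl
# Added example, not from the thread: emulate APM session variables in plain tclsh
# so a branch-rule expression can be syntax- and logic-checked before it goes
# into the VPE. The variable names, the DN and the memberOf layout are assumed
# sample values; APM's real mcget and its "contains" operator do not exist in tclsh.

# Constructed sample session: variable1 is empty, variable2 holds a DN.
array set session {
    session.ad.last.attr.variable1 {}
    session.ad.last.attr.variable2 {CN=Group2,OU=Groups,DC=example,DC=com}
    session.ad.last.attr.memberOf  {CN=Group2,OU=Groups,DC=example,DC=com CN=Users,OU=Groups,DC=example,DC=com}
}

# Stub standing in for APM's mcget: return the stored value, or "" when unset,
# which is how an attribute the AD query did not return behaves in the rule.
proc mcget {name} {
    global session
    if {[info exists session($name)]} {
        return $session($name)
    }
    return ""
}

# The branch rule from the question, unchanged apart from the stubbed mcget:
# true when either attribute is non-empty.
proc either_set {} {
    expr {[mcget {session.ad.last.attr.variable1}] != "" || [mcget {session.ad.last.attr.variable2}] != ""}
}

# tclsh substitute for APM's "contains": a plain substring test via string first,
# so a partial DN (or a full one) can be tried against the stored attribute.
proc dn_contains {var needle} {
    expr {[string first $needle [mcget $var]] >= 0}
}

puts "either-set rule: [either_set]"
puts "memberOf contains CN=Group2: [dn_contains session.ad.last.attr.memberOf {CN=Group2}]"
puts "memberOf contains CN=Admins: [dn_contains session.ad.last.attr.memberOf {CN=Admins}]"

# Precedence check: && binds tighter than ||, so "a || b && c" is "a || (b && c)".
# With a=1, b=0, c=0 the two forms below give different answers.
set a 1; set b 0; set c 0
puts "a || b && c   = [expr {$a || $b && $c}]"
puts "(a || b) && c = [expr {($a || $b) && $c}]"
```

Run it with `tclsh check_rule.tcl` (file name is your choice). With the sample values the either-set rule and the Group2 test come out true, the Admins test false, and the two precedence lines differ, which is the point of bracketing explicitly when a rule mixes `||` and `&&`. Only the `expr {...}` body goes into the branch rule; the stubs exist solely to make it runnable outside APM.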