APM Access Policy - Pass LDAP or AD Query variable

Question

Is it possible to query whether a user has a value for one or another variable then use that to pass or fail passage down the rest of the swimlane for access? (e.g.- expr {[mcget {session.ad.session.ad.last.attr.variable1}] != 0 || [mcget {session.ad.session.ad.last.attr.variable2}] != 0} where the two variables are numbers or a non-constant string, but do have a value...and are not "<not set>".

Is it also possible to have another path where the lack of a value for the expr {[mcget {session.ad.session.ad.last.attr.variable1}] == 0, can be sent to a uri or url?

Any assistance would be greatly appreciated!

lucas_thompson · Answer

Yep "||" works like that. For most cases, you can use "tclsh" on the BIG-IP command line to test small snippets like this (it doesn't support things like "contains" or "mcget" though, you have to substitute in your values there), for example:

&nbsp;
&nbsp;
&nbsp;

leslie_hubertus · Answer

Lucas_Thompson&nbsp;may be able to help with this one.&nbsp;

lucas_thompson · Answer

Sorry for the confusion, no I was suggesting to use tclsh to check TCL syntax itself, such as how to use expr and combine logical operators and test precedence, such as how || and &amp;&amp; relate, etc. tclsh is not used by the data plane in BIG-IP at all. BIG-IP has two TCL interpreters in the data-plane, one is built into TMM (used for irules and per-request policy evaluation) and one is built into APMD (used for per-session policy evaluation such as branch rules and variable assignments).
Basically in VPE in APM, you have two things in each policy-item: Agents and branch rules. The agent runs (AD query or whatever) then fills in the session variables for that agent. After the agent execution, the branch rules are evaluated one-by-one. If one of the branch rules evaluates to True, then it policy execution follows that branch to the next-item in the flowchart. If none of the branch rules evaluate to True, then policy execution follows the Fallback branch.
To see what session variables are set by the agent in the policy-item that you can use for "[mcget xxxxxx]", set the logging to Informational level in the "Access Policy" setting:

So the complex part is mostly just how to construct the TCL to put into the branch rules. VPE has a feature called "expression builder" that lets you construct many of these common ones easily. In the GUI this is called a "simple" expression. You can do something like this as a "this group or that group" kind of selection:

Clicking Finished results in a branch rule that looks like this:

You can then go and examine the actual TCL that the expression builder constructs by clicking "change", then "advanced":

Of course you'll need to modify the LDAP DN to match whatever your AD controller sends back from the query, either a full DN or a substring. You can see it uses "contains" so it can be a partial match too.
&nbsp;
&nbsp;
&nbsp;
&nbsp;
&nbsp;

lucas_thompson · Answer

If you get a log that the variable is not found, then the AD Query agent must not have created it. The LDAP Search performed by AD Query includes a default attribute filter that you can adjust or remove. By default only these "Required Attributes" are returned by the search:

So if you need additional attributes than these, you can add them.

jamie_staples · Answer

Someone suggested this:&nbsp;https://community.f5.com/t5/technical-forum/apm-session-attribute-exists/td-p/260927and that mostly works for me....but does the same logic still work if it's either of the variables that are true, i.e.expr {[mcget {session.ad.session.ad.last.attr.variable1}] != "" || [mcget {session.ad.session.ad.last.attr.variable2}] != ""}?

Forum Discussion

APM Access Policy - Pass LDAP or AD Query variable

9 Replies

F5 Academy at AppWorld 2026

Introducing the F5 AI Assistant for BIG-IP

Recent Discussions

How can I get started with iCall

Connection Rest f5

Kubernetes cert-manager + LetsEncrypt + F5

The GSLB pool is providing an incorrect IP to end users

Unable to ping from some self ip on Velos

Related Content

APM-DHCP Access Policy Example and Detailed Instructions

F5 BIG-IP Access Policy Manager (APM) - Google Authenticator and Microsoft Authenticator

F5 BIG-IP Access Policy Manager (APM) Machine Tunnels for Windows

Federated AWS Console Access Made Easy: F5 BIG-IP Access Policy Manager Access Guided Configurations

APM variable assign examples

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS