Dietmar_Moltner
Sep 30, 2013

APM access::session question

Hi all,

I am currently creating an APM policy (we are using 11.3) which uses an LDAP query to read several attributes from the authenticated user into the session variables "session.ldap.last.attr.xxx" (Example: the shortname of the user from LDAP is stored as "session.ldap.last.attr.shortname"). Is there any chance to read all attributes located under "session.ldap.last.attr"? It would be perfect if I could read all "keys" under session.ldap.last.attr so that I can access the different LDAP attributes from iRules dynamically.

Any ideas on that?

Thx in advance for your support

4 Replies

  • Unfortunately, the APM session table doesn't expose its elements like a collection or list, so you must address variables explicitly.

  • Kevin,

    Thx for your fast response. Maybe there is another way to achieve the goal: my intention is to add the related LDAP attributes within the policy (AD query) and find this set of LDAP attributes in the session to inject it in the traffic to the backend as headers. The idea is to set the list of LDAP attributes only at one point in the policy so that the solution is dynamic, i.e. I do not want to hardcode the attribute names also within the iRule.

    Any further ideas on that?

  • That isn't going to be easy. The APM session table is neither a list nor an array, and cannot be queried for "all matching values". The LDAP attributes will fill the table upon a successful query and will be available, by name, from that point forward.

    That said, you could technically create a list object beforehand of all the LDAP objects that you care about, then cycle through them. Example:

    when ACCESS_ACL_ALLOWED {
        # LDAP attribute names to forward to the backend as request headers
        set ldaplist [list "cn" "sn" "description" "whenCreated" "whenChanged" "displayName" "name" "objectGUID" "lastLogoff" "lastLogon" "primaryGroupID" "objectSid" "sAMAccountName" "userPrincipalName"]

        foreach x $ldaplist {
            # Look up each attribute by its explicit session variable name
            HTTP::header insert $x [ACCESS::session data get session.ldap.last.attr.$x]
        }
    }
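
Added example, not part of the original thread: one way to keep the attribute list in the access policy instead of the iRule, as asked above, while making sure the backend only ever sees headers set by APM. It assumes the policy writes a space-separated list of attribute names into a session variable called `session.custom.ldap_attrs` (a hypothetical name, set for instance with a Variable Assign item).

```tcl
when ACCESS_ACL_ALLOWED {
    # Assumption: the access policy stores a space-separated list of LDAP
    # attribute names in session.custom.ldap_attrs (hypothetical name),
    # e.g. "cn sn displayName sAMAccountName".
    set attrs [ACCESS::session data get session.custom.ldap_attrs]

    foreach attr [split $attrs " "] {
        # Accept only plain LDAP attribute names; this also skips the empty
        # tokens produced by repeated spaces.
        if { ![regexp {^[A-Za-z][A-Za-z0-9-]*$} $attr] } { continue }

        # Remove any header of the same name sent by the client, so a user
        # cannot supply their own "sAMAccountName" to the backend.
        HTTP::header remove $attr

        set value [ACCESS::session data get session.ldap.last.attr.$attr]

        # Skip attributes the query did not return, and values containing
        # CR/LF that would break header framing.
        if { $value eq "" || [regexp {[\r\n]} $value] } { continue }

        HTTP::header insert $attr $value
    }
}
```

The backend should trust these headers only on connections that arrive through the BIG-IP, since the removal step protects nothing on a path that bypasses it.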