Forum Discussion

Constantin123_1
May 23, 2013

APM Advanced User Query

Hi Guys,

I am configuring an APM cluster for Citrix access on published desktops and I would like to achieve the following:

- User authenticates and, based on his/her AD group membership, a Citrix SmartAccess filter is set and then the user will be dropped to the respective published desktop as a full resource assign.

- Also, if the user is a member of 2 or more groups, then based on that more Citrix SmartAccess filters will be set and the user will get access to more published desktops.

The issue here is that I am missing a kind of "case like" statement that allows me to check the user group membership in more than one group and map, using the Citrix access filter, the user to the proper resource group. This kind of implementation existed in the FirePass in the so-called "dynamic group mapping", where there was a mapping table between external AD groups and internal resource groups. If the user was part of more external groups then the user got access to more resource groups.

Do you have any idea how I can implement this on APM?

Many Thanx,


9 Replies

  • Hi, I do this with Network Resources... to do it you need to add a "Full Resource Assign" in the VPN. Click "Add new entry"; in the expression you can configure an "AD Query", "User is a member of" and then add your group name. You will then click "Add/Delete" to add the resources that map to that group. Just keep adding more entries for all the groups you need to map.

    Please let me know if this helps...

    Seth
  • There are probably a few different ways to do this, but here's my interpretation.

    1. Create a data group (ex. "citrix_sa_datagroup") that consists of the memberOf value (string trimmed) and the smartaccess filter for that membership.

    Ex.

    CN=TEST1_GROUP,CN=Users,DC=MYDOMAIN2K3,DC=COM := FOO

    CN=TEST2_GROUP,CN=Users,DC=MYDOMAIN2K3,DC=COM := BAR

    CN=TEST3_GROUP,CN=Users,DC=MYDOMAIN2K3,DC=COM := TEST

    2. Create an Access policy that performs an AD query. If the user is a member of multiple groups it'll show up as a session value (session.ad.last.attr.memberOf) - a list of AD memberships separated by "pipe" delimiters.

    Ex.

    session.ad.last.attr.memberOf = | CN=TEST3_GROUP,CN=Users,DC=MYDOMAIN2K3,DC=COM | CN=TEST2_GROUP,CN=Users,DC=MYDOMAIN2K3,DC=COM | CN=TEST1_GROUP,CN=Users,DC=MYDOMAIN2K3,DC=COM | CN=Domain Users,CN=Users,DC=MYDOMAIN2K3,DC=COM | CN=Users,CN=Builtin,DC=MYDOMAIN2K3,DC=COM |

    3. At the end of the access policy evaluation, in the VPE, and after the AD query, insert an iRule event agent and give it a unique ID (ex. "QUERYPROC").

    4. Create an iRule that parses and loops through this list and dynamically creates the smartaccess filter value.


    when ACCESS_POLICY_AGENT_EVENT {
       set smartaccess ""
       # only run for the iRule event agent whose ID is "QUERYPROC"
       if { [ACCESS::policy agent_id] equals "QUERYPROC" } {
          # memberOf is a pipe-delimited list of group DNs
          set memberOfList [split [ACCESS::session data get session.ad.last.attr.memberOf] "|"]
          foreach x $memberOfList {
             # trim the surrounding whitespace, then look the DN up in the data group
             if { [class match [string trim $x] equals citrix_sa_datagroup] } {
                # append the data group value (the SmartAccess filter) for every match
                append smartaccess [class match -value [string trim $x] equals citrix_sa_datagroup]
             }
          }
          # only set the session variable if at least one group matched
          if { $smartaccess ne "" } {
             ACCESS::session data set session.citrix.smart_access $smartaccess
          }
       }
    }


    This should produce the same value that the smartaccess agent produces in the VPE. I haven't tested this against a Citrix environment yet, so your mileage may vary. The above also won't work if the user is a member of only one group (the primary group). If that's a possibility in your environment, you can also filter on the session.ad.last.attr.primarygroupID or session.ad.last.attr.primarygroup.dn values.
  • Dear Kevin,

    I would say that this would be an elegant and beautiful way to solve the issue. I tried but it does not work from the first shot, which is quite understandable, but I think this is the way of doing it :)))

    The first thing I have seen is that the "session.citrix.smart_access" value is not a string, it is rather an XML value

    for ex: FOO

    Therefore I have changed the datagroup to reflect this like that:

    CN=TEST1_GROUP,CN=Users,DC=MYDOMAIN2K3,DC=COM := FOO

    The only thing though is that I am not seeing the iRule kick in as I watch the session variables and the value "session.citrix.smart_access" is actually missing. My assumption is that the iRule does not kick in. How can I check whether the iRule is kicking in?

    Best Regards,

    Constantin

  • Strange... I can not really post how the datagroup would be but I will try with quotes

    CN=TEST1_GROUP,CN=Users,DC=MYDOMAIN2K3,DC=COM := FOO
  • I hope this time the post is correct

    "CN=TEST1_GROUP,CN=Users,DC=MYDOMAIN2K3,DC=COM := < SessionContextEntry name="Citrix.Condition">FOO"
  • it is rather an XML value

    You're absolutely right. Not sure why I didn't include the XML in the examples above.

    If you've applied the iRule to the virtual server and you have the iRule event agent in the VPE of the access policy, which is also applied to the virtual server, then the iRule above is looking for an event agent ID of "QUERYPROC". When you create the iRules event agent in the VPE, make sure the ID in that agent is in the iRule:

    
    if { [ACCESS::policy agent_id] equals "QUERYPROC" } {
       ...
    }
    

    You don't technically have to do it this way, but it's good form and also allows you to have iRules logic applied at different points in the access policy evaluation.

  • Right, that was the thing... to attach it to the VS and to modify the datagroup with the real XML parameters that Citrix should expect.

    It works beautifully. You are a genius Kevin. Many Thanx.
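An added example that is not part of the thread or of F5's code: a stand-alone Python simulation of the logic in Kevin's iRule (steps 1-4 above) combined with the XML SessionContextEntry form Constantin found later, so the value the rule would write to session.citrix.smart_access can be checked offline, including the primary-group-only case Kevin flags. The data group contents and the memberOf sample are constructed from the values posted above, and the closing </SessionContextEntry> tag is an assumption, since the posts only show the opening tag.

```python
# Added example, not from the thread: simulates the iRule's logic so the
# resulting session.citrix.smart_access value can be checked before deploy.
# The closing </SessionContextEntry> tag is an assumption (the thread only
# shows the opening tag). No BIG-IP APIs are used here.

# Simulates the "citrix_sa_datagroup" data group: AD group DN -> filter name.
CITRIX_SA_DATAGROUP = {
    "CN=TEST1_GROUP,CN=Users,DC=MYDOMAIN2K3,DC=COM": "FOO",
    "CN=TEST2_GROUP,CN=Users,DC=MYDOMAIN2K3,DC=COM": "BAR",
    "CN=TEST3_GROUP,CN=Users,DC=MYDOMAIN2K3,DC=COM": "TEST",
}

# Constructed sample of session.ad.last.attr.memberOf, as shown in the thread.
SAMPLE_MEMBER_OF = (
    "| CN=TEST3_GROUP,CN=Users,DC=MYDOMAIN2K3,DC=COM "
    "| CN=TEST2_GROUP,CN=Users,DC=MYDOMAIN2K3,DC=COM "
    "| CN=TEST1_GROUP,CN=Users,DC=MYDOMAIN2K3,DC=COM "
    "| CN=Domain Users,CN=Users,DC=MYDOMAIN2K3,DC=COM "
    "| CN=Users,CN=Builtin,DC=MYDOMAIN2K3,DC=COM |"
)


def parse_member_of(member_of: str) -> list:
    """Split the pipe-delimited memberOf value into trimmed DNs.

    Mirrors split [...] "|" plus [string trim $x] in the iRule; the empty
    pieces produced by the leading and trailing pipes are dropped.
    """
    return [dn.strip() for dn in member_of.split("|") if dn.strip()]


def smart_access_entry(filter_name: str) -> str:
    """Wrap one filter name in the XML form APM expects for smart_access."""
    return ('<SessionContextEntry name="Citrix.Condition">'
            f"{filter_name}</SessionContextEntry>")


def build_smart_access(member_of: str, primary_group_dn: str = "",
                       datagroup: dict = CITRIX_SA_DATAGROUP) -> str:
    """Return the concatenated smart_access value, "" if nothing matched.

    Each mapped group in memberOf contributes one filter, so a member of two
    mapped groups gets two. If memberOf is empty (user only in the primary
    group, the case Kevin flagged), the primary group DN is looked up instead.
    """
    groups = parse_member_of(member_of)
    if not groups and primary_group_dn:
        groups = [primary_group_dn.strip()]
    return "".join(smart_access_entry(datagroup[g])
                   for g in groups if g in datagroup)
```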