Forum Discussion

Nova_201357's avatar
Nova_201357
Icon for Nimbostratus rankNimbostratus
Mar 28, 2016

APM Dynamic ACL assignment from AD

Greetings! I had a static ACL applied to a Network Access Resource. In testing static assignment, it worked fine. So I took the same logic and formatted as a F5 ACL, put it in AD, in the test acc...
BIG-IP Access Policy Manager (APM)
dynamic acl
security
Nova_201357's avatar
Nova_201357
Icon for Nimbostratus rankNimbostratus
Mar 28, 2016

Hey there,

 

So for anyone who tried this, Brad is right. The ACL must be a single string with all the ACEs concatenated together. In my case, I had to clear out the AD attribute and paste the properly formatted ACL for it to work.

 

Thanks for the tips Brad!

 

BTW, F5 should consider documenting things like that!

 

Cheers, Mike

 

  • Lucas_Thompson_'s avatar
    Lucas_Thompson_
    Historic F5 Account
    Mar 28, 2016
    Where do you think the best place would be to document it? This question comes up sometimes when people put characters like CRLF, or other things that don't translate well to session variables which are plain one-line ascii. In that case, it's auto-transformed to hex encoding.
  • Walter_Kacynsk1's avatar
    Walter_Kacynsk1
    Icon for Nimbostratus rankNimbostratus
    Mar 29, 2016
    I would settle on the fact to document how Dynamic ACLs should be represented in AD/LDAP within the product documentation. Information on these are scarce to say the least. However their power is great in that group management is already externalized, so it would make sense to pair the ACLs with the group assignments.
  • Nova_201357's avatar
    Nova_201357
    Icon for Nimbostratus rankNimbostratus
    Mar 30, 2016
    I'd update this: https://support.f5.com/kb/en-us/products/big-ip_apm/manuals/product/apm-implementations-11-5-0/2.htmlconceptid Just add a caveat or a link to a sol doc that goes into greater detail. Thanks, Mike