Forum Discussion

Peter_Baumann
Oct 30, 2013

APM LDAP Query for Group Member?

Hi all, since we're using a standard LDAP Server with DNs of ou=People and ou=Groups, I try to get the Group Membership of a specific user with an LDAP Query. The Group entry in the LDAP is of objectClass "GroupOfNames" and has a member attribute. It seems that with the standard LDAP Query Box in the Branch Rules I can select "User is a member of", but this seems only to support the AD memberOf attribute to search for. So is it that the LDAP Query Box is built only for querying AD with LDAP?

I'm looking now for the possibility to get the Group Membership of a generic LDAP with the above objectClass of "GroupOfNames".

Any hints or examples how to get this with an APM Policy?

Many thanks

Best regards, Peter

 

  • Hi Peter,

    First of all, which release is your BIGIP? On 11.4, there is a very easy way to do that. You can use the box "LDAP group assign".

    Prior to 11.4, you need to do a standard LDAP query to get the attributes, and add a Full resource assign box which checks this value. It is an APM variable.

    Let me know. Matt

  • Yes, here you are.

    First, make a full query, in order to check if the attribute is saved:

    2nd, make a full resource assign with an expression (you can use "contains", "==", "ends_with"...):

    Example of a complete "full resource assign"

    You can check your variables in Access Policy > Reports. Have a look into ldap.last.attr.

    Hope this helps.

  • Cool!

    Many thanks!

    Thanks to your example I found a way to figure out membership of Groups:

    First I'm doing a query to get the user DN via a uid query:

    And then with the second query I'm checking the Group with %{session.ldap.last.attr.dn}:

    After this I do the Full Resource Assign you mentioned.

    Thanks for your help!

    Best regards,

    Peter

  • For the images, the workaround is to copy "/Portals.......png", paste it into a browser but place https://devcentral.f5.com in front of it. Should look something like https://devcentral.f5.com/Portals......png
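The screenshots of the two LDAP queries are not in the thread, so here is an added Python example (not from the original post or from F5) that models Peter's two-step approach against a small constructed in-memory directory: query 1 resolves the uid to the user DN (the value APM stores in session.ldap.last.attr.dn), query 2 finds every groupOfNames entry whose member attribute contains that DN. The attribute names, the base DNs under dc=example,dc=com, the objectClass inetOrgPerson for people and the sample entries are all assumptions. The point worth taking from it is that the uid (which comes from the logon page) must be escaped per RFC 4515 before it is placed in a filter; the same applies to the DN substituted into the second query.

```python
import re

# Constructed sample directory (assumption, not data from the thread):
# an ou=People tree and an ou=Groups tree of groupOfNames entries.
DIRECTORY = {
    "uid=pbaumann,ou=People,dc=example,dc=com": {
        "objectClass": ["inetOrgPerson"], "uid": ["pbaumann"]},
    "uid=mjones,ou=People,dc=example,dc=com": {
        "objectClass": ["inetOrgPerson"], "uid": ["mjones"]},
    "cn=admins,ou=Groups,dc=example,dc=com": {
        "objectClass": ["groupOfNames"], "cn": ["admins"],
        "member": ["uid=pbaumann,ou=People,dc=example,dc=com"]},
    "cn=vpn-users,ou=Groups,dc=example,dc=com": {
        "objectClass": ["groupOfNames"], "cn": ["vpn-users"],
        "member": ["uid=pbaumann,ou=People,dc=example,dc=com",
                   "uid=mjones,ou=People,dc=example,dc=com"]},
}

PEOPLE_BASE = "ou=People,dc=example,dc=com"   # assumed search bases
GROUPS_BASE = "ou=Groups,dc=example,dc=com"


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping: the characters that would otherwise change the
    structure of a search filter become \\XX hex escapes."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch
                   for ch in value)


def user_filter(uid: str) -> str:
    """Query 1: find the person entry for a uid taken from the logon page."""
    return "(&(objectClass=inetOrgPerson)(uid=%s))" % escape_filter_value(uid)


def group_filter(user_dn: str) -> str:
    """Query 2: groupOfNames entries listing the resolved DN as a member.
    In APM this is where %{session.ldap.last.attr.dn} would be substituted."""
    return "(&(objectClass=groupOfNames)(member=%s))" % escape_filter_value(user_dn)


def _unescape(value: str) -> str:
    # Turn \XX escapes back into literal characters for comparison.
    return re.sub(r"\\([0-9a-fA-F]{2})",
                  lambda m: chr(int(m.group(1), 16)), value)


def _components(body: str) -> list:
    """Split '(a=b)(c=d)' into its parenthesised components."""
    parts, depth, start = [], 0, 0
    for i, ch in enumerate(body):
        if ch == "(":
            if depth == 0:
                start = i
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth == 0:
                parts.append(body[start:i + 1])
    return parts


def matches(entry: dict, filt: str) -> bool:
    """Minimal evaluator for the filter subset used here: equality and AND.
    Comparison is case-insensitive, as it is for DNs and most LDAP strings."""
    body = filt[1:-1]
    if body.startswith("&"):
        return all(matches(entry, p) for p in _components(body[1:]))
    attr, _, value = body.partition("=")
    value = _unescape(value).lower()
    return any(v.lower() == value for v in entry.get(attr, []))


def search(directory: dict, base: str, filt: str) -> list:
    """Subtree search: DNs under `base` whose entry matches `filt`."""
    return [dn for dn, entry in directory.items()
            if dn.lower().endswith(base.lower()) and matches(entry, filt)]


def groups_for_uid(directory: dict, uid: str) -> list:
    """Two-query membership lookup; returns the cn of each matching group."""
    people = search(directory, PEOPLE_BASE, user_filter(uid))
    if len(people) != 1:
        return []          # unknown or ambiguous uid: grant nothing
    user_dn = people[0]    # the value APM keeps in session.ldap.last.attr.dn
    groups = search(directory, GROUPS_BASE, group_filter(user_dn))
    return sorted(directory[g]["cn"][0] for g in groups)


if __name__ == "__main__":
    for uid in ("pbaumann", "mjones", "nobody"):
        print(uid, "->", groups_for_uid(DIRECTORY, uid))
    print(user_filter("*)(uid=*"))   # structural characters arrive escaped
```

The group list that comes back is what the Full Resource Assign expression would test with "contains" or "==" on session.ldap.last.attr.* in the policy; on a real server the two search() calls are the two LDAP Query boxes, with the second one's filter written as (&(objectClass=groupOfNames)(member=%{session.ldap.last.attr.dn})).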