Forum Discussion

Rene_C_'s avatar
Rene_C_
Icon for Nimbostratus rankNimbostratus
May 05, 2014

APM LDAP Query with user-dn

Hi,

i got a very strange case that i'm trying to resolve.

My Setup is as follows: APM Policy with LDAP Query for some User Attributes (this one works correct): - Base: ou=Identities,o=MyCompany - Filter: (usershortname=%{session.logon.last.username}) Additional LDAP Query after the first one to check if a certain field in the groups the user is member of matches a given String. Actually, what i want here is to retrieve all groups the user is a member of get a specific attribute of these groups: - Base: ou=Systems,o=MyCompany - Filter=(&(objectClass=groupOfNames)(member=%{session.ldap.last.attr.dn}))

The second LDAP Query does fail all the time, and i simply dont know why. From the apm-log i see that the query-filter is filled correctly:

: 3e0406ea: LDAP agent: Query: query failed, dn: ou=Systems,o= MyCompany, filter: (&(objectClass=groupOfNames)(member=cn=myusercn,ou=People,ou=Identities,o=MyCompany))

And later it tells me:

3e0406ea: Session variable 'session.ldap./Common/myvhost_act_ldap_query_1_ag.errmsg' set to 'No such object, no matching users found'

Even if i paste the filter into my ldap-client, it resolves correctly and returns the desired result.

So, anyone got a hint for me here? Could it be that some internal encoding takes place which somehow scrambles the dn i insert for the member-filter?

Thanks in advance, Rene

  • I just tested this in 11.5 and didn't see anything specifically wrong with it. It may be worthwhile to test this from the command line on the F5 using the ldapsearch command:

    Query the user:

    ldapsearch -H ldap://x.x.x.x:389 -x -b ou=Identities,o=MyCompany -D administrator@mycompany.com -w 'password' '(usershortname=bill.user)'
    

    Query the group membership info:

    ldapsearch -H ldap://x.x.x.x:389 -x -b ou=Systems,o= MyCompany -D administrator@mycompany.com -w 'password' '(&(objectClass=groupOfNames)(member=cn=myusercn,ou=People,ou=Identities,o=MyCompany))'
    
  • Thanks Kevin, i was not aware (or better, didnt think about it) that ldapsearch is available through the commandline; This way i found out, that my Bind-User for LDAP does simply not have the permissions to query the memberOf-Attribute of the Groups.

     

    Thanks for the heads-up!

     

    Cheers, Rene