For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

jklemm2000's avatar
jklemm2000
Icon for Nimbostratus rankNimbostratus
Apr 03, 2019

APM variable Assign Convert from HEX to original Format

I am doing an LDAP query which polls ldap for user attributes and I want to take the objectSid attribute and insert it in a header upon policy completion. The issue I am running into is the applicat...
application delivery
BIG-IP Access Policy Manager (APM)
Stanislas_Piro2's avatar
Stanislas_Piro2
Icon for Cumulonimbus rankCumulonimbus
Jan 30, 2020

Hi,

 

You can try this decoding code (you did not convert hex to unsigned integer in revision, countSubAuths and authority)

# Sample binary SID
set attr_objectSid 0x01050000000000050d000000653937086239386436083764370866383205016506630238060000
#set attr_objectSid [mcget {session.ldap.last.attr.objectSid}] 
 
 if { [string range $attr_objectSid 0 1 ] == "0x" } { 
     set objectSid [binary format H* [string range $attr_objectSid 2 end]]
 
    # Exctract static data
    # - Revision (1 byte --> c )
    # - countSubAuths (1 byte --> c )
    # - authorityhex (48 bits Big Indian --> H12 ; binary scan only supports 1/2/4/8 bytes so a converstion to Hex is required)
 
    binary scan $objectSid ccH12 revision countSubAuths authorityhex
    # Convert signed values to unsigned
    set revision [expr {$revision & 0xff}]
    set countSubAuths [expr {$countSubAuths & 0xff}]
    # Convert authorityhex to unsigned Integer
    scan $authorityhex {%x} authority
 
    # Extract Sub authorities
    # - subauth : List of Sub authorities (4 bytes Little Indian --> i )
    binary scan $objectSid @8i${countSubAuths} subauth
 
    # Build a list of SID Elements
    set result [list "S" $revision $authority]
    foreach val $subauth {
        # Insert each Sub authority value as unsigned value
        lappend result [expr {$val & 0xffffffff}]
    }
    # Return joined SID Elements list with dash separator
    puts [join $result "-"]
    #return [join $result "-"]
 }

 

  • ebeng's avatar
    ebeng
    Icon for Nimbostratus rankNimbostratus
    Feb 24, 2022

    Hi mate, 

    can you check your code, it seems to be all pasted in one line now, cant get it to work 😞

    What about if we need to have the ObjectGUID as well? 

    when we need to convert the base64, which the F5-retrieves, with an LDAP-search we do the following:

    echo <<>>|base64 -d -i|hexdump -e  '1/1 " %02x"'|awk '{print $4$3$2$1"-"$6$5"-"$8$7"-"$9$10"-"$11$12$13$14$15$16}'

    Any how we can do this? within the APM policy?

    I would like to get the ObjectGUID, as shown in the AD, to use it in the APM. 

    any help would be appreciated. 

    • BarrettK's avatar
      BarrettK
      Icon for Nimbostratus rankNimbostratus
      Mar 05, 2024

      Hi ebeng, did you happen to get this one figured out? I'm also needing to use the ObjectGUID in APM as a string to send it in a SAML assertion.

      • ebeng's avatar
        ebeng
        Icon for Nimbostratus rankNimbostratus
        Mar 08, 2024

        Unfortunately, I'm sending it out as the HASH BASE64 code key value.