For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Florian_Meister's avatar
Florian_Meister
Icon for Nimbostratus rankNimbostratus
Oct 15, 2013

there is another very, very annoying issue concerning the use of %{} in APM elements:

it seems that if using elements like suggessted before

%{session.custom.dnpart0},%{session.custom.dnpart1},%{session.custom.dnpart2}

they get sorted for I don't know what reason ?!?

I want to split the DN and then sort it reverse, so that the most significant part is the element 0 - not the least significant. I want to use that for simply using only X elements of the DN, even if there were more specified. So I can use:

%{session.custom.dnpart2},%{session.custom.dnpart1},%{session.custom.dnpart0}

and simply not use other less significant parts of the DN for searching.

I tried that and had no idea why it was not working. The message was like: 

Oct 15 10:52:16 ras1zh info tmm6[10190]: Rule /Common/portal_ras_access-policy : portal_logon_post: entering ...
Oct 15 10:52:16 ras1zh info tmm6[10190]: Rule /Common/portal_ras_access-policy : portal_logon_post: SearchDN: ou=ABX,ou=Kunden,dc=abxsec,dc=com
Oct 15 10:52:16 ras1zh info tmm6[10190]: Rule /Common/portal_ras_access-policy : portal_logon_post: length = 4
Oct 15 10:52:16 ras1zh info tmm6[10190]: Rule /Common/portal_ras_access-policy : portal_logon_post: entering loop ...
Oct 15 10:52:16 ras1zh info tmm6[10190]: Rule /Common/portal_ras_access-policy : portal_logon_post: session.custom.dnpart0: dc=com
Oct 15 10:52:16 ras1zh info tmm6[10190]: Rule /Common/portal_ras_access-policy : portal_logon_post: session.custom.dnpart1: dc=abxsec
Oct 15 10:52:16 ras1zh info tmm6[10190]: Rule /Common/portal_ras_access-policy : portal_logon_post: session.custom.dnpart2: ou=Kunden
Oct 15 10:52:16 ras1zh info tmm6[10190]: Rule /Common/portal_ras_access-policy : portal_logon_post: session.custom.dnpart3: ou=ABX
Oct 15 10:52:16 ras1zh info tmm6[10190]: Rule /Common/portal_ras_access-policy : portal_logon_post: leaving ...
Oct 15 10:52:16 ras1zh err apd[6742]: 01490110:3: dbd1d089: LDAP module: query with 'uid=axfme02' failed: No such object, dn: dc=com,dc=abxsec,ou=Kunden,ou=ABX scope: 2 filter: uid=axfme02  (32)

as you can see above, I log the elements of the DN. And normally it the search DN should be correct and not reversed. I thought there is a problem with syncing or something like that. I tried to put in the elements one by one in the search-dn field of the LDAP query, and there the variables are used correctly. I also tried to use no "comma" as seperator, instead I used "--" as a seperator. And was really astonished that it substituted the variables correctly.

I was on the right way. I used the following entry in the search DN field:

%{session.custom.dnpart2},%{session.custom.dnpart1},%{session.custom.dnpart0}--

and what happens ? It does not get sorted and would work if there were not this f.... "--" at the end:

Oct 15 10:54:09 ras1zh err apd[6742]: 01490110:3: 3fe6dc68: LDAP module: authentication with 'uid=axfme02' failed: No such object, base: ou=ABX,ou=Kunden,dc=abxsec,dc=com -- scope: 2 filter: uid=axfme02  (32)

I'm really disappointed. Why do F5 think that it needs to do such odd things with MY input ?? I don't want to somehow sort or escape my variables. I want them to be as they are.

Can somebody help here ??

best regards,

Florian