For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

umiotoko_95283's avatar
umiotoko_95283
Icon for Nimbostratus rankNimbostratus
Jun 05, 2012

Custom variable from LDAP

I have a VIP with APM using LDAP (Windows 2008 AD) for authentication, this much works fine. I need to grab some AD fields through the LDAP call and provide it to the application.

 

 

My thought was to use the custom variable feature in APM, create a customVariable.ldap."field-name" variable, then through an iRule, create a HTTP header "X-Application-"Field-name" and pass it on to the application.

 

 

My APM rule has a logon page, LDAP Auth, assign variable, then Allow.

 

 

I tried using Variable Assign (both secure, unsecure)

 

where customVariable.ldap.department = AAA atribute, agent LDAP, use KDAP attribute "department" .

 

 

This doesn't appear to work, if I check the user session report I see the custom variable, but it's always blank.

 

 

I'm not sure this is the best way to get at the data, so any suggestions would be appreciated.

 

app sec
BIG-IP Access Policy Manager (APM)
security

2 Replies

  • umiotoko_95283's avatar
    umiotoko_95283
    Icon for Nimbostratus rankNimbostratus
    Jun 20, 2012
    OK, figured it out. APM log rule was LogonPage-->LDAPAuth-->Allow.

     

     

    The LDAP fields are not brought over unless a LDAPquery is used, so modifying the rule to:

     

     

    LogonPage-->LDAPAuth-->LDAPQuery---> Allow.

     

     

    Fixed the problem. I didn't need the LDAPquery here, but by inserting it (member of domain users) we get all the LDAP fields back, so it was just a process problem. Doh !