Forum Discussion
How to do an AD query sending UPN to AD, and have AD return the "short" name that I can use to authenticate against ldap with
Hi Mark, Walter is right, although we've found that the APM LDAP Query action works best for this. You need to set up a query against your AAA server where the search filter is (sAMAccountName=%{session.logon.last.username}) and the required attributes are distinguishedName, sAMAccountName, and userPrincipalName. The searchDN should be the base OU where the users are located.
Then, you use a Variable Assign action to set the required variables:
Variable: session.logon.last.domain
Expression: expr { [string toupper [string map -nocase {,dc= .} [string range [mcget {session.ldap.last.attr.distinguishedName}] [expr [string first ",DC=" [mcget {session.ldap.last.attr.distinguishedName}] 0] +4] end ] ] ]}
Variable: session.logon.last.username
Expression: mcget {session.ldap.last.attr.sAMAccountName}
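The Tcl expressions above are opaque at first read, so here is an added Python walk-through (not code from the thread or from F5) that reproduces what the Variable Assign does with the attributes the LDAP Query returns: derive the NetBIOS-style domain from the distinguishedName and swap the logon name for sAMAccountName. It goes a little beyond the thread's filter by choosing the lookup attribute from the typed logon name and by RFC 4515-escaping that value before it is interpolated into the filter; the sample attribute values are constructed placeholders.

```python
import re

# Constructed sample of what APM exposes in session.ldap.last.attr.* after the
# LDAP Query action (placeholder values, not taken from the original thread).
SAMPLE_ATTRS = {
    "distinguishedName": "CN=Jane Doe,OU=Staff,DC=corp,DC=example,DC=com",
    "sAMAccountName": "jdoe",
    "userPrincipalName": "jdoe@corp.example.com",
}


def domain_from_dn(dn: str) -> str:
    """Mirror the Tcl expression: keep everything after the first ",DC=",
    turn the remaining ",DC=" separators into dots and upper-case the result."""
    idx = dn.find(",DC=")            # Tcl 'string first' is case-sensitive
    if idx < 0:
        return ""                    # no domain components: leave the variable empty
    tail = dn[idx + 4:]              # the Tcl '+4' skips the ",DC=" itself
    return re.sub(r",dc=", ".", tail, flags=re.IGNORECASE).upper()


def ldap_filter_escape(value: str) -> str:
    """RFC 4515 escaping for a value placed inside a search filter, so a
    user-supplied logon name cannot change the structure of the filter."""
    return "".join("\\%02x" % ord(ch) if ch in "*()\\\x00" else ch
                   for ch in value)


def build_filter(logon_name: str) -> str:
    """Search by userPrincipalName when the user typed a UPN, otherwise by
    sAMAccountName (the thread's filter uses only the latter)."""
    attr = "userPrincipalName" if "@" in logon_name else "sAMAccountName"
    return f"({attr}={ldap_filter_escape(logon_name)})"


def logon_variables(attrs: dict) -> dict:
    """The two session variables the Variable Assign action sets."""
    return {
        "session.logon.last.domain": domain_from_dn(attrs["distinguishedName"]),
        "session.logon.last.username": attrs["sAMAccountName"],
    }


if __name__ == "__main__":
    print(build_filter(SAMPLE_ATTRS["userPrincipalName"]))
    print(logon_variables(SAMPLE_ATTRS))
```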
Mark_Cloutier, Jul 14, 2015 (Nimbostratus):
Just to confirm, the AAA server I run this LDAP query against has to be one of the AD servers, right? The Oracle Access Manager LDAP server that I use for authentication doesn't know anything about UPN, hence the dilemma. Please be patient with an experienced LTM guy who is very inexperienced with APM, LDAP and AD :) Mark
mikeshimkus_111, Jul 14, 2015 (Historic F5 Account):
Yes, it needs to be an AD server.