How to keep only the value of "CN" part in session.ldap.last.attr.memberOf

Question

Hi all,&nbsp;
I have been reading around here on devcentral and I did found some articles which I tried out , but I can't get this to work.
We have an ldap server which responds with group names, and we only want to keep the value of the first CN.
I have followed the article below, but when it runs, all I get is "Rule evaluation failed with error: can't read "Groups": no such variable". &nbsp;
Ref.: https://devcentral.f5.com/questions/how-to-get-group-name-cn-from-sessionadlastattrmemberof-51188&nbsp;
| CN=123456789,ou=customers,ou=Groups,dc=example,dc=com | CN=webapp,ou=applications,ou=Groups,dc=example,dc=com |&nbsp;
In the example above, I only want to keep the value of the first CN (123456789), and save that value to variable (which in turn I will use in a header for the backend). The CN value is different for each user.&nbsp;

stanislas_piro2 · Answer

Look at this article:
https://devcentral.f5.com/codeshare/apm-variable-assign-examples-1107
use this variable assign:
set group_name[split [lindex [mcget {session.ldap.last.attr.memberOf}] 0] ",="]; 
foreach {name value} $group_name{
    if {[string trim $name] equals "CN"} { 
        return [string trim $value]; 
    } 
}

kai_wilke · Answer

Hi Jim,
if your CN values MAY contain escaped comma signs (aka. $1 sequence), then use one of the code snippet(s) below. The snippet(s) will check for those escaped comma signs and take care of them...
Short but difficult to understand snipped:
set group_string [mcget "session.ldap.last.attr.memberOf "] ;
if { $group_string contains "\," } then {
    return [string map { "" "\," } [string range [set escaped_group_string [string map { "\," "" } $group_string]] [expr { [string first "CN=" $escaped_group_string] + 3 }] [expr { [string first "," $escaped_group_string] -1 }]]] ;
} else {
    return [string range $group_string [expr { [string first "CN=" $group_string] + 3 }] [expr { [string first "," $group_string] -1 }]] ;
} ;

Long but easy to understand snipped:
set group_string [mcget "session.ldap.last.attr.memberOf "] ;
if { $group_string contains "\," } then {
    set escaped_group_string [string map { "\," "" } $group_string];
    set string_start [expr { [string first "CN=" $escaped_group_string] + 3 }] ;
    set string_stop [expr { [string first "," $escaped_group_string] -1 }] ;
    set escaped_result_string [string range $escaped_group_string $string_start $string_stop] ;
    set result_string [string map { "" "\," } $escaped_result_string] ;
    return $result_string ;
} else {
    set string_start [expr { [string first "CN=" $group_string] + 3 }] ;
    set string_stop [expr { [string first "," $group_string] -1 }] ;
    set result_string [string range $group_string $string_start $string_stop] ;
    return $result_string ;
} ;

Cheers, Kai

Forum Discussion

How to keep only the value of "CN" part in session.ldap.last.attr.memberOf

2 Replies

F5 Architecture Track Sessions - AppWorld 2026

Recent Discussions

Failing over Virtual F5 VE to DR location using Zerto

Failing over of a Virtual F5 configuration to another location using Zerto restore process

F5 Networks F5CAB1 Exam - Need Help Regarding Prep

Username is not filled in EdgeClient in the Modern customization

The GSLB pool is providing an incorrect IP to end users

Related Content

HTTPS Routing based on Client Certificates values with F5 Distributed Cloud

Parameter Value - Regular Expression

APM Cookbook: Modify LDAP Attribute Values using iRulesLX

iRule Checking for No Value

iRule to Remove Duplicate Header by Value

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS