LDAP Group Resource Assign - not working - APM 11.6 HF6

Question

I have a portal access policy that allows the user to authenticate into the portal but when the LDAP Group Resource Assign assigns the Group (LDAP Room 999999)  the user receives "denied by access policy".  The user is actually in a LDAP room versus a LDAP Group so my syntax may be incorrect.&nbsp;
This is what i have configured to use to try to use LDAP Group/Room:
expr { [mcget {session.ldap.last.attr.roomNumber}] contains  [mcget {session.aa.room}] }&nbsp;
It may be that LDAP rooms are not the same as LDAP Groups or i believe TAC was telling me to change the expression but not sure how to do that.&nbsp;
Any ideas are greatly appreciated.&nbsp;

josiah_39459 · Answer

I would suggest using the sessiondump command or viewing the session report to make sure those variables are being set the way you expect.  There is nothing wrong with the TCL expression you have written, so you need to verify those variables contain the values you expect them to.

Forum Discussion

LDAP Group Resource Assign - not working - APM 11.6 HF6

1 Reply

F5 Container Ingress Services (CIS) and using k8s traffic policies to send traffic directly to pods

F5 Architecture Track Sessions - AppWorld 2026

Recent Discussions

Resetting to Factory Default

sslprovide (--f5 ssl) does not generate CLIENT/SERVER_TRAFFIC_SECRET on server-side TLS traffic

Issue with IIS and Client Component Service Load balancing

Syslog Filter Configuration for Separating Audit and LTM logs.

Use F5 APM as Forward Proxy

Related Content

DevCentral Resources

APM variable assign examples

Overview of MITRE ATT&CK Tactic: TA0042 – Resource Development

SSO Resource Assignment

F5 Resources for COVID-19

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS