Forum Discussion
R__Clark_149098
Altocumulus
AltocumulusLDAP Query for Attribute
I apologize if this has been covered in a different article, but I have not been able to find anything that I've had success with.
In my environment, a user's DistinguishedName is totally unique, ...
I ultimately got this working by creating an LDAP Query action, I used the following as a SearchFilter:
(SamAccountName=%{session.logon.last.username})I set DistinguishedName as a required attribute so that I was able to use it later. These are case sensitive when you try to use them in Variable Assigns, so make sure to check the session variables after a login attempt if things aren't working.
The format of my LDAP users DN is CN=Bob\, Smith... or CN=Bob... so I had to cover both cases. The F5 adds an extra slash to the session variable to make it a literal slash in TCL (my guess). I had to create a variable assign to remove that extra slash so when it's sent to the LDAP server it understands it.
This was the expression field of my variable assign:
set dn "[mcget {session.ldap.last.attr.dn}]" if {[string first "\\" $dn] != -1} { return [string map {\\\\ \\} $dn] } else { return $dn }Finally I created an LDAP auth action with the following in the UserDN. SearchDN and SearchFilter are empty.
I had to open a case with F5 to figure out how to not send hex to my LDAP server. They key is the :noconv function.
%{dn:noconv}After this authentication worked!!
R__Clark_149098Altocumulus
AltocumulusJust out of curiosity why is hex sent to the LDAP server when the session variable does not contain hex? It's confusing when you have to fight with this when it appears as though the session variable is correct.
I wouldn't need a variable assign at all if the F5 sent the authentication string how the distinguishedName session variable appears in the UI.