LDAP query for machine account?
Well...
That should also be possible. If you look at what session.windows_info_os.last.computer returns, you'll probably see something like this:
|SP3|SP3|MYDOMAIN.COM|SP3.MYDOMAIN.COM|SP3|SP3|MYDOMAIN.COM|SP3.MYDOMAIN.COM|
Not entirely useful as a query itself, considering the computer's object attributes might be any one of these. Example:
cn = SP3
dNSHostName = SP3.MYDOMAIN.COM
sAMAccountName = SP3$
So the first thing we need to do is settle on which object attribute to use, and then which value to use from the returned Windows Info agent. For this example I'll use the fully qualified name:
when RULE_INIT {
    # Domain suffix used to pick the FQDN out of the Windows Info list (lowercase, with leading dot)
    set static::THIS_DOMAIN ".mydomain.com"
}
when ACCESS_POLICY_AGENT_EVENT {
    # Raw value looks like |SP3|SP3|MYDOMAIN.COM|SP3.MYDOMAIN.COM|...; lowercase it so the suffix match is case-insensitive
    set computer [string tolower [ACCESS::session data get session.windows_info_os.last.computer]]
    foreach x [split $computer "|"] {
        # Leading/trailing pipes produce empty entries; these never match the suffix, so no special handling is needed
        if { $x ends_with $static::THIS_DOMAIN } {
            # Stage the single FQDN in a session variable for the LDAP Query agent, then stop at the first match
            ACCESS::session data set session.windows_info_os.last.fqdn $x
            return
        }
    }
}
This should return the fully qualified name from that list of names. Now modify the visual policy:
1. Windows Info agent (I stripped all of the branches out)
2. iRule Event agent (to process the above rule)
3. LDAP Query:
a. Server: previously-created LDAP AAA server
b. SearchDN = path to computer objects (ex. cn=Computers, dc=MYDOMAIN, dc=COM)
c. SearchFilter: dNSHostName=%{session.windows_info_os.last.fqdn}
d. Required Attributes (as required)
e. Modify the branch rule, replace existing with LDAP Query has Passed
The iRule will extract a single computer name value from the Windows Info agent, and set a temporary variable to stage the LDAP query. The LDAP query will look in the computer DN path for dNSHostName and return success (and a list of LDAP attributes), or fail.
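The selection logic above, modelled offline in Python as an added example (not iRule code and not from the original post), so the extraction step can be checked against sample input before it goes into a policy. The sample pipe-delimited string is constructed from the value quoted above. Beyond the iRule, it validates that the chosen entry has the shape of a hostname and applies RFC 4515 escaping before the value is placed in the search filter; both are added caution on my part, since the iRule substitutes the session variable into the filter as-is.

```python
import re

# Constructed sample of what session.windows_info_os.last.computer returns (from the post)
SAMPLE_COMPUTER = "|SP3|SP3|MYDOMAIN.COM|SP3.MYDOMAIN.COM|SP3|SP3|MYDOMAIN.COM|SP3.MYDOMAIN.COM|"
THIS_DOMAIN = ".mydomain.com"  # same role as static::THIS_DOMAIN in the iRule

# Hostname shape: dot-separated labels of [a-z0-9-], no leading/trailing hyphen, at least one dot
_FQDN_RE = re.compile(r"[a-z0-9]([a-z0-9-]*[a-z0-9])?(\.[a-z0-9]([a-z0-9-]*[a-z0-9])?)+")

# RFC 4515 escapes for characters that are special inside an LDAP search filter value
_FILTER_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}


def pick_fqdn(computer_value: str, domain_suffix: str = THIS_DOMAIN):
    """Mirror the iRule: lowercase, split on '|', return the first entry ending with the domain suffix."""
    for entry in computer_value.lower().split("|"):
        # Empty entries come from the leading/trailing pipes and never match
        if entry and entry.endswith(domain_suffix):
            return entry
    return None


def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP filter (RFC 4515)."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_computer_filter(computer_value: str, domain_suffix: str = THIS_DOMAIN):
    """Return the dNSHostName filter the LDAP Query agent would use, or None if no safe FQDN was found."""
    fqdn = pick_fqdn(computer_value, domain_suffix)
    # Reject anything that is not a plain hostname (e.g. '*' or parentheses), so the filter can only match one object
    if fqdn is None or not _FQDN_RE.fullmatch(fqdn):
        return None
    return f"(dNSHostName={escape_filter_value(fqdn)})"


if __name__ == "__main__":
    print(pick_fqdn(SAMPLE_COMPUTER))            # sp3.mydomain.com
    print(build_computer_filter(SAMPLE_COMPUTER))  # (dNSHostName=sp3.mydomain.com)
```

Running it against the sample value yields `sp3.mydomain.com` and the filter `(dNSHostName=sp3.mydomain.com)`; a list with no entry in the domain yields no filter, which corresponds to the "LDAP Query has Passed" branch not being taken.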