Ldap query from ltm

but the irule is assigned on the virtual server\resources menu. Do I have to assign it using the visual manager?

It shouldn't matter where it is in the visual policy as long as the flow makes sense. It may be simpler at this point to back out and test the LDAP query by itself. If you can create a NEW access profile, please do so and follow these steps:

1. Create your LDAP AAA

2. Create your new access profile and open the visual policy editor

3. Add a Variable assignment agent as the first new item and create a custom session variable. Example:

   session.custom.user = expr { "bob.user" }
   

   Substitute the user with some name you know exists in the LDAP directory.

4. After the Variable assignment, create your LDAP Query agent.

   • AAA server - the LDAP AAA server you just created
   • SearchDN - the DN path where users can be found.

   • SearchFilter - this is the LDAP object you're looking for, based on the previously-created custom variable. Example:

     userPrincipalName=%{session.custom.user}
     

5. Go to the Branch tab of the LDAP Query agent.

   • Change the Name field to something like "Query passed"
   • Click the Change link
   • Click the x in the top right corner to delete the existing expression
   • Click the Add Expression button
   • Agent Sel should be "LDAP Query"
   • Condition should be "LDAP Query Passed"
   • Click the Add Expression button
   • Click Finished
   • Click Save

Set the ending block after the Query passed branch to Allow and test this access policy attached to a VIP. The idea here is that you've short circuited the process to focus on the LDAP query itself. If the query works with the static user value from the custom variable, you should be able to run an access policy report and see all of the LDAP values returned. You then just need to:

• Modify how the custom variable is set - presumably from HTTP request URI data
• Apply this same LDAP query configuration to your original access profile