Forum Discussion
Sending APM AD Query groups as a header
Hi, I'm setting up an APM with Kerberos auth that also needs to authenticate group membership to the applications. The application owners also need to see which groups the users are members of to know what type of permissions they're assigned. Users could be in multiple groups. I have the Kerberos auth and the AD query working, but the iRule sends all of the groups in the memberOf field as a header and in CN=group,DC=domain,DC=local format. Can anyone help?
This is the iRule I have:
when HTTP_REQUEST_SEND {
    clientside {
        # both headers belong inside the clientside block; the original closed it one line early
        HTTP::header replace GROUPS [ACCESS::session data get session.ad.last.attr.memberOf]
        HTTP::header replace USER [ACCESS::session data get session.ad.last.attr.name]
    }
}
Would something like this work?
when HTTP_REQUEST_SEND {
    clientside {
        # memberOf is multi-valued; APM joins the group DNs with " | ", so split on the pipe
        set groups [list]
        foreach dn [split [ACCESS::session data get session.ad.last.attr.memberOf] "|"] {
            # keep only the CN value of each group DN, dropping the OU/DC components
            if { [regexp -nocase {CN=([^,]+)} $dn -> cn] } { lappend groups $cn }
        }
        HTTP::header replace GROUPS [join $groups ","]
        HTTP::header replace USER [ACCESS::session data get session.ad.last.attr.name]
    }
}
Better play and test to make it work, as I have not done this myself, but you can also try session.ad.last.attr.primaryGroupID https://techdocs.f5.com/en-us/bigip-15-0-0/big-ip-access-policy-manager-visual-policy-editor/per-request-policy-item-reference/about-per-req-authentication-items/about-ad-group-lookup.html
Other than that, to make it more secure, better use F5 Bearer SSO JWT sign-in than an HTTP header, as F5 can provide the groups in the JWT token that is signed by an F5 cert that the applications can also have.
- SteveD1979 (Cirrostratus)
The only thing is I'm not using the primary group. I'm changing the branch rule to branch rule 1 CN=AD group I'm checking against for membership and permissions to the application.
SteveD1979 - I have marked "Accept As Solution" on Nikoolayy1's response. It appears correct and doing so will help others better discover his solution.
If you think this is wrong, feel free to correct me here.
To unselect as solution go to the options dropdown in the reply and choose "Not The Solution".
- Scot_JC (Employee)
Hi,
Such a piece of code should work (HTTP_REQUEST_RELEASE is valid, too) and, taking for granted the group membership piece of data does not violate the HTTP RFC (syntax, size, ...), I'd suggest we try removing the directive "clientside".
Otherwise, the perRequest policies come with the "HTTP Headers" agents that should do just that!
- buulam (Admin)
Hi SteveD1979, did you have any feedback after this reply from Scot_JC?
- SteveD1979 (Cirrostratus)
No, I still don't have this working. Sorry, I had other projects going on. This is my iRule right now and it will send all of the memberOf in CN=, DN=, DN= format. The header is just too long. I'm trying to figure out a way to split it with an iRule or if I have to create a custom variable in the VPE and call that.
when ACCESS_ACL_ALLOWED {
    HTTP::header replace USERID [ACCESS::session data get session.logon.last.username]
    HTTP::header replace GROUPS [ACCESS::session data get session.ad.last.attr.memberOf]
}
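Added example, not from the thread or from F5: a Python reference for what the iRule has to do with session.ad.last.attr.memberOf before it goes into a header. It assumes APM joins the multi-valued attribute with " | " and that each group DN starts with its CN; the memberOf value is constructed. It also handles RFC 4514 escaped commas inside a group name, which a plain split on "," would break, and shows the membership check the branch rule performs.

```python
import re
from typing import Optional

# Assumption: APM exposes multi-valued AD attributes as one string with the
# values separated by " | ".
APM_SEPARATOR = " | "

# Constructed sample, shaped like what the iRule reads from the session.
# Includes a duplicate entry and a group name with an escaped comma.
SAMPLE_MEMBEROF = (
    "CN=App Admins,OU=Groups,DC=domain,DC=local | "
    "CN=Smith\\, Team,OU=Groups,DC=domain,DC=local | "
    "CN=App Admins,OU=Groups,DC=domain,DC=local | "
    "CN=Read Only,OU=Groups,DC=domain,DC=local"
)


def rdn_value(dn: str, attr: str = "CN") -> Optional[str]:
    """Return the value of the leading RDN named `attr`, or None if absent.

    A backslash-escaped character (e.g. "\\,") is part of the value, so the
    pattern consumes "\\x" pairs before it stops at an unescaped comma.
    """
    m = re.match(rf"{attr}=((?:\\.|[^,])*)", dn.strip(), flags=re.IGNORECASE)
    if not m:
        return None
    # Drop the escaping so the header carries the real group name.
    return re.sub(r"\\(.)", r"\1", m.group(1)).strip()


def memberof_to_groups(memberof: str) -> list[str]:
    """Reduce an APM memberOf string to unique group CNs, order preserved."""
    groups: list[str] = []
    for dn in memberof.split(APM_SEPARATOR):
        cn = rdn_value(dn)
        if cn and cn not in groups:
            groups.append(cn)
    return groups


def groups_header(memberof: str) -> str:
    """Compact GROUPS header value; "|" is used because a CN may contain ","."""
    return "|".join(memberof_to_groups(memberof))


def is_member(memberof: str, group_cn: str) -> bool:
    """Case-insensitive check against one group CN, as the VPE branch rule does."""
    return group_cn.casefold() in {g.casefold() for g in memberof_to_groups(memberof)}
```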