
SteveD1979
Oct 31, 2022

Sending APM AD Query groups as a header

Hi, I'm setting up an APM with Kerberos auth that also needs to authenticate group membership to the applications. The application owners also need to see which groups the users are members of to know what type of permissions they're assigned. Users could be in multiple groups. I have the Kerberos auth and the AD query working, but the iRule sends all of the groups in the memberOf field as a header and in CN=group,DC=domain,DC=local format. Can anyone help?

This is the iRule I have:

when HTTP_REQUEST_SEND {
    clientside {
        # Pass the raw memberOf attribute and the user name to the backend
        HTTP::header replace GROUPS [ACCESS::session data get session.ad.last.attr.memberOf]
        HTTP::header replace USER [ACCESS::session data get session.ad.last.attr.name]
    }
}

Would something like this work?

 

when HTTP_REQUEST_SEND {
    clientside {
        HTTP::header replace GROUPS {[split [string map [list {| CN=} \0] $s] \0 ] [ACCESS::session data get session.ad.last.attr.memberOf]}
        HTTP::header replace USER [ACCESS::session data get session.ad.last.attr.name]
    }
}

9 Replies
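
One way to reduce the memberOf value to bare group names before it goes into the header, as an added example that is not part of the original post or its replies. It assumes APM stores the multi-valued attribute as a single pipe-separated string of DNs, uses the ACCESS_ACL_ALLOWED event instead of the post's HTTP_REQUEST_SEND, and picks a comma as the output delimiter.

```tcl
# Added example, not the poster's code.
# Assumed format of session.ad.last.attr.memberOf (constructed sample):
#   | CN=App-Admins,OU=Groups,DC=domain,DC=local | CN=App-Users,OU=Groups,DC=domain,DC=local |
when ACCESS_ACL_ALLOWED {
    set member_of [ACCESS::session data get "session.ad.last.attr.memberOf"]
    set groups [list]

    # Split on the pipe separators, then keep only the leading CN of each DN
    foreach dn [split $member_of "|"] {
        set dn [string trim $dn]
        if { $dn eq "" } { continue }

        # The CN value runs to the first unescaped comma ("\," is an escaped comma in a DN)
        if { [regexp -nocase {^CN=((?:\\.|[^,\\])+)} $dn -> cn] } {
            # Undo DN escaping, then strip CR/LF so a group name cannot break out of the header
            regsub -all {\\(.)} $cn {\1} cn
            regsub -all {[\r\n]} $cn {} cn
            lappend groups $cn
        }
    }

    # Remove any GROUPS/USER headers the client sent itself, so the backend
    # only ever sees the values taken from the APM session
    HTTP::header remove GROUPS
    HTTP::header remove USER

    # Delimiter is an assumption; pick one that cannot occur in your group names
    HTTP::header insert GROUPS [join $groups ","]
    HTTP::header insert USER [ACCESS::session data get "session.ad.last.attr.name"]
}
```

Because the backend makes authorization decisions from these headers, it should accept them only on connections that come from the BIG-IP.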