Forum Discussion
Sending APM AD Query groups as a header
Hi SteveD1979 did you have any feedback after this reply from Scot_JC ?
No, I still don't have this working. Sorry, I had other projects going on. This is my iRule right now, and it will send all of the memberOf in CN=, DN=, DN= format. The header is just too long. I'm trying to figure out a way to split it with an iRule or if I have to create a custom variable in the VPE and call that.
when ACCESS_ACL_ALLOWED {
    # Runs for every request that passes the APM ACL; both values are read from the session store.
    HTTP::header replace USERID [ACCESS::session data get session.logon.last.username]
    # memberOf is the raw multi-valued attribute, i.e. every full group DN, which is what makes the header so long.
    HTTP::header replace GROUPS [ACCESS::session data get session.ad.last.attr.memberOf]
}
- Leslie_Hubertus, Feb 17, 2023 (Ret. Employee)
Not sure if this is more in Lucas_Thompson's wheelhouse, or JRahm, or Kai_Wilke, but tagging them all just in case.
- Kai_Wilke, Feb 18, 2023 (MVP)
All of your tagged guys could have answered the question. So first come first served... 😉
Cheers, Kai
- Kai_Wilke, Feb 18, 2023 (MVP)
Hi Steve,
you may run either a variable assignment or a custom iRule event within your VPE Session Policy to build a tailored group string matching your needs. You may:
- Filter the groups by name, so that only important groups (e.g. a specific name prefix/suffix, baseDN) will be delegated to your back-end.
- Truncate any fully qualified DN information
- Combine memberOf and primary group into one string.
- Remove any LDAP specific encodings from group names.
- Convert HEX to URI encoding for groups containing non-ASCII characters.
Note: The decision to use variable assignment or iRule events is based on the complexity of the processing. iRule events support a more flexible TCL syntax with lots of useful commands added by F5 (e.g. b64encode/URI::encode, findstr/substr, etc.). Variable assignment expressions are basically pure TCL language with a limited and slightly more complex command set.
The idea of performing such processing within the VPE Session Policy is that you perform this heavy lifting just once for a given user session and then simply inject the pre-computed information on a per-request basis, either via iRule code (e.g. ACCESS_ACL_ALLOWED), via a VPE Per-Request Policy or via JWT-SSO (which Nikoolayy1 has recommended), without CPU-intensive processing.
Let me give you an example of how I've used a VPE expression in the past to compute a tailored group string:
VPE Variable Assignment:
Variable Name:
session.logon.last.truncated_groups
VPE Expression:
set memberOf [mcget {session.ad.last.attr.memberOf}]
set primarydn [mcget {session.ad.last.attr.primarygroup.dn}]
set primarymemberOf [mcget {session.ad.last.attr.primarygroup.memberOf}]
# Initialise the accumulators so the checks below never hit an unset variable.
set in_groups ""
set out_groups [list]
if { $memberOf ne "" } then { append in_groups $memberOf }
if { $primarydn ne "" } then { append in_groups "|${primarydn}|" }
if { $primarymemberOf ne "" } then { append in_groups $primarymemberOf }
if { $in_groups ne "" } then {
    # Protect "%" and escaped commas before splitting, then normalise the " | " separators APM uses to a single "|".
    foreach group [split [string map [list "%" "%25" {\,} "%5C%2C" " || " "|" " ||" "|" "|| " "|" " | " "|" " |" "|" "| " "|"] $in_groups] "|"] {
        # Keep only the value of the leading RDN, i.e. the text between the first "=" and the first ",".
        lappend out_groups [string range $group [expr { [string first "=" $group] + 1 }] [expr { [string first "," $group] - 1 }]]
    }
    # Drop empty entries, de-duplicate, restore the protected characters and join with "|".
    set out_groups [string map [list "%5C%2C" {\,} "%25" "%"] [join [lsort -unique [lsearch -all -inline $out_groups "*?*"]] "|"]]
    return $out_groups
} else {
    return ""
}
Note: Keep in mind that a Group CN isn't a unique value in an AD infrastructure. Best practice is that the CN should match the actual Pre-Win2000 Group Name (this value is unique) so that you could safely truncate the DN notation. But you never know how creative your AD admins are. You may clarify this before starting to truncate DN notations...
Using VPE-based iRule events (e.g. ACCESS_POLICY_AGENT_EVENT) gives you more flexibility. The sample above could be simplified using a couple of F5-specific iRule commands and would also allow you to convert HEX-encoded AD groups containing special character sets (e.g. German umlauts) back to UTF while applying URI::encode to it, so it would become safe to insert the string in an HTTP header.
Let me know if you need further assistance...
Cheers, Kai
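The iRule below is an added example and is not code from any post in this thread; it is one way to build the iRule-event variant Kai describes, doing the session-time work in ACCESS_POLICY_AGENT_EVENT and only reading the result per request. It assumes a VPE "iRule Event" agent with the ID "build_groups" placed after the AD Query and primary-group lookup, an assumed custom session variable session.custom.groups_header, and an assumed name filter pattern; the session variables it reads are the ones Kai's expression uses.

```tcl
# Added example (not from the thread). Assumed names: agent ID "build_groups",
# session variable session.custom.groups_header, filter pattern keep_pattern.
when ACCESS_POLICY_AGENT_EVENT {
    # Only act for our agent; any other iRule Event agent in the policy passes through.
    if { [ACCESS::policy agent_id] ne "build_groups" } { return }

    # Optional name filter (assumed). "*" keeps every group; "APP_*" would keep
    # only groups whose CN starts with APP_.
    set keep_pattern "*"

    set names [list]
    foreach var [list "session.ad.last.attr.memberOf" \
                      "session.ad.last.attr.primarygroup.dn" \
                      "session.ad.last.attr.primarygroup.memberOf"] {
        # APM joins multi-valued attributes with " | ", so split on the pipe
        # and trim the surrounding spaces.
        foreach dn [split [ACCESS::session data get $var] "|"] {
            set dn [string trim $dn]
            if { $dn eq "" } { continue }

            # Take the value of the leading RDN (normally the CN). An LDAP
            # escape such as "\," must not end the value, so backslash-escaped
            # characters are consumed as pairs instead of stopping at the
            # first comma.
            if { ![regexp {^[^=]+=((?:\\.|[^,\\])*)} $dn -> raw_cn] } { continue }

            # Decode RFC 4514 escapes: "\XX" hex pairs become the raw byte
            # (UTF-8 bytes for umlauts), "\," "\#" "\\" become the literal
            # character. No [subst] here: a group name containing "[" must
            # never reach the Tcl evaluator.
            set cn ""
            set i 0
            set len [string length $raw_cn]
            while { $i < $len } {
                set c [string index $raw_cn $i]
                if { $c ne "\\" } {
                    append cn $c
                    incr i
                    continue
                }
                set hex [string range $raw_cn [expr {$i + 1}] [expr {$i + 2}]]
                if { [string length $hex] == 2 && [string is xdigit -strict $hex] } {
                    append cn [binary format H2 $hex]
                    incr i 3
                } else {
                    append cn [string index $raw_cn [expr {$i + 1}]]
                    incr i 2
                }
            }

            if { ![string match -nocase $keep_pattern $cn] } { continue }

            # Percent-encode each name on its own so the "|" separator added
            # below stays a literal delimiter and non-ASCII bytes end up as
            # %C3%BC-style sequences that are safe in a header value.
            lappend names [URI::encode $cn]
        }
    }

    # De-duplicate and store once per session; per-request code only reads it.
    ACCESS::session data set session.custom.groups_header [join [lsort -unique $names] "|"]
}

when ACCESS_ACL_ALLOWED {
    # Remove any client-supplied copies before inserting, so a request that
    # arrives with its own GROUPS or USERID header cannot smuggle extra values
    # to the back-end (replace only touches the last occurrence of a header).
    HTTP::header remove USERID
    HTTP::header remove GROUPS
    HTTP::header insert USERID [ACCESS::session data get session.logon.last.username]
    HTTP::header insert GROUPS [ACCESS::session data get session.custom.groups_header]
}
```

Two things to keep in mind when using this: the CN-only truncation inherits the caveat Kai raises, i.e. a CN is not guaranteed unique in AD, so confirm with the directory owners that CN equals the pre-Windows 2000 group name before the back-end relies on it; and because the header value is computed once per session, a group change in AD only reaches the application after the user's next logon.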