Forum Discussion
set/override session values via iRule
We are using the Loop "function" in an APM policy to handle the login page.
In this loop we need to separate the different possible login methods (email, loginname, …), which we do in an iRule. We found some inexplicable behavior when we have the second roundtrip. The changes via iRule remain in the last set value.
When I log the value inside the iRule it is correct; a Logging Item shows the old value.
Is there any “sync” needed?
7 Replies
- Seth_Cooper
Employee
Hi,
You are running into BugId 420284. What happens is that iRules run in tmm and the Access Policy (login page, etc.) runs in apd. When APD gets the session variable from tmm it will cache the results, and it will not update the cached results even if the variable has changed in tmm. The BugId is to change this behavior. Please open a case with F5 Support asking for your company to be linked to the BugId.
Now... you do have some options to work around this limitation. If you can share exactly what you are trying to do with a screenshot of the VPE, show all information that would be needed to troubleshoot, and provide your iRule, I can help come up with a way to make this work for you.
Seth
- jk20004
Cirrus
Hi Seth,
What we do first is give the user the option to log in with the username, email, UPN and also older Domain\Username versions. Second, if we have identified the user, we need to know the country (for only one special country) to authenticate on another DC. We have an iRule Event after the Logon Page, and there we get the username from the logon page:

    set logonname [string trim [string tolower [ACCESS::session data get {session.logon.last.username}]]]

and after all the logic we set the logontype and the required field via

    ACCESS::session data set

Via the Branch Rules (of the iRule Event) and the logontype we choose a different LDAP Query with the corresponding SearchFilter, using the values set in the iRule.
I also opened a case and uploaded a qkview to iHealth.
- Stanislas_Piro2
Cumulonimbus
Hi,
You can use a search filter matching all types:

    (|(sAMAccountName=%{session.logon.last.logonname})(UserPrincipalName=%{session.logon.last.logonname})(mail=%{session.logon.last.logonname}))

- jk20004
Cirrus
Yes and no.
Some parts, for example the required trim (don't know why users are adding spaces at the end of their username), can be done via Variable Assign, but there is a little bit more logic inside the iRule when a user uses Domain/Username.
- Stanislas_Piro2
Cumulonimbus
Variable Assign can do lots of things without using iRules:

    session.logon.last.username = set username [string trim [mcget {session.logon.last.logonname}]];
    if { $username contains "\\" } {
        # DOMAIN\user: keep only the part after the first backslash
        return [string range $username [expr {[string first "\\" $username] + 1}] end];
    } else {
        return $username
    }

Or you can split the username with the logon page split option.
- Seth_Cooper
Employee
Try this in a VPE variable assign before your iRule event and then remove the iRule event and use an empty VPE action...

    session.custom.logontype = set logonname [string trim [mcget {session.logon.last.username}]];
    if { [string length $logonname] == 0 } {
        return "99"
    } else {
        if { $logonname starts_with "company-" } {
            return "1";
        } elseif { $logonname ends_with ".com" } then {
            return "2";
        } elseif { $logonname contains "company.net" } {
            if { $logonname contains "\\" } {
                return "1";
            } else {
                return "3";
            }
        } else {
            return "1";
        }
    }

Then in the action after the variable assign you can create an empty VPE action that checks the session.custom.logontype session variable value and proceeds down the branch needed.
Please let me know if this helps.
Seth
- Stanislas_Piro2
Cumulonimbus
Same variable assign as Seth, but with a switch instead of multiple ifs:

    session.custom.logontype = set username [string trim [mcget {session.logon.last.logonname}]];
    switch -glob $username {
        "*@*"    { return 1 }
        "*\\\\*" { return 2 }
        default  { return 3 }
    }

I use session.logon.last.logonname and not session.logon.last.username to be sure the logon page "Split domain from full Username" option does not change the behavior.
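
Added example (not part of any reply above, and not F5 code): the trim, domain-split and logon-type decisions from this thread collected into one plain-Tcl proc that runs in a stock tclsh, so the edge cases (trailing spaces, empty field, DOMAIN\user, user@suffix) can be checked offline before the logic goes into a Variable Assign. It uses only core Tcl commands rather than the `contains` / `starts_with` operators, and the proc name `classify_logon`, its type labels and the sample inputs are assumptions made for illustration.

```tcl
# Added illustration for tclsh (not APM): classify_logon and its type labels
# are hypothetical names; the sample inputs below are constructed.
proc classify_logon {raw} {
    # Same normalisation as the iRule in the thread: trim, then lower-case.
    set name [string tolower [string trim $raw]]
    if {$name eq ""} {
        return [dict create type empty domain "" user ""]
    }
    # DOMAIN\user: split on the first backslash.
    set bs [string first "\\" $name]
    if {$bs >= 0} {
        return [dict create type downlevel \
            domain [string range $name 0 [expr {$bs - 1}]] \
            user   [string range $name [expr {$bs + 1}] end]]
    }
    # user@suffix: an e-mail address and a UPN look the same at this point.
    set at [string last "@" $name]
    if {$at >= 0} {
        # Nothing before or after the "@" is not a usable logon name.
        if {$at == 0 || $at == [string length $name] - 1} {
            return [dict create type invalid domain "" user ""]
        }
        return [dict create type upn_or_mail \
            domain [string range $name [expr {$at + 1}] end] \
            user   [string range $name 0 [expr {$at - 1}]]]
    }
    # Anything else is treated as a plain account name.
    return [dict create type plain domain "" user $name]
}

# Constructed inputs: trailing spaces, DOMAIN\user, leading space, blank, malformed.
foreach raw {"jdoe  " "CORP\\JDoe" " j.doe@example.com" "   " "@broken"} {
    set r [classify_logon $raw]
    puts [format "%-22s -> %-12s domain=%-12s user=%s" "\[$raw\]" \
        [dict get $r type] [dict get $r domain] [dict get $r user]]
}
```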