For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Sanitize special characters in AD groups names

Problem this snippet solves: With APM, when you query Active Directory to retrieve the groups membership, if an AD group contains one or several special characters, the name of the group is consider...
Published Apr 24, 2017
Version 1.0
active directory
application delivery
BIG-IP Access Policy Manager (APM)
devops
encoding
groups
hex
irule
iRules
Stanislas_Piro2's avatar
Stanislas_Piro2
Icon for Cumulonimbus rankCumulonimbus
Apr 24, 2017

Hi,

 

you can use string map instead of foreach / regsub...

 

when RULE_INIT {
set static::conversion_table {c3a8 65 c3a9 65 c3aa 65 c3ab 65 c2a3 3f}
}

when ACCESS_POLICY_AGENT_EVENT {
    if { [ACCESS::policy agent_id] eq "clean_group_names" } {
        set newMemberOf " | "
        set memberOf [ACCESS::session data get "session.ad.last.attr.memberOf"]
        set splited [split $memberOf "|"]
         Loop through all groups
        foreach field $splited {
             If the group starts with 0x, it is hexa, needs to be decoded
            if { $field starts_with " 0x" } {
                 remove spaces
                set trimed [string trim $field " "] 
                 skip the 0x at the beginning
                set hex_data [string tolower [substr $trimed 2]] 
                set hex_data [string map $static::conversion_table $hex_data]
                 Decode the hexa without special chars to string
                set groupStr [binary format H* $hex_data]
                 Concat the sanitize group name to the list
                set newMemberOf [concat $newMemberOf $groupStr " | "]
             The group is not hexa, just concat the value as it is
            } elseif { $field ne "" } {
                set newMemberOf [concat $newMemberOf $field " | "]
            }
        }
         Store the sanitize memberOf into a new session var
        ACCESS::session data set "session.custom.ad.memberOf" $newMemberOf
    }
}

I think you can also do it in variable assign instead of irule event...

 

you can try this code :

 

session.ad.last.attr.memberOf =

 

set conversion_table {c3a8 65 c3a9 65 c3aa 65 c3ab 65 c2a3 3f}
if { [info exists "groups"] }{unset groups;};
foreach field [mcget {session.ad.last.attr.memberOf}] {
    if { $field starts_with " 0x" } {
        set hex_data [string map $conversion_table [string range $field 2 end]];
        set groupStr [binary format H* $hex_data];
        lappend groups $groupStr;
    } else { lappend groups $field;};
};
unset -nocomplain conversion_table;
return $groups