Forum Discussion

Cirrus

Jan 23, 2023

APM Access Policy - Pass LDAP or AD Query variable

Is it possible to query whether a user has a value for one or another variable then use that to pass or fail passage down the rest of the swimlane for access? (e.g.- expr {[mcget {session.ad.session....

access policy

ad query

BIG-IP Access Policy Manager (APM)

devops

jamie_staples

Cirrus

Jan 26, 2023

Thank you for your time and answer....that helps solidify what I thought I knew...my problem is that the branch rule that I try doesn't work the way it should for a known good...

Branch rule: expr {[mcget {session.ad.session.ad.last.attr.variable1}] != "" || [mcget {session.ad.session.ad.last.attr.variable2}] != ""}

For my test account there is a value for variable 1, but the debug logs say that it can't be found nor is it memcached.

What am I missing?

Lucas_Thompson

Employee

Jan 26, 2023

If you get a log that the variable is not found, then the AD Query agent must not have created it. The LDAP Search performed by AD Query includes a default attribute filter that you can adjust or remove. By default only these "Required Attributes" are returned by the search:

So if you need additional attributes than these, you can add them.

jamie_staples
Cirrus
Mar 15, 2023
If the additional attributes ARE among the required attributes, and I am still getting the variable is not found, what do I do?
If I have removed some of the "required attributes", does that break something? Do I always have to use the specific required attributes AND any additional attributes?