17-Apr-2023 15:13 - edited 17-Apr-2023 15:15
Hi,
I'm attempting to assign resources to a user if their user name, retrieved during authentication, exists in a list. I've tried many combinations of the following to no avail:
expr { lsearch {"user1" "user2" "user3"} [mcget {session.logon.last.username}] }
I've also tried (many, many) combinations of:
expr { [mcget {session.logon.last.username}] in {"user1" "user2" "user3"} }
or
expr { [mcget {session.logon.last.username}] in [list "user1" "user2" "user3"] }
None of these works.
This works, though, but I'd rather not use it; there are corner cases where it can fail:
expr { "user1 user2 user3" contains [mcget {session.logon.last.username}] }
Any ideas?
Sys::Version
Main Package
Product BIG-IP
Version 16.1.3.3
Thanks!
17-Apr-2023 20:28
Hi nickamon,
I think multiple variables cannot be compared without using "or" in the expression. Using an iRule can help.
expr { [mcget {session.logon.last.usergroup}] equals "usergroup1" }
iRule:
when ACCESS_POLICY_AGENT_EVENT {
    # Act only on the iRule Event agent whose ID is "usercheck"
    if { [ACCESS::policy agent_id] eq "usercheck" } {
        # Exact match of the username against each data group in turn;
        # elseif/else must follow the closing brace on the same line
        if { [class match [ACCESS::session data get "session.logon.last.username"] equals /Common/dg_userlist1] } {
            ACCESS::session data set session.logon.last.usergroup "usergroup1"
        } elseif { [class match [ACCESS::session data get "session.logon.last.username"] equals /Common/dg_userlist2] } {
            ACCESS::session data set session.logon.last.usergroup "usergroup2"
        } elseif { [class match [ACCESS::session data get "session.logon.last.username"] equals /Common/dg_userlist3] } {
            ACCESS::session data set session.logon.last.usergroup "usergroup3"
        } else {
            ACCESS::session data set session.logon.last.usergroup "usergroup4"
        }
    }
}
If you add the datagroup records as string-value (username-variable), you can use only one datagroup and simplify the iRule by assigning the datagroup parameter's value to the variable.
when ACCESS_POLICY_AGENT_EVENT {
    # Act only on the iRule Event agent whose ID is "usercheck"
    if { [ACCESS::policy agent_id] eq "usercheck" } {
        if { [class match [ACCESS::session data get "session.logon.last.username"] equals /Common/dg_userlist] } {
            # Store the matching record's value as the user group
            ACCESS::session data set session.logon.last.usergroup [class match -value [ACCESS::session data get "session.logon.last.username"] equals /Common/dg_userlist]
        } else {
            ACCESS::session data set session.logon.last.usergroup "nondatagroupuser"
        }
    }
}
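Added example, not part of either post: a stock Tcl (tclsh 8.5+) comparison of a substring test like the `contains` expression in the question with an exact-key lookup like the single data group iRule in the reply. It assumes `string first` as a stand-in for `contains` and a dict as a stand-in for the data group; the proc names and sample usernames are constructed for illustration.

```tcl
# Stock Tcl, not an iRule: "string first" stands in for the iRules
# "contains" operator, and a dict stands in for the string data group.

# Constructed sample records: username -> group.
set dg_userlist [dict create user1 usergroup1 user2 usergroup2 user3 usergroup3]

# Substring check, equivalent in effect to:
#   "user1 user2 user3" contains $name
proc substring_allows {name} {
    expr {[string first $name "user1 user2 user3"] >= 0}
}

# Exact, whole-key lookup with a fallback value, mirroring
# "class match -value ... equals" plus the else branch.
proc exact_group {dg name} {
    if {[dict exists $dg $name]} {
        return [dict get $dg $name]
    }
    return "nondatagroupuser"
}

# Constructed usernames: one listed user, four fragments of the
# allow-list string, and one near miss that neither check accepts.
foreach name {user1 user ser2 "1 user2" r3 user10} {
    puts [format "%-10s substring=%d exact=%s" \
        "\"$name\"" [substring_allows $name] [exact_group $dg_userlist $name]]
}
```

Any username that is a fragment of the allow-list string passes the substring check, so resources assigned on that basis reach accounts that were never listed; the exact lookup assigns a group only to whole-key matches.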