APM LDAP by path
I'm trying to figure out a means to allow different LDAP query limits for different paths on the same server.
- https://example.com/italyonly/ - co=it
- https://example.com/groupFoo/ user in group=foo
- https://example.com/employees/ user has workforce=yes
- https://example.com/italyonly/employees/ co=it AND workforce=yes
I can add the various ldap queries to a string datagroup indexed by hostname/path (as the virtual server will hopefully handle other servernames too) and insert them into a session.ldapsearch through use of a table/subtable. I tried just variables, but the iRule event ACCESS_POLICY_AGENT_EVENT does not appear to "see" variables created in other sections of the same iRule. This is further complicated when using http2 as request events can happen in different iRule context.
The issue is if I create an "LDAP Query" instance in the APM flow and use something like:
(cn=%{session.oauth.client.last.id_token.cn})
This works fine, but something like:
(&(cn=%{session.oauth.client.last.id_token.cn})(%{session.ldapsearch}))
Does NOT work as session.ldapsearch is RFC-4515 escaped as if it were a single entity instead of a formatted search.
How do people add different LDAP checks for different paths on a server using APM?
If this were just a single group membership, I think inserting the one "group name" needed for each host/path would be fairly straight forward.
I would hope that the requested url path would be found in session.server.landinguri but so far I'm testing things in the iRule using variants of [HTTP::host][HTTP::uri] for the lookups.
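As an added example (not from the post above, and not F5 APM code), the following Python models the failure mode the post describes and the alternative it hints at: RFC 4515 filter escaping treats whatever is substituted as a single assertion value, so a pre-built fragment such as `(co=it)` comes out as `\28co=it\29` instead of a nested clause. Composing the filter from per-path attribute/value pairs, with only the values escaped, keeps the filter structure under the policy's control and also blocks filter injection through user-derived values such as `cn`. The `PATH_RULES` table, the host/path lookup, the `memberOf` attribute for the group check, and the sample values are all constructed assumptions standing in for the datagroup and session variables mentioned in the post.

```python
"""RFC 4515 value escaping, and why a filter fragment stored in a session
variable cannot be spliced into a filter as if it were a value.

Added example; function names, the PATH_RULES table and the sample values
are constructed for illustration and are not part of any F5 APM API.
"""
import re

# RFC 4515 section 3: characters that must be escaped inside an assertion value.
_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}

# Attribute names are generated by the policy, never by the user; this is a
# conservative syntax check (assumption: no OID-style attribute names needed).
_ATTR_RE = re.compile(r"[A-Za-z][A-Za-z0-9-]*")


def escape_ldap_value(value: str) -> str:
    """Escape one assertion value per RFC 4515 (each char mapped once, so the
    backslash cannot be double-escaped)."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def naive_splice(cn: str, fragment: str) -> str:
    """Model the post's second filter: the whole fragment is substituted as a
    value, so its parentheses are escaped and the clause is no longer a clause."""
    return f"(&(cn={escape_ldap_value(cn)})({escape_ldap_value(fragment)}))"


def build_filter(cn: str, required: list[tuple[str, str]]) -> str:
    """Compose (&(cn=<cn>)(attr=val)...) from attribute/value pairs.

    The filter structure comes from code; only values are escaped, so neither
    the cn from the id_token nor a datagroup value can add or drop clauses.
    """
    clauses = [f"(cn={escape_ldap_value(cn)})"]
    for attr, val in required:
        if not _ATTR_RE.fullmatch(attr):
            raise ValueError(f"bad attribute name: {attr!r}")
        clauses.append(f"({attr}={escape_ldap_value(val)})")
    if len(clauses) == 1:
        return clauses[0]
    return "(&" + "".join(clauses) + ")"


# Constructed stand-in for the host/path datagroup: each entry maps a host+path
# prefix to the attribute/value pairs the user must satisfy (the group check
# via memberOf and the group DN are assumptions about the directory schema).
PATH_RULES = {
    "example.com/italyonly/employees/": [("co", "it"), ("workforce", "yes")],
    "example.com/italyonly/": [("co", "it")],
    "example.com/groupFoo/": [("memberOf", "cn=foo,ou=groups,dc=example,dc=com")],
    "example.com/employees/": [("workforce", "yes")],
}


def rules_for(host: str, path: str) -> list[tuple[str, str]]:
    """Longest-prefix match on host+path, mirroring a datagroup lookup keyed
    by [HTTP::host][HTTP::uri]; no match means no extra LDAP condition."""
    key = host.lower() + path
    best = ""
    for prefix in PATH_RULES:
        if key.startswith(prefix) and len(prefix) > len(best):
            best = prefix
    return PATH_RULES.get(best, [])


if __name__ == "__main__":
    # The splice the post tried: the fragment is escaped as one value.
    print(naive_splice("alice", "(co=it)"))
    # Per-path composition: structure from code, values escaped.
    rules = rules_for("example.com", "/italyonly/employees/report")
    print(build_filter("alice", rules))
    # A cn containing filter metacharacters stays a single value.
    print(build_filter("x)(uid=*", rules))
```

Running the script prints the escaped splice `(&(cn=alice)(\28co=it\29))`, then the composed filter `(&(cn=alice)(co=it)(workforce=yes))` for the nested path, and finally shows a `cn` carrying `)(uid=*` rendered as `x\29\28uid=\2a` rather than as an extra clause.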