Forum Discussion
APM LDAP by path
Shoot. Sorry I misunderstood the internal writeup on this. Instead of not escaping itself it looks like it expects *you* to escape it manually. Can you try setting it to "\66\69\65\6C\64\3D\2A"? That should be "field=*".
You're going to have to double-escape them inside the iRule or policy agent config. TCL gets weird with escaping sometimes. The example I've got from bigip.conf where the variable is being set from a var-assign policy agent to "medusademo" to formulate a search filter is:
    apm policy agent variable-assign /Common/ldaptest_act_variable_assign_ag {
        variables {
            {
                expression "expr { \"\\\\59\\\\87\\\\FB\\\\A6\\\\AB\\\\1E\\\\D7\\\\40\\\\BE\\\\F8\\\\C7\\\\66\\\\C7\\\\DE\\\\CD\\\\56\" }"
                varname session.objectguid.foo
            }
        }
    }
    apm policy agent aaa-ldap /Common/ldap_query_bar_act_ldap_query_ag {
        filter "objectGUID=%{session.objectguid.foo}"
        search-dn cn=users,dc=lab,dc=apm,dc=f5test,dc=local
        server /Common/ldapQATest4
        type query
    }
If it doesn't work at first, packet capture a plaintext LDAP query so you can see what it's sending on the wire; the escaping might not be exactly right.
If the F5 is not autoescaping, and the entity value has problematic characters in it like "()*|!&:~\" those would break LDAP searches, and the user would need to escape those someplace.
Normally the F5 does RFC-4515 escape strings. This makes sense for entities, but NOT for search filters.
The db option makes sense, however setting it seems to have no effect for me.
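
Added example, not part of the thread and not F5 code: a Python sketch of the two escaping layers discussed above, RFC 4515 escaping of a filter value and the extra backslash layer seen in the bigip.conf sample. The helper names are hypothetical, and the GUID string is reconstructed from the sample's bytes on the assumption that the directory stores objectGUID in Active Directory's mixed-endian layout.

```python
# Added illustration: helper names are hypothetical, not F5 or APM APIs.
import uuid

# Octets RFC 4515 requires to be escaped inside an assertion value: NUL ( ) * \
RFC4515_SPECIAL = {0x00, 0x28, 0x29, 0x2A, 0x5C}


def escape_value(text: str) -> str:
    """Escape untrusted text for use as a filter value (never a whole filter)."""
    return "".join(
        f"\\{ord(ch):02X}" if ord(ch) in RFC4515_SPECIAL else ch for ch in text
    )


def escape_bytes(raw: bytes) -> str:
    """Escape every octet as \\XX, the form needed for binary values."""
    return "".join(f"\\{b:02X}" for b in raw)


def guid_filter(guid: str) -> str:
    """objectGUID filter; assumes AD's mixed-endian storage (uuid bytes_le)."""
    return "objectGUID=" + escape_bytes(uuid.UUID(guid).bytes_le)


def bigip_expression(escaped: str) -> str:
    """Quote like the thread's bigip.conf sample: each backslash becomes four."""
    return 'expr { \\"' + escaped.replace("\\", "\\" * 4) + '\\" }'


if __name__ == "__main__":
    # GUID string reconstructed from the thread's sample bytes (assumption above).
    flt = guid_filter("a6fb8759-1eab-40d7-bef8-c766c7decd56")
    print(flt)
    print(bigip_expression(flt.split("=", 1)[1]))
    # Escaping a whole filter turns the wildcard into a literal asterisk match.
    print(escape_value("field=*"))
    # Constructed hostile input: the value stays one literal, no extra clause.
    print("(cn=" + escape_value("bob)(uid=*") + ")")
```

Comparing the printed filter with a plaintext capture of the query shows whether an extra or missing backslash layer is the cause of a failed search.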