
APM variable assign to trim ad group DN

Nolan_Jensen
Cirrostratus

I have created a variable assign in access policy based on some code I found on this site. This code allowed me to remove the AD distinguished name and just capture the name of the group in a variable.

That said, we recently had a requirement to add some leading characters to the group name that I also want to remove, but I'm not sure how to do both.

My current custom variable code is this:

set mem_fields [split [mcget {session.ad.last.attr.memberOf}] "|"]; foreach mem $mem_fields { if { $mem contains "Test" } { set found $mem } }; set grp_fields [split $found "=,"]; return [lindex $grp_fields 1];

That takes this group DN CN=DIV-Test-123456-read-only,OU=Groups,OU=One,OU=Two,OU=Three,DC=Organization,DC=com

and converts to DIV-Test-123456-read-only

What I would like to do now is modify the code to return this instead (remove the DIV from the group name as well as remove all DN related stuff)

Test-123456-read-only

Thank you in advance for your time!

1 ACCEPTED SOLUTION

Nolan_Jensen
Cirrostratus

I figured this out, so updating in case someone else runs across this.

Since the group name I wanted to send had a bunch of - that made this more complex. So I changed the group name from

DIV-Test-123456-read-only

to

DIV_Test-123456-read-only (to an underscore instead of a - between DIV and Test)

This allowed me to then use this modified code:

I then added a _ to the Split $found section and changed the $grp_fields from 1 to 2

set mem_fields [split [mcget {session.ad.last.attr.memberOf}] "|"]; foreach mem $mem_fields { if { $mem contains "Test" } { set found $mem } }; set grp_fields [split $found "=_,"]; return [lindex $grp_fields 2];
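An added example, not part of the original post and not F5's own code: one way to get Test-123456-read-only without renaming the group. It matches on the CN value only (`contains "Test"` tests the whole DN, so a "Test" in an OU also matches, and the last match wins) and returns an empty string when nothing matches instead of leaving `found` unset. The proc name `group_short_name`, its parameters and the sample memberOf string are assumptions made for illustration; it is written for plain tclsh, and in a Variable Assign the input would be the `mcget` call from the post.

```tcl
# Return the CN of the first group whose CN starts with "$prefix$marker",
# with $prefix stripped. Returns "" when no group qualifies, so a later
# policy branch can test for an empty value.
proc group_short_name {member_of prefix marker} {
    set want "$prefix$marker"
    foreach dn [split $member_of "|"] {
        set dn [string trim $dn]
        if {$dn eq ""} { continue }
        # Take only the leading RDN: CN=<value> up to the first unescaped
        # comma. A backslash-escaped comma inside the CN stays in the value.
        if {![regexp -nocase {^CN=((?:\\.|[^,\\])+)} $dn -> cn]} { continue }
        # Literal, case-sensitive prefix comparison against the CN itself,
        # never against OU= or DC= components further along the DN.
        if {[string equal -length [string length $want] $want $cn]} {
            return [string range $cn [string length $prefix] end]
        }
    }
    return ""
}

# Constructed sample input, pipe-separated like the value the post splits.
# The second entry carries "Test" only in an OU and must not be selected.
set sample [join {
    "CN=Domain Users,CN=Users,DC=Organization,DC=com"
    "CN=DIV-Prod-000001-admin,OU=Test,OU=Groups,DC=Organization,DC=com"
    "CN=DIV-Test-123456-read-only,OU=Groups,OU=One,OU=Two,OU=Three,DC=Organization,DC=com"
} " | "]

# Matching group: the prefix is stripped from the CN.
puts [group_short_name $sample "DIV-" "Test"]

# No matching group: the proc returns an empty string rather than erroring.
set none [group_short_name "CN=Other,OU=Test,DC=Organization,DC=com" "DIV-" "Test"]
puts "no match -> length [string length $none]"
```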

 
