LDAP Query for Attribute
I apologize if this has been covered in a different article, but I have not been able to find anything that I've had success with.
In my environment, a user's DistinguishedName is totally unique, and they have no awareness as to what this attribute is. Users log in with their SamAccountName, which is different from anything in the DN string.
Example: Bob logs in with bob1234 but his DN is CN=Smith\, Bob1,DC=domain,DC=com
What I want to do is use an LDAP query (before authenticating), with what the user entered at login (SamAccountName), to probe the domain for a user matching that string, and assign the DistinguishedName from that user to session.logon.last.username via variable assignment later.
In my LDAP query I only have the SearchFilter defined:
(SamAccountName=%{session.logon.last.username})
I assume the administrative user and Base Search DN are inherited from the LDAP Authentication Profile, so I have left the SearchDN empty. I thought I could query a user's attributes from the F5 without them even authenticating, but in practice it does not work. I am always presented with this log when I try:
/Common/S3-LDAP-POLICY_Test:Common:ba183ab6: LDAP Module: Failed to make ldap_search in 'DC=domain,DC=com' with filter '(SamAccountName=bob) ' and scope '2'. Bad search filter.
Is this something I can even potentially do with APM?
I ultimately got this working by creating an LDAP Query action, I used the following as a SearchFilter:
(SamAccountName=%{session.logon.last.username})
I set DistinguishedName as a required attribute so that I was able to use it later. These are case-sensitive when you try to use them in Variable Assigns, so make sure to check the session variables after a login attempt if things aren't working.
The format of my LDAP users' DN is CN=Bob\, Smith... or CN=Bob... so I had to cover both cases. The F5 adds an extra slash to the session variable to make it a literal slash in TCL (my guess). I had to create a variable assign to remove that extra slash so when it's sent to the LDAP server it understands it.
This was the expression field of my variable assign:
    # Read the DN returned by the LDAP Query action
    set dn "[mcget {session.ldap.last.attr.dn}]"
    # If the DN contains a backslash, collapse the doubled "\\" back to a single "\"
    if {[string first "\\" $dn] != -1} {
        return [string map {\\\\ \\} $dn]
    } else {
        return $dn
    }
Finally I created an LDAP auth action with the following in the UserDN. SearchDN and SearchFilter are empty.
I had to open a case with F5 to figure out how to not send hex to my LDAP server. The key is the :noconv function.
%{dn:noconv}
After this, authentication worked!!
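As an added example (not part of the original post or of F5's own code), the following Python models the two string-handling steps of the procedure above so they can be checked offline: building the SearchFilter from the login name with RFC 4515 escaping, so characters a user types at the logon page stay literal inside the filter, and collapsing the doubled backslash in the DN the way the Tcl variable assign does. A small RFC 4514 splitter shows why the un-normalized DN would be read as the wrong set of RDNs. All sample values are constructed, not taken from a live APM session.

```python
# Constructed stand-ins for the APM session variables referenced in the post.
SAMPLE_LOGIN = "bob1234"
SAMPLE_DN_DOUBLED = "CN=Smith\\\\, Bob1,DC=domain,DC=com"  # as APM stores it: "\\," 
SAMPLE_DN_PLAIN = "CN=Bob,DC=domain,DC=com"               # no escaped comma at all

# RFC 4515 section 3: these characters must be hex-escaped inside a filter value.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a value that will be interpolated into an LDAP search filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_search_filter(login_name: str) -> str:
    """Mirror the post's (SamAccountName=%{session.logon.last.username}) filter,
    with the user-supplied login name escaped so it is matched literally."""
    return f"(SamAccountName={escape_filter_value(login_name)})"


def normalize_dn(session_dn: str) -> str:
    """Python equivalent of the Tcl variable assign: if the DN contains a
    backslash, collapse each doubled backslash to a single RFC 4514 escape."""
    if "\\" in session_dn:
        return session_dn.replace("\\\\", "\\")
    return session_dn


def split_rdns(dn: str) -> list:
    """Split a DN into RDNs on commas that are not backslash-escaped (RFC 4514)."""
    rdns, current, escaped = [], [], False
    for ch in dn:
        if escaped:                      # previous char was a backslash: keep literal
            current.append(ch)
            escaped = False
        elif ch == "\\":
            current.append(ch)
            escaped = True
        elif ch == ",":                  # unescaped comma separates RDNs
            rdns.append("".join(current))
            current = []
        else:
            current.append(ch)
    rdns.append("".join(current))
    return rdns


if __name__ == "__main__":
    print(build_search_filter(SAMPLE_LOGIN))
    print(split_rdns(SAMPLE_DN_DOUBLED))                # wrong: comma is not escaped
    print(split_rdns(normalize_dn(SAMPLE_DN_DOUBLED)))  # right: "Smith\, Bob1" stays whole
```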