Sending APM AD Query groups as a header

Question

Hi I'm setting up an APM with Kerberos auth that also needs to authenticate group membership to the applications. They application owners also need to see which groups the users are members of to know what type of permissions they're assigned. Users could be in multiple groups. I have the Kerbers auth and the AD query working but the irule sends all of the groups in the memberOf field as a header and in CN=group,DC=domain,DC=local format. Can anyone help?

This is the irule i have

when HTTP_REQUEST_SEND {
clientside {
HTTP::header replace GROUPS [ACCESS::session data get session.ad.last.attr.memberOf]}
HTTP::header replace USER [ACCESS::session data get session.ad.last.attr.name]
}
}

Would something like this work?

when HTTP_REQUEST_SEND {
clientside {
HTTP::header replace GROUPS {[split [string map [list {| CN=} \0] $s] \0 ] [ACCESS::session data get session.ad.last.attr.memberOf]}
HTTP::header replace USER [ACCESS::session data get session.ad.last.attr.name]
}
}

steved1979 · Answer

The only thing is I'm not using the primary group.&nbsp; I'm changing the branch rule to branch rule 1&nbsp;CN=AD group i'm checking against for membership and permissions to the application.

buulam · Answer

Hi&nbsp;SteveD1979&nbsp;did you have any feedback after this reply from Scot_JC&nbsp;&nbsp;?

kai_wilke · Answer

Hi Steve,
you may run either a variable assignment or custom iRule event within your VPE Session Policy to build a tailordered group string matching your needs. You may:

Filter the groups by name, so that only important groups (e.g. a specific name prefix/suffix, baseDN) will be delegated to your back-end.
Truncate any fully qualified DN information
Combine memberOf and primary group into one string.
Remove any LDAP specific encodings from group names.
Convert HEX to URI encoding for groups containing non-ASCII characters.&nbsp;&nbsp;

Note: The decission to use variable assignment or iRule events is based on the complexity of the processing. iRule events supporting a more flexible TCL syntax with lots of useful commands added by F5 (e.g. b64encode/URI::encode, findstr/substr, etc.) . Variable assignment expression are basically pure TCL language with limited and slightly more complex command sets.&nbsp;&nbsp;
The idea of performing such processing within the&nbsp;VPE Session Policy is, that you perform this heavy lifting just once for a given user-session and then simply inject the pre-computed information on a per-request basis either via iRule code (e.g. ACCESS_ACL_ALLOWED), via VPE Per-Request Policy or via JWT-SSO (which Nikoolayy1&nbsp;has recommended) without CPU intensive processings.
Let me give you an example how I've used VPE expression in the past, to compute a tailordered group string:
VPE Variable Assignment:
Variable Name: 
session.logon.last.truncated_groups
VPE Expression:
set memberOf [mcget {session.ad.last.attr.memberOf}];
set primarydn [mcget {session.ad.last.attr.primarygroup.dn}];
set primarymemberOf [mcget {session.ad.last.attr.primarygroup.memberOf}];
if { $memberOf ne "" } then {
	append in_groups $memberOf;
}:
if { $primarydn ne "" } then {
	append in_groups "|${primarydn}|";
};
if { $primarymemberOf ne "" } then {
	append in_groups $primarymemberOf;
};
if { $in_groups ne "" } then {
	foreach group [split [string map [list "%" "%25" {\,} "%5C%2C" " || " "|" " ||" "|" "|| " "|" " | " "|" " |" "|" "| " "|" ] $in_groups] "|"] {
		lappend out_groups [string range $group [expr { [string first "=" $group] + 1 }] [expr { [string first "," $group] -1 }]];
	};
	set out_groups [string map [list "%5C%2C" {\,} "%25" "%" ] [join [lsort -unique [lsearch -all -inline $out_groups "*?*"]] "|"]];
	return $out_groups;
} else {
	return "";
}; 
Note: Keep in mind that a Group CN isn't a unique value in an AD infrastructure. Best practises is that the CN should match the actual Pre-Win2000 Group Name (this value is unique) so that you could savely truncate the DN notation. But you never know how creative your AD admins are. You may clarify this before starting to truncate DN notations...&nbsp;
Using VPE based iRule events (e.g. ACCESS_POLICY_AGENT_EVENT) gives you more flexibility. The sample above could be simplified using a couple F5 specific iRule commands and would also allow you to convert HEX encoded AD Groups containing special character sets (e.g. german umlaute) back to UTF while adding URI::encoding to it, so its would become safe to intert the string in an HTTP header.&nbsp;&nbsp;
Let me know if you need further assitance...
Cheers, Kai

kai_wilke · Answer

All of your tagged guys could have answered the question. So first come first served... 😉&nbsp;
Cheers, Kai

nikoolayy1 · Answer

Better play an test to make it work as I have not done this myself but you can also try&nbsp;session.ad.last.attr.primaryGroupID&nbsp; https://techdocs.f5.com/en-us/bigip-15-0-0/big-ip-access-policy-manager-visual-policy-editor/per-request-policy-item-reference/about-per-req-authentication-items/about-ad-group-lookup.html
&nbsp;
Other than that to make it more secure better use F5 Bearer SSO JWT sign in than HTTP header as F5 can provide the groups in the JWT token that is signed by an F5 Cert that the applications can also have.
&nbsp;
https://techdocs.f5.com/kb/en-us/products/big-ip_apm/manuals/product/big-ip-access-policy-manager-single-sign-on-concepts-configuration-14-1-0/04.html
&nbsp;

Forum Discussion

Sending APM AD Query groups as a header

9 Replies

Recent Discussions

CONNECTION IS LOST DUE TO SELF IP IS DELIVERED

ASM instance creation

Can iRule mask the payload content on event logs of security

Disacard SSL::cert mode to ignore when default SSLClient profile is set to request or require

F5Access | MacOS Sonoma

Related Content

Certified Kubernetes Administrator - Study Group

GTM synchronization group

Security headers

ha group

VLAN Group and Asymmetric Deployment