I'm trying to use the AD Query Search Filter feature on APM and having some issues with it. Below is my search:
expr { [mcget {session.ad.last.attr.memberOf}] contains "CN=Test" }
I'm getti...
Thanks to everyone for all the help which was great. Michael got me in the right direction, I needed to put my query under the advanced branch rules section. As everyone else pointed out as well, the search filter field is for the LDAP query. There is actually a pre-built condition which allows you to do this which I didn't see before (because I was looking at the search filter field as I thought that's where I needed to put it).
Example below:
Michael, I have used the AD group resource assign for other functions but for this I just wanted to verify if a user was in a specific group before they could access a specific resource. Didn't want any dynamic allocation etc.
Thanks for all the answers from the other posters.
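An added example, not code from the thread or from F5: the branch rule shown above is a plain substring match, so `contains "CN=Test"` also fires for groups such as CN=Test2 or CN=Testers. The Python below models that rule and two stricter forms that match the leading CN or the whole group DN. It assumes (as a labelled assumption) that APM presents the multi-valued memberOf attribute as a " | "-separated string; the sample value is constructed.

```python
import re
from typing import List, Optional

# Constructed sample of what session.ad.last.attr.memberOf might hold.
# Assumption: APM joins multi-valued attributes with " | " in the session variable.
SAMPLE_MEMBER_OF = (
    "CN=Test2,OU=Groups,DC=example,DC=com | "
    "CN=Testers,OU=Groups,DC=example,DC=com | "
    "CN=Domain Users,CN=Users,DC=example,DC=com"
)


def split_member_of(value: str) -> List[str]:
    """Split the pipe-delimited attribute into individual group DNs."""
    return [dn.strip() for dn in value.split("|") if dn.strip()]


def first_rdn_cn(dn: str) -> Optional[str]:
    """Return the value of the leading CN= component of a DN, honouring backslash escapes."""
    m = re.match(r"\s*CN=((?:\\.|[^,\\])*)", dn, re.IGNORECASE)
    return m.group(1).strip() if m else None


def substring_rule(member_of: str, needle: str) -> bool:
    """Behaviour of the thread's branch rule: a bare substring test over the whole attribute."""
    return needle in member_of


def exact_group_rule(member_of: str, group_cn: str) -> bool:
    """Allow only when some group's leading CN equals group_cn (case-insensitive, as AD treats CN)."""
    return any((first_rdn_cn(dn) or "").lower() == group_cn.lower()
               for dn in split_member_of(member_of))


def exact_dn_rule(member_of: str, group_dn: str) -> bool:
    """Strictest form: compare the complete group DN, so a same-named group in another OU does not match."""
    return any(dn.lower() == group_dn.lower() for dn in split_member_of(member_of))


if __name__ == "__main__":
    print("substring 'CN=Test':", substring_rule(SAMPLE_MEMBER_OF, "CN=Test"))   # True (over-matches)
    print("exact CN 'Test':   ", exact_group_rule(SAMPLE_MEMBER_OF, "Test"))     # False
    print("exact CN 'Testers':", exact_group_rule(SAMPLE_MEMBER_OF, "Testers"))  # True
```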
Can I achieve the same after Kerberos authentication?
I tried putting AD Query after Kerberos auth and variable assignment. AD Query search filter %{session.sso.token.last.username}, and I found the following:
bigip info apmd[28998]: 01490007:6: /frontend/f5-kerberos:frontend:8e2e231e: Session variable 'session.logon.last.domain' set to 'DOMAIN1.DOMAIN.COM'
bigip info apmd[28998]: 01490007:6: /frontend/f5-kerberos:frontend:8e2e231e: Session variable 'session.sso.token.last.username' set to 'user1'
bigip info apmd[28998]: 01490007:6: /frontend/f5-kerberos:frontend:8e2e231e: Session variable 'userPrincipalName' set to 'user1'
bigip info apmd[28998]: 01490004:6: /frontend/f5-kerberos:frontend:8e2e231e: Executed agent '/frontend/f5-kerberos_act_message_box_ag', return value 0
bigip info apmd[28998]: 01490006:6: /frontend/f5-kerberos:frontend:8e2e231e: Following rule 'fallback' from item 'Message Box' to item 'AD Query'
bigip debug apmd[28998]: 01490011:7: /frontend/f5-kerberos:frontend:8e2e231e: AD agent: ENTER Function executeInstance
bigip debug apmd[28998]: 01490231:7: /frontend/f5-kerberos:frontend:8e2e231e: AD Agent: Configured to use /frontend/AAA-Servers as a server
bigip debug apmd[28998]: 01490023:7: /frontend/f5-kerberos:frontend:8e2e231e: AD module: ENTER Function queryActiveDirectory
bigip err apmd[28998]: 01490107:3: /frontend/f5-kerberos:frontend:8e2e231e: AD module: query with 'user1' failed: empty password detected (-1)
bigip debug apmd[28998]: 01490111:7: /frontend/f5-kerberos:frontend:8e2e231e: AD module: authenticate(): empty password detected (-1)
bigip debug apmd[28998]: 01490024:7: /frontend/f5-kerberos:frontend:8e2e231e: AD module: LEAVE Function queryActiveDirectory
bigip info apmd[28998]: 01490019:6: /frontend/f5-kerberos:frontend:8e2e231e: AD agent: Query: query with 'user1' failed
bigip info apmd[28998]: 01490162:6: /frontend/f5-kerberos:frontend:8e2e231e: Username used for authentication contains domain information. Please enable 'Split domain from full Username' option in Logon Page if domain info should be separated from username for authentication to work properly.
bigip debug apmd[28998]: 01490012:7: /frontend/f5-kerberos:frontend:8e2e231e: AD agent: LEAVE Function executeInstance
bigip info apmd[28998]: 01490004:6: /frontend/f5-kerberos:frontend:8e2e231e: Executed agent '/frontend/f5-kerberos_act_active_directory_query_ag', return value 0
bigip notice apmd[28998]: 01490005:5: /frontend/f5-kerberos:frontend:8e2e231e: Following rule 'fallback' from item 'AD Query' to ending 'Deny'
bigip notice apmd[28998]: 01490102:5: /frontend/f5-kerberos:frontend:8e2e231e: Access policy result: Logon_Deny
bigip info apmd[28998]: 01490004:6: /frontend/f5-kerberos:frontend:8e2e231e: Executed agent '/frontend/f5-kerberos_end_deny_ag', return value 0