Forum Discussion

MXV_164448
Mar 30, 2015

Active directory retrieve memberof group CN

Hi,

How can I retrieve the group common name from an AD Query? I can't find any info except how to get the DN of groups.

Thanks

Max

6 Replies

  • There is one use case I'm thinking of that would require the group to be only the first CN value: SAML multi-value attribute (unfortunately not working properly yet due to the fact that APM won't split the group list into multiple value fields). In such a case one would probably not like to send the DN but only the first CN field value.

    An option to retrieve the groups in such a format or an additional variable in such a format would be appreciated :-)

    Alex

  • AD returns the group information with the full DN and that is stored in the session.ad.last.attr.memberOf session variable. If you just want the CN for the group you will need to strip off the parts of the strings you don't want.

    What is the purpose of just wanting the group name returned instead of the full DN?

    Seth

  • I'm not sure how I can strip the unwanted part, do you have a hint?

    I need to fill out the Roles claim in an ADFS - F5 configuration and it seems that SharePoint is using it in the CN format.

    Thanks

    Max

  • Will you just send one group in the claim? Do you need all groups returned by AD to be stripped down and sent in a certain format?

    The memberOf attribute is a multi-value field. You can have an iRule event that will grab the session variable, do the string manipulation you need, then set a new session variable that you can use later. You could also possibly do an AD query and have branch rules per group (if you are doing a one-to-one mapping) and then do a variable assign to a custom variable that you use later.

    Seth

  • I thought that I could find a var like session.ad.last.attr.memberof.cn that would retrieve the group names.

    I don't know if I will be able to use all groups in a multi-value variable or if I will need to split them into different variables. I need to test it with SharePoint.

    Thanks for your reply

    Max

  • Hi,

    you can retrieve the CN value of the memberOf attribute with a variable assign:

    # Reset the result list so a value left from an earlier evaluation is not reused
    set groups {}
    foreach value [mcget {session.ad.last.attr.memberOf}] {
        # Capture the first CN value of the DN; skip entries that do not match
        # (an unguarded unset would raise an error for a non-matching value)
        if { [regexp {CN=([^,]+)} $value CNFull CNValue] } {
            lappend groups $CNValue
            unset CNFull CNValue
        }
    }
    return $groups

    This Tcl code will split the groups, search for the first CN in each group and create a new multi-valued variable.

    With a group named CN=My Group Name, CN=Users, OU=IT, DC=company, DC=local

    • variable CNFull contains the group name as CN=My Group Name
    • variable CNValue contains the group name as My Group Name
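As an added example (editorial, not part of the original thread and not F5's own code), here is a stand-alone tclsh script that hardens the expression above in two ways worth checking before the result feeds a Roles claim: it honours RFC 4514 backslash escapes, so a group whose name contains an escaped comma is not truncated by the `[^,]+` pattern, and it reports CN collisions, because a CN alone is not unique in a forest (two groups in different OUs can share it) while the full DN is. The `mcget` proc is a stub that returns constructed sample DNs so the script runs offline; in APM the real `mcget {session.ad.last.attr.memberOf}` supplies the list, and it is assumed the procs would need to be folded inline into the variable-assign expression.

```tcl
# Added example, not from the thread: hardened CN extraction for an APM
# memberOf list, runnable with plain tclsh.
# Stub for APM's mcget: returns constructed sample DNs (assumption: in APM the
# real [mcget {session.ad.last.attr.memberOf}] returns the same list shape).
proc mcget {name} {
    return [list \
        "CN=SharePoint Admins,OU=IT,DC=company,DC=local" \
        "CN=Sales\\, EMEA,OU=Sales,DC=company,DC=local" \
        "CN=SharePoint Admins,OU=Contractors,DC=company,DC=local" \
        "not-a-dn"]
}

# Return the value of the leading CN RDN, or "" when the string is not a CN DN.
# The pattern accepts backslash-escaped characters (RFC 4514), so the comma in
# "Sales\, EMEA" is part of the name rather than the end of the RDN; the naive
# {CN=([^,]+)} pattern from the thread would return "Sales\" for that group.
proc dnCn {dn} {
    if {![regexp -nocase {^CN=((?:\\.|[^,\\])*)} $dn -> raw]} {
        return ""
    }
    # drop the escaping backslashes to get the display form of the name
    return [regsub -all {\\(.)} $raw {\1}]
}

# Multi-valued list of group CNs, skipping values that are not CN DNs.
proc groupCns {dns} {
    set groups {}
    foreach dn $dns {
        set cn [dnCn $dn]
        if {$cn ne ""} {
            lappend groups $cn
        }
    }
    return $groups
}

# CNs that occur more than once in the list. A role mapping keyed on the CN
# alone cannot tell these groups apart; map on the full DN (or an allow-list
# of expected DNs) when that distinction matters.
proc cnCollisions {dns} {
    set count [dict create]
    foreach cn [groupCns $dns] {
        dict incr count $cn
    }
    set dups {}
    dict for {cn n} $count {
        if {$n > 1} {
            lappend dups $cn
        }
    }
    return $dups
}

set members [mcget {session.ad.last.attr.memberOf}]
puts "group CNs:     [groupCns $members]"
puts "ambiguous CNs: [cnCollisions $members]"
```

Run it with `tclsh script.tcl`. The sample list deliberately contains two "SharePoint Admins" groups in different OUs: both collapse to the same CN, which is exactly the case `cnCollisions` reports and the reason a claim built from CNs should be cross-checked against the DNs AD actually returned. In APM, replace the `puts` lines with `return [groupCns $members]` to keep the multi-valued result the variable assign expects.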