Forum Discussion

markj_58101
Feb 19, 2016

AD query search filter

I'm trying to use the AD Query Search Filter feature on APM and having some issues with it. Below is my search:

 

expr { [mcget {session.ad.last.attr.memberOf}] contains "CN=Test" }

 

I'm getting this error on the APM which seems to indicate a possible syntax error:

 

Session variable 'session.ad.last.errmsg' set to 'Bad search filter, base: dc=Testdomain,dc=INT, scope: 2, filter: expr { [mcget {session.ad.last.attr.memberOf}] contains "CN=Test" }'

 

Has anybody got this feature working?

 

Thanks

 

6 Replies

  • LDAP query filters are in LDAP format, not TCL.

     

    Example: (&(st=WA)(title=*Engineer*))

     

    other examples

     

  • Thanks, I did try with the % also but that didn't work either:

     

     

    Still get the 'Bad search filter' in the logs.

     

  • From what I can tell, you are setting your search filter to a string, not a comparison. So it has no way to filter. SearchFilter = ().

     

    https://msdn.microsoft.com/en-us/library/windows/desktop/aa746475(v=vs.85).aspx

     

    For example, if you were searching for a user, you would use a specific attribute to compare (sAMAccountName=%{session.custom.samaccountname}). As long as you enable memberOf in the query, it will retrieve the group memberships and auto populate the session.ad.last.attr.memberOf session variable for you.

     

    If you are trying to make sure that the authenticated user is a member of a specific group, you would want to set a query filter to (memberOf=CN=Test....). You could also just use AD Group Resource assign.

     

    https://support.f5.com/kb/en-us/products/big-ip_apm/manuals/product/apm-authentication-single-sign-on-11-5-0/3.html
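As an added illustration of this reply (example code, not from the thread and not F5's own), the block below shows three things in one place: what the Search Filter field is actually parsed as (a minimal RFC 4515 parser, which rejects the Tcl expression from the original post and accepts the LDAP examples given above), how a value substituted for a session variable such as %{session.custom.samaccountname} has to be escaped before it lands in a filter, and the difference between the `contains "CN=Test"` substring test and an exact DN comparison against the memberOf values. The sample memberOf values, the group DN and the user names are constructed; the " | " separator assumed for a multi-valued attribute delivered as one string is an assumption about APM, not something the thread states.

```python
"""Added example (not from the thread, not F5 code): what the AD Query Search
Filter field accepts, escaping of substituted values, and memberOf checks.
Sample data is constructed; the " | " multi-value separator is an assumption."""
import re

# --- 1. A minimal RFC 4515 parser: what "Bad search filter" is complaining about ---
_ATTR = re.compile(r"[A-Za-z][A-Za-z0-9.;-]*")   # attribute description (simplified)
_OP = re.compile(r">=|<=|~=|=")                  # filtertype
_HEX_ESCAPE = re.compile(r"\\[0-9A-Fa-f]{2}")    # value escape: backslash + two hex digits


class FilterError(ValueError):
    """Anything that is not an RFC 4515 filter, e.g. a Tcl expression."""


def parse_filter(s):
    """Parse into nested tuples: ("&"|"|"|"!", [children]) or (op, attr, value)."""
    pos = 0

    def expect(ch):
        nonlocal pos
        if pos >= len(s) or s[pos] != ch:
            raise FilterError(f"expected {ch!r} at offset {pos}")
        pos += 1

    def filt():
        nonlocal pos
        expect("(")
        if pos < len(s) and s[pos] in "&|!":
            op, pos = s[pos], pos + 1
            kids = []
            while pos < len(s) and s[pos] == "(":
                kids.append(filt())
            if not kids or (op == "!" and len(kids) != 1):
                raise FilterError(f"bad operand count for {op!r} at offset {pos}")
            expect(")")
            return (op, kids)
        m = _ATTR.match(s, pos)
        if not m:
            raise FilterError(f"expected attribute at offset {pos}")
        attr, pos = m.group(0), m.end()
        m = _OP.match(s, pos)
        if not m:
            raise FilterError(f"expected =, >=, <= or ~= at offset {pos}")
        op, pos = m.group(0), m.end()
        start = pos
        while pos < len(s) and s[pos] not in "()":   # value runs up to the closing paren
            if s[pos] == "\\":
                if not _HEX_ESCAPE.match(s, pos):
                    raise FilterError(f"bad escape at offset {pos}")
                pos += 3
            else:
                pos += 1
        value = s[start:pos]
        expect(")")
        return (op, attr, value)

    tree = filt()
    if pos != len(s):
        raise FilterError(f"trailing data at offset {pos}")
    return tree


def is_valid_filter(s):
    try:
        parse_filter(s)
        return True
    except FilterError:
        return False


# --- 2. Escape a value before substituting it into a filter (RFC 4515) ---
_ESCAPE = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def ldap_escape(value):
    """Escape an assertion value; a DN used as a filter value gets the same treatment."""
    return "".join(_ESCAPE.get(c, c) for c in value)


def user_filter(sam_account_name):
    """The filter from the reply above, with the session-variable value escaped."""
    return f"(sAMAccountName={ldap_escape(sam_account_name)})"


def member_of_filter(sam_account_name, group_dn):
    """Server-side group check: a row comes back only if the full group DN is in memberOf."""
    return f"(&(sAMAccountName={ldap_escape(sam_account_name)})(memberOf={ldap_escape(group_dn)}))"


# --- 3. Checking session.ad.last.attr.memberOf ---
def _values(member_of):
    # Accept a list, or one string holding several DNs joined by " | " (assumed APM format).
    if isinstance(member_of, str):
        return [v for v in re.split(r"\s*\|\s*", member_of) if v]
    return list(member_of)


def _norm_dn(dn):
    # Case-insensitive compare with optional whitespace after each RDN separator removed.
    return re.sub(r",\s*", ",", dn.strip()).lower()


def contains_match(member_of, needle):
    """What a branch rule of the form `... contains "CN=Test"` tests: a plain substring search."""
    return any(needle in v for v in _values(member_of))


def is_member(member_of, group_dn):
    """Exact, case-insensitive DN match against each memberOf value."""
    target = _norm_dn(group_dn)
    return any(_norm_dn(v) == target for v in _values(member_of))


# Constructed sample data: this user is in CN=Test2, not in CN=Test.
TEST_GROUP_DN = "CN=Test,OU=Groups,DC=Testdomain,DC=INT"
SAMPLE_MEMBER_OF = ["CN=Test2,OU=Groups,DC=Testdomain,DC=INT",
                    "CN=Domain Users,CN=Users,DC=Testdomain,DC=INT"]

if __name__ == "__main__":
    print(is_valid_filter('expr { [mcget {session.ad.last.attr.memberOf}] contains "CN=Test" }'))  # False
    print(user_filter("*)(objectClass=*"))              # (sAMAccountName=\2a\29\28objectClass=\2a)
    print(contains_match(SAMPLE_MEMBER_OF, "CN=Test"))  # True, because CN=Test2 contains it
    print(is_member(SAMPLE_MEMBER_OF, TEST_GROUP_DN))   # False
```

Two caveats worth keeping in mind when you move the check into a branch rule: `contains "CN=Test"` is a substring test, so it also passes for CN=Test2 or CN=Testers, and the safe versions are an exact comparison against the full group DN or the server-side `(memberOf=...)` filter from the reply above; and memberOf only lists direct memberships, not the user's primary group and not groups reached through nesting. If the value you substitute for a session variable comes from a user-controlled logon field, escape it as above so `*`, `(`, `)` and `\` cannot alter the filter's structure.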

     

  • Thanks to everyone for all the help, which was great. Michael got me in the right direction: I needed to put my query under the advanced branch rules section. As everyone else pointed out as well, the search filter field is for the LDAP query. There is actually a pre-built condition which allows you to do this, which I didn't see before (because I was looking at the search filter field, as I thought that's where I needed to put it).

     

    Example below:

     

     

     

    Michael, I have used the AD group resource assign for other functions, but for this I just wanted to verify if a user was in a specific group before they could access a specific resource. Didn't want any dynamic allocation etc.

     

    Thanks for all the answers from the other posters.

     

    • AN

      Can I achieve the same after Kerberos authentication? I tried putting AD Query after Kerberos auth and variable assignment. AD Query search filter: %{session.sso.token.last.username}, and I found the following:

       

      bigip info apmd[28998]: 01490007:6: /frontend/f5-kerberos:frontend:8e2e231e: Session variable 'session.logon.last.domain' set to 'DOMAIN1.DOMAIN.COM'
      bigip info apmd[28998]: 01490007:6: /frontend/f5-kerberos:frontend:8e2e231e: Session variable 'session.sso.token.last.username' set to 'user1'
      bigip info apmd[28998]: 01490007:6: /frontend/f5-kerberos:frontend:8e2e231e: Session variable 'userPrincipalName' set to 'user1'
      bigip info apmd[28998]: 01490004:6: /frontend/f5-kerberos:frontend:8e2e231e: Executed agent '/frontend/f5-kerberos_act_message_box_ag', return value 0
      bigip info apmd[28998]: 01490006:6: /frontend/f5-kerberos:frontend:8e2e231e: Following rule 'fallback' from item 'Message Box' to item 'AD Query'
      bigip debug apmd[28998]: 01490011:7: /frontend/f5-kerberos:frontend:8e2e231e: AD agent: ENTER Function executeInstance
      bigip debug apmd[28998]: 01490231:7: /frontend/f5-kerberos:frontend:8e2e231e: AD Agent: Configured to use /frontend/AAA-Servers as a server
      bigip debug apmd[28998]: 01490023:7: /frontend/f5-kerberos:frontend:8e2e231e: AD module: ENTER Function queryActiveDirectory
      bigip err apmd[28998]: 01490107:3: /frontend/f5-kerberos:frontend:8e2e231e: AD module: query with 'user1' failed: empty password detected (-1)
      bigip debug apmd[28998]: 01490111:7: /frontend/f5-kerberos:frontend:8e2e231e: AD module: authenticate(): empty password detected (-1)
      bigip debug apmd[28998]: 01490024:7: /frontend/f5-kerberos:frontend:8e2e231e: AD module: LEAVE Function queryActiveDirectory
      bigip info apmd[28998]: 01490019:6: /frontend/f5-kerberos:frontend:8e2e231e: AD agent: Query: query with 'user1' failed
      bigip info apmd[28998]: 01490162:6: /frontend/f5-kerberos:frontend:8e2e231e: Username used for authentication contains domain information. Please enable 'Split domain from full Username' option in Logon Page if domain info should be separated from username for authentication to work properly.
      bigip debug apmd[28998]: 01490012:7: /frontend/f5-kerberos:frontend:8e2e231e: AD agent: LEAVE Function executeInstance
      bigip info apmd[28998]: 01490004:6: /frontend/f5-kerberos:frontend:8e2e231e: Executed agent '/frontend/f5-kerberos_act_active_directory_query_ag', return value 0
      bigip notice apmd[28998]: 01490005:5: /frontend/f5-kerberos:frontend:8e2e231e: Following rule 'fallback' from item 'AD Query' to ending 'Deny'
      bigip notice apmd[28998]: 01490102:5: /frontend/f5-kerberos:frontend:8e2e231e: Access policy result: Logon_Deny
      bigip info apmd[28998]: 01490004:6: /frontend/f5-kerberos:frontend:8e2e231e: Executed agent '/frontend/f5-kerberos_end_deny_ag', return value 0