Use session.ldap.last.attr.userPrincipalName in an iRule

Question

Hello,&nbsp;
In an iRule, I want to compare the userPrincipalName fetched from LDAP with the DN of an SSL certificate.&nbsp;
I have successfully extracted the email address from the certificate in a variable.  That part is working fine.&nbsp;
Now I'm not able to use the session variable called "session.ldap.last.attr.userPrincipalName" to do my comparison.&nbsp;
I tried this:&nbsp;
set myupn [ACCESS::session data get "session.ldap.last.attr.userPrincipalName"]
  log local0. "UPN VALUE is $myupn"&nbsp;
... but the variable $myupn remains empty.&nbsp;
For the sake of troubleshooting, in the above code, I tried to access session.logon.last.logonname, and in that case it works. &nbsp;
In the list of variables of the access policy, I see that "session.ldap.last.attr.userPrincipalName" is there and populated with the expected value.&nbsp;
How can I access the value of session.ldap.last.attr.userPrincipalName properly?&nbsp;
Thank you in advance.&nbsp;
Best Regards,&nbsp;

stanislas_piro2 · Answer

Hi,
are you sure the userPrincipalName is fetched by the LDAP query?
I recommend to do this check with variable assign instead of irule. 
session.custom.result ==
expr {[mcget {session.ldap.last.attr.userPrincipalName}] == [mcget {session.cert.UPN}]}

this will return 1 if same value, 0 if different.

Forum Discussion

Use session.ldap.last.attr.userPrincipalName in an iRule

1 Reply

Recent Discussions

google-visualization-issues

The best load balance method on this scenario?

SMS server with BIGIP

Geo Fence in ASM through irule for URI

Client certificate Authentication - open multiple tabs

Related Content

iRules Style Guide

Hey ChatGPT, can you write iRules?

POC: Validate JWT with iRule

iRules Editor with Visual Studio Code

Decrypting BIG-IP Packet Captures without iRules