
rwagner1
Oct 18, 2017

iRule help needed

We have an iRule that will only send a group starting with the name Kaltura. for our SAML setup. They have now decided they want to add role-based authentication; however, it has to have a different attribute. We currently use the AD attribute MemberOf, which has all groups. What we are hoping to do is to send the Kaltura. groups through as MemberOf but send the ADMINKaltura. groups through as "Role". Since both are MemberOf attributes, the dilemma is how to send ADMINKaltura. as Role. Here is the current iRule.

when ACCESS_POLICY_AGENT_EVENT {
    if { [ACCESS::policy agent_id] eq "extract_cn" } {
        set default_group "ORT All Users"
        # short_list is where we will store the abbreviated list of groups
        set short_list [list]
        set groups [ACCESS::session data get session.ad.last.attr.memberOf]
        log local0. "Original groups: $groups"

        foreach some_group [split $groups "|"] {
            log local0. "Evaluating CN: $some_group"

            # take notice of the leading spaces of the CN match..
            switch -glob -- $some_group {
                " CN=Kaltura*" {
                    regexp {CN=([^,]+)} $some_group CNFull CNValue
                    log local0. "Adding to short_list: --$some_group"
                    log local0. "FULL: $CNFull  Value:  $CNValue"
                    lappend short_list $CNValue
                    unset CNFull
                    unset CNValue
                }
                default {
                    log local0. "No group found.."
                }
            }
        }
        if { [llength $short_list] == 0 } {
            lappend short_list $default_group
            log local0. "Using default $default_group"
        }
        ACCESS::session data set session.ad.last.attr.shortlist "$short_list"
        log local0. "ShortList: [ACCESS::session data get session.ad.last.attr.shortlist]"
    }
}
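The partitioning the post asks about, written as an added example in plain Tcl so it runs under tclsh; this is not code from the original post or from F5. It assumes the memberOf value has the same "|"-joined DN form the iRule above splits, and it stands in for the `ACCESS::session data get`/`set` calls with a constructed sample string and a returned pair of lists. The useful property is that `switch -glob` patterns are anchored at the start of the string, so `CN=Kaltura*` cannot match a `CN=ADMINKaltura...` entry and an ordinary Kaltura. member can never end up in the Role list; groups outside both prefixes are dropped rather than forwarded to the SP.

```tcl
# Added example (not from the original post): split an AD memberOf string into
# the groups to send as MemberOf (CN=Kaltura.*) and the groups to send as Role
# (CN=ADMINKaltura.*). In an iRule the input would come from
#   [ACCESS::session data get session.ad.last.attr.memberOf]
# and each returned list would be stored with ACCESS::session data set; here a
# constructed sample is used so the proc runs under plain tclsh. Only basic Tcl
# commands are used so the body can be pasted into the iRule as-is.

proc partition_groups {memberOf {default_group "ORT All Users"}} {
    set short_list [list]   ;# values to release as MemberOf
    set role_list  [list]   ;# values to release as Role

    foreach some_group [split $memberOf "|"] {
        # Trim whitespace so the match does not depend on the leading space
        # the original rule had to encode in its " CN=Kaltura*" pattern.
        set some_group [string trim $some_group]

        # Glob patterns are anchored at the start of the string, so the two
        # prefixes are disjoint: "CN=Kaltura*" never matches "CN=ADMINKaltura...".
        switch -glob -- $some_group {
            "CN=ADMINKaltura*" {
                if {[regexp {^CN=([^,]+)} $some_group -> CNValue]} {
                    lappend role_list $CNValue
                }
            }
            "CN=Kaltura*" {
                if {[regexp {^CN=([^,]+)} $some_group -> CNValue]} {
                    lappend short_list $CNValue
                }
            }
            default {
                # Any other group is deliberately not forwarded to the SP.
            }
        }
    }

    # Same fallback as the original rule: an empty MemberOf list becomes the
    # default group. The Role list is left empty when no ADMIN group matched.
    if {[llength $short_list] == 0} {
        lappend short_list $default_group
    }
    return [list $short_list $role_list]
}

# Constructed sample in the "|"-joined DN form the session variable uses.
set sample "CN=Kaltura.Students,OU=Groups,DC=example,DC=org| CN=ADMINKaltura.SiteAdmins,OU=Groups,DC=example,DC=org| CN=Domain Users,CN=Users,DC=example,DC=org"

set result [partition_groups $sample]
puts "MemberOf: [lindex $result 0]"
puts "Role:     [lindex $result 1]"
```

With the sample above the MemberOf list holds only `Kaltura.Students` and the Role list only `ADMINKaltura.SiteAdmins`; the unrelated `Domain Users` entry is never released. In the iRule, the two lists would be written to two separate session variables (for example the existing `session.ad.last.attr.shortlist` plus a second variable for the role values) so the SAML resource can map each one to its own assertion attribute.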
