iRule help needed
We have an iRule that will only send a group starting with the name Kaltura. for our SAML setup. They have now decided they want to add role-based authentication; however, it has to have a different attribute. We currently use the AD attribute MemberOf, which has all groups. What we are hoping to do is to send the Kaltura. groups through as MemberOf but send ADMINKaltura. through as "Role". Since both are MemberOf attributes, the dilemma is how to send ADMINKaltura. as Role. Here is the current iRule.
when ACCESS_POLICY_AGENT_EVENT {
    if { [ACCESS::policy agent_id] eq "extract_cn" } {
        set default_group "ORT All Users"
        # short_list is where we will store the abbreviated list of groups
        set short_list [list]
        set groups [ACCESS::session data get session.ad.last.attr.memberOf]
        log local0. "Original groups: $groups"

        foreach some_group [split $groups "|"] {
            log local0. "Evaluating CN: $some_group"
            # take notice of the leading spaces of the CN match..
            switch -glob -- $some_group {
                " CN=Kaltura*" {
                    # extract the CN value (everything between "CN=" and the first comma)
                    regexp {CN=([^,]+)} $some_group CNFull CNValue
                    log local0. "Adding to short_list: --$some_group"
                    log local0. "FULL: $CNFull Value: $CNValue"
                    lappend short_list $CNValue
                    unset CNFull
                    unset CNValue
                }
                default {
                    log local0. "No group found.."
                }
            }
        }

        if { [llength $short_list] == 0 } {
            lappend short_list $default_group
            log local0. "Using default $default_group"
        }

        ACCESS::session data set session.ad.last.attr.shortlist "$short_list"
        log local0. "ShortList: [ACCESS::session data get session.ad.last.attr.shortlist]"
    }
}
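An added example, not the original poster's iRule and not F5's own code, showing one way to split the single memberOf value on the CN text rather than on the AD attribute: CNs starting with Kaltura. go to the existing shortlist session variable (mapped to MemberOf), and CNs starting with ADMINKaltura. go to a second session variable that the SAML attribute configuration can map to Role. The agent_id "extract_cn" and the shortlist variable are taken from the post; the variable name session.ad.last.attr.role, the use of string trim in place of the leading-space glob, and keeping the full CN (no stripping of the ADMIN prefix) as the Role value are assumptions.

```tcl
# Added example (not the original iRule). Routes two CN prefixes that both
# arrive in the AD memberOf attribute into two separate session variables:
#   session.ad.last.attr.shortlist -> MemberOf  (CN=Kaltura.*)
#   session.ad.last.attr.role      -> Role      (CN=ADMINKaltura.*)   [assumed name]
when ACCESS_POLICY_AGENT_EVENT {
    if { [ACCESS::policy agent_id] eq "extract_cn" } {
        set default_group "ORT All Users"
        set short_list [list]
        set role_list  [list]
        set groups [ACCESS::session data get session.ad.last.attr.memberOf]
        log local0. "Original groups: $groups"

        foreach some_group [split $groups "|"] {
            # APM pads the "|"-delimited values with spaces; trimming them makes
            # the match independent of where the padding lands.
            set some_group [string trim $some_group]
            if { $some_group eq "" } { continue }

            # Keep only the CN value: everything after "CN=" up to the first comma.
            if { ![regexp {^CN=([^,]+)} $some_group -> cn_value] } {
                log local0. "Skipping non-DN entry: $some_group"
                continue
            }

            # Glob patterns are anchored at the start, so "Kaltura.*" can never
            # match a CN that begins with "ADMINKaltura." and the branches do not overlap.
            switch -glob -- $cn_value {
                "ADMINKaltura.*" {
                    log local0. "Adding to role_list: $cn_value"
                    lappend role_list $cn_value
                }
                "Kaltura.*" {
                    log local0. "Adding to short_list: $cn_value"
                    lappend short_list $cn_value
                }
                default {
                    log local0. "Ignoring group: $cn_value"
                }
            }
        }

        # Same fallback as the original: no Kaltura group means the default group.
        if { [llength $short_list] == 0 } {
            lappend short_list $default_group
            log local0. "Using default $default_group"
        }

        # Stored in the same string form the original uses for shortlist; the
        # SAML IdP attribute settings then map each variable to its own attribute.
        ACCESS::session data set session.ad.last.attr.shortlist "$short_list"
        ACCESS::session data set session.ad.last.attr.role "$role_list"

        log local0. "ShortList: [ACCESS::session data get session.ad.last.attr.shortlist]"
        log local0. "Role: [ACCESS::session data get session.ad.last.attr.role]"
    }
}
```

With this in place the SAML side still needs a second attribute entry (Role) that reads the new session variable, alongside the existing MemberOf entry that reads shortlist; the iRule only decides which session variable each CN ends up in. Because the split is made on the CN text, a group whose CN merely contains "Kaltura" elsewhere in the name is ignored, which is the same behaviour the original anchored glob already has.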