Mike_Ho
Sep 02, 2008

Dynamic group mapping via LDAP groups AND URI landings

I want to offer several service levels on my Firepass. In fact I currently do, but each to a different audience. I currently define levels of service with Master Groups linked to the specific resource groups they are related to. I now want users to access a given resource group by using landing URIs. An example:

Customer Bob connects to https://mysite/vpn and a master group mapping entry (the first in the list) identifies that Bob is in the LDAP group allowing access to the master group configured to allow access on the URI landing /vpn.

I ALSO want Bob to be able to connect to https://mysite/ and be served a webmail webtop, even though he is authorized to obtain more privilege if he connects via the /vpn landing, and this doesn't work for me.

At first I assumed (hoped) that by defining a master group for the VPN access and then relying on a fallback master group setting to provide the webmail webtop, everything would work OK. It doesn't seem to work that way. When I do an LDAP (group object) lookup in the master group mapping table it does not appear to take the landing URI into consideration until after the group has been mapped, and then the group says "hey, I'm only accessible from the /vpn landing and that's not what this user requested."

It seems that for me one solution would be to have a master group mapping composed of LDAP (group object) AND URI Landing. That way I could say user Alice on landing /vpn gets this master group, whereas Alice on landing / gets this other master group.

I am probably missing another way to configure what I'm looking for and I just haven't found it yet. Ideas?

I did see that I can configure a resource mapping table in the master group configuration, but I don't see a way to launch a webtop based on a given resource mapping like you can with master group web application intranet webtop mappings.

Firepass 6.0.2

2 Replies

  • Hey Mike,

    I think the solution you have is the only one to use. Please let me explain... you absolutely need to use Dynamic Master Group mapping based on Landing URI (as the Mapping Method) so you can say if anyone goes to /vpn then go to Master Group A, anyone who goes to /ssl goes to Master Group B, and so forth.

    The problem you have is what happens when they go to the root of the Web Server (/). In this case your mapping based on Landing URIs won't work because you potentially have different Master Groups that can access the base URI of the web server, so you need to map them more intelligently than just using the landing URI. So in this case you can do your LDAP group lookups. However, I would structure it such that in your Master Group Mapping table I would set the landing URI matches first and then the LDAP matches last.

    Perhaps there are session variables you can use to map Master Groups based on? I had a previous customer where we ran a Prelogon Sequence that checked for a machine certificate (specific to corporate laptops). Then what we did was set up Dynamic Master Group mapping to use session variables, and if the session variable showed the presence of the machine cert they got mapped to the Master Group for corporate users, otherwise they got mapped to the Master Group for guests. Could you use a similar design?

    Yep... in 6.0.1 and earlier you had to map users to Master Groups using a Global Master Group Mapping table and Resource Groups to Master Groups also using a Global Resource Group Mapping table. In 6.0.2, F5 introduced the ability for each Master Group to have its own Resource Group mapping method and table, which is SOOOOOOO much better!!! This way all you need to do is configure your Master Group mapping and then configure all your Resource Group settings/mappings within the specific Master Group. You just need to enable Step 3 for Resource Group Mapping under Users -> Groups -> Dynamic Group Mapping -> Group Mapping Sequence (tab) in the "Resource Groups Mapping Sequence" and turn off Step 1 in this section.

    The final thing is you need to enable the checkbox "Allow resource groups to be assigned using dynamic resource group mapping configured in this master group." on the General tab of each of the Master Groups that you want to run Resource Group mapping within.

    Hope this helps you out!

    Cheers,

    Mal
  • Mal, thank you once again for a very helpful and informed response!
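The ordering problem in this thread (an LDAP-group row matching before the landing URI is considered, so the mapped master group then refuses the session) and Mal's advice to put landing-URI rows first and LDAP rows last can be reproduced with a small first-match model. The code below is an added illustration, not FirePass's mapping engine and not code from Mike, Mal or F5: the user directory, group DN, master group names, webtop names and the "mapped, then refused" behaviour are constructed assumptions chosen to mirror what the posts describe.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed stand-in for the LDAP directory (user -> group DNs); the DN is hypothetical.
VPN_GROUP = "cn=vpn-users,ou=groups,dc=example,dc=com"
DIRECTORY = {
    "bob": frozenset({VPN_GROUP}),
    "alice": frozenset(),
}


@dataclass(frozen=True)
class Session:
    user: str
    landing_uri: str
    ldap_groups: frozenset


@dataclass(frozen=True)
class MappingRule:
    """One row of a master group mapping table.

    Either condition may be None (unconstrained). A row that sets both is the
    'LDAP group AND landing URI' rule the question asks for.
    """
    master_group: str
    landing_uri: Optional[str] = None
    ldap_group: Optional[str] = None

    def matches(self, s: Session) -> bool:
        if self.landing_uri is not None and s.landing_uri != self.landing_uri:
            return False
        if self.ldap_group is not None and self.ldap_group not in s.ldap_groups:
            return False
        return True


@dataclass(frozen=True)
class MasterGroup:
    name: str
    webtop: str
    # None = reachable from any landing URI; otherwise an allow-list of landings.
    allowed_landing_uris: Optional[frozenset] = None


MASTER_GROUPS = {
    "vpn-users": MasterGroup("vpn-users", "full-vpn", frozenset({"/vpn"})),
    "webmail": MasterGroup("webmail", "webmail"),
    "guest": MasterGroup("guest", "guest"),
}

# Order A: LDAP lookup first (the configuration that failed in the question).
LDAP_FIRST = (
    MappingRule("vpn-users", ldap_group=VPN_GROUP),
    MappingRule("webmail", landing_uri="/"),
)

# Order B: landing-URI rows first, LDAP-only row last (the reply's advice).
LANDING_FIRST = (
    MappingRule("vpn-users", landing_uri="/vpn", ldap_group=VPN_GROUP),
    MappingRule("webmail", landing_uri="/"),
    MappingRule("vpn-users", ldap_group=VPN_GROUP),
)


def map_master_group(session: Session, table, fallback: str = "guest") -> Optional[str]:
    """First-match evaluation of an ordered mapping table.

    Once a row matches, the chosen master group's own landing-URI restriction is
    checked. A mismatch returns None ("mapped, then refused") instead of falling
    through to later rows, which is the behaviour the question describes.
    """
    for rule in table:
        if not rule.matches(session):
            continue
        mg = MASTER_GROUPS[rule.master_group]
        if mg.allowed_landing_uris is not None and session.landing_uri not in mg.allowed_landing_uris:
            return None
        return mg.name
    return fallback


def resolve(table, user: str, landing_uri: str) -> Optional[str]:
    """Look the user up in the constructed directory and map the session."""
    session = Session(user, landing_uri, DIRECTORY.get(user, frozenset()))
    return map_master_group(session, table)


if __name__ == "__main__":
    for table_name, table in (("LDAP first", LDAP_FIRST), ("landing first", LANDING_FIRST)):
        for user, uri in (("bob", "/vpn"), ("bob", "/"), ("alice", "/vpn")):
            print(f"{table_name:13} {user:6} {uri:5} -> {resolve(table, user, uri)}")
```

With the LDAP row first, Bob landing on / is mapped to the VPN master group and then refused, which is the symptom in the question; with the landing-URI rows first, the same Bob gets the webmail group on / and the VPN group on /vpn, and a user outside the LDAP group falls through to the fallback.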