Forum Discussion

M_Petr's avatar
M_Petr
Icon for Altostratus rankAltostratus
Sep 05, 2019

AD MemberOF

Hi everyone, Please answer me a question and explain:

 

Is it possible to change to what URL it is forwarding on request to f5 depending on the user's membership in the AD group?

 

Thanks!

  • Hello, if the AD auth or AD query fails the session variable for memberOf will not be populated. In the AAA server object do you have an Administrator account configured? Are you sure the credentials for the user (or admin account in the AAA configuration) are correct?

  • Hi Petr,

     

    Yes you can do It using APM following this steps:

     

    You have to create a policy per session policy and of course a per request session in order to check each request (URI).

    The per request policy let your analyse every user request...

     

    Let me know if you need more details.

    regards

    • M_Petr's avatar
      M_Petr
      Icon for Altostratus rankAltostratus

      Hi, I have a problem.

      When I add :

      • Logon page
      • AD auth

      It's OK! Authentication is successed.

      But if I add

      • Logon page
      • AD auth
      • AD query with (expr { [mcget {session.ad.last.attr.memberOf}] contains "CN=GroupPod1" })

      I get a message -

      "AD module: query with '(sAMAccountName=userpod1)' failed: Preauthentication failed, principal name: ldap_user@CORP.AVALIS.CO.UA. Invalid user credentials. (-1765328360)"

      And I dont see {session.ad.last.attr.memberOf} in the REPORTS.

       

      What do you think?

      Thanks!

       

  • Hello, if the AD auth or AD query fails the session variable for memberOf will not be populated. In the AAA server object do you have an Administrator account configured? Are you sure the credentials for the user (or admin account in the AAA configuration) are correct?

    • M_Petr's avatar
      M_Petr
      Icon for Altostratus rankAltostratus

      Thank you, the Administrator account is configured incorrectly.