11.5.1 to 11.6.0 HF 4 - APM - Failing Active Directory Query
In moving from 11.5.1 to 11.6.0 HF4 I've come to find that my APM Active Directory query has broken. The SearchFilter I'm creating is based upon the Subject of a client PKI certificate which is then parsed and the AD search filter is then dynamically generated. This was allowing for Active Directory accounts which had certificates mapped to them to be matched up against the certificate that the user supplied and then Kerberos authentication was used.
As background, the client certificate is grabbed on another Authentication VIP where session table entries are created containing the user's certificate info. This APM Profile uses those session table entries and so doesn't have direct access to the user's certificate.
For example a user supplies a certificate with the following data when they connect:
Certificate Subject
CN = cn-value1
OU = ou-value1
OU = ou-value2
OU = ou-value3
O = o-value1
C = c-value1
An APM iRule Event is triggered which parses the subject information of the user's cert and sets the APM session variable session.custom.ldapsearchuserCert:
session.custom.ldapsearchuserCert = (&(userCertificate=*cn-value1*)(userCertificate=*ou-value1*)(userCertificate=*ou-value2*)(userCertificate=*ou-value3*)(userCertificate=*o-value1*)(userCertificate=*c-value1*)(objectClass=user)(objectCategory=person))
APM Active Directory Query:
SearchFilter is set to %{session.custom.ldapsearchuserCert}
I have validated that the APM session variable is as expected. Looking in /var/log/apm I see errors indicating an invalid search filter and this is what it logs:
AD module: query with '\28&\28userCertificate=\2acn-value1\2a\29\28userCertificate=\2aou-value1\2a\29\28userCertificate=\2aou-value2\2a\29\28userCertificate=\2aou-value3\2a\29\28userCertificate=\2ao-value1\2a\29\28userCertificate=\2ac-value1\2a\29\28objectClass=user\29\28objectCategory=person\29\29' failed: Bad search filter
So it looks like APM is now doing some conversions on the string before making the query. Is there an easy fix to this?
Thanks
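
Added example, not part of the original post: the logged query string is exactly what RFC 4515 value escaping produces when it is applied to the whole filter instead of only to the certificate-derived values. The Python below reproduces that with the post's placeholder subject values; the function names are hypothetical, the "Smith (Contractor)" value is constructed, and nothing here models APM's internal code.

```python
# Added illustration: RFC 4515 escaping of values vs. of the entire filter.
# SUBJECT holds the placeholder subject components shown in the post.
SUBJECT = [("CN", "cn-value1"), ("OU", "ou-value1"), ("OU", "ou-value2"),
           ("OU", "ou-value3"), ("O", "o-value1"), ("C", "c-value1")]

# RFC 4515 section 3: these characters are written as \XX inside a value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29",
            "\x00": r"\00"}


def escape_value(text):
    """Escape a string for use as an LDAP assertion value."""
    return "".join(_ESCAPES.get(ch, ch) for ch in text)


def build_filter(subject):
    """Build the post's filter, escaping only the untrusted values."""
    terms = ["(userCertificate=*%s*)" % escape_value(value)
             for _attr, value in subject]
    terms += ["(objectClass=user)", "(objectCategory=person)"]
    return "(&" + "".join(terms) + ")"


def is_wellformed(ldap_filter):
    """Structural check: starts with '(' and unescaped parens balance."""
    if not (ldap_filter.startswith("(") and ldap_filter.endswith(")")):
        return False
    depth, i = 0, 0
    while i < len(ldap_filter):
        ch = ldap_filter[i]
        if ch == "\\":          # skip an escaped \XX triplet
            i += 3
            continue
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                return False
        i += 1
    return depth == 0


if __name__ == "__main__":
    good = build_filter(SUBJECT)
    print(good, is_wellformed(good))
    # Escaping the finished filter turns its syntax into literal text.
    print(escape_value(good), is_wellformed(escape_value(good)))
```

Escaping each value before it is placed in the filter keeps the structural parentheses, `&` and wildcards intact, while a second pass over the finished string removes all filter syntax, which is the shape of string the directory rejects in the log line above.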