Forum Discussion
You can use Tcl in a Variable Assign (VPE) to make this work.
Some more info on splitting.
- Stanislas_Piro2 (Cumulonimbus)
Hi,
you can use this code (as the custom expression assigned to session.ad.last.attr.memberOfLite):

```tcl
# Variable Assign: custom expression for session.ad.last.attr.memberOfLite
if { [info exists groups] } { unset groups }
# memberOf is stored as a "|"-delimited string, so split on "|" rather than
# looping over the raw string as a Tcl list (which would break on spaces)
foreach value [split [mcget {session.ad.last.attr.memberOf}] "|"] {
    # only keep entries where a CN= component was actually found
    if { [regexp {(CN=[^,]+)} [string trim $value] CNFull CNValue] } {
        lappend groups $CNValue
    }
}
return $groups
```
- JG (Cumulonimbus)
Stanislas' code works with spaces in the CN; I have just tested it with tclsh. If you are running v11.6.1, there is an issue "512130-4 : Remote role group authentication fails with a space in LDAP attribute group name", which HF2, released just this weekend, addresses. See its release notes.
- brad_11480 (Nimbostratus)
This seems like it might address the issue I'm trying to solve.
I set up SAML/SSO and they want me to provide the list of AD groups, so I'm sending them the session.ad.last.attr.memberOf array in the response.
But this contains much, much more than the service provider needs or probably should be shared with them.
It looks like this code will go through each entry of the array and create a modified result. So if I add a check to see whether it matches the type of membership string they are looking for, I could limit it to only those?!
I think it would be better if the AD request could be filtered to only return those items to me, and if that is possible it would be preferred, but I haven't found anything to do that type of operation (and would be grateful if there is someone who knows of one).
Basically I want to return a modified result which is the same as the session.ad.last.attr.memberOf array with only the array members that match. Any ideas? Go! (and thanks).
- brad_11480 (Nimbostratus)
Figured out a good method for a filtered list:

```tcl
set list "|"
foreach element [split [mcget {session.ad.last.attr.memberOf}] "|"] {
    # "contains" is the F5 substring operator available in APM expressions
    if { $element contains "XYZ" } {
        append list "$element | "
    }
}
return $list
```

Returns all groups that contain the string XYZ. Now adding some of the logic above to limit the return to only the CN= of each group entry:

```tcl
set list "|"
foreach element [split [mcget {session.ad.last.attr.memberOf}] "|"] {
    # only act on entries where a CN was actually found, so a stale
    # CNValue from a previous iteration cannot leak through
    if { [regexp {CN=([^,]+)} $element CNFull CNValue] } {
        if { $CNValue contains "IS&T" } {
            append list " $CNFull |"
        }
    }
}
return $list
```

(or append $CNValue if the CN= isn't wanted/needed in the resulting list).
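As an added example (not code from this thread), the same memberOf trimming done against an allow-list of exact group CNs instead of a substring test, so a filter for "XYZ" cannot also release "NotXYZ" to the service provider; it runs in plain tclsh. The proc names filter_groups and dn_cn, the allow-list and the sample memberOf string are all mine and constructed; inside an APM Variable Assign you would pass [mcget {session.ad.last.attr.memberOf}] to filter_groups and return its result.

```tcl
# Added example: release only allow-listed AD groups from an APM-style
# "|"-delimited memberOf string. Written for Tcl 8.4-era syntax so it also
# fits the APM expression interpreter (no lmap / in / ni).

# Extract the CN value of one DN; handles LDAP-escaped commas (\,).
proc dn_cn {dn} {
    if { [regexp {^\s*CN=((?:\\.|[^,\\])*)} $dn -> cn] } {
        return [string map {{\,} , {\\} \\} $cn]
    }
    return ""
}

# Keep only DNs whose CN is on the allow-list (exact, case-insensitive
# match, not a substring test). Returns the survivors joined with " | ",
# the same layout APM uses for a multi-valued attribute.
proc filter_groups {memberOf allowed} {
    set keep {}
    set allowedLower {}
    foreach g $allowed { lappend allowedLower [string tolower $g] }
    foreach dn [split $memberOf "|"] {
        set dn [string trim $dn]
        set cn [string tolower [dn_cn $dn]]
        if { $cn eq "" } { continue }
        if { [lsearch -exact $allowedLower $cn] < 0 } { continue }
        if { [lsearch -exact $keep $dn] >= 0 } { continue }
        lappend keep $dn
    }
    return [join $keep " | "]
}

# Constructed sample data (placeholder domain) standing in for
# [mcget {session.ad.last.attr.memberOf}]: one allowed group, one with a
# space in its CN, one that merely contains "XYZ", one with an escaped comma.
set sampleMemberOf "CN=XYZ-Admins,OU=Groups,DC=example,DC=com | CN=Domain Users,CN=Users,DC=example,DC=com | CN=NotXYZ,OU=Groups,DC=example,DC=com | CN=Smith\\, John Team,OU=Groups,DC=example,DC=com"

# The allow-list the service provider actually needs to see.
set allowed [list "XYZ-Admins" "Smith, John Team"]

puts [filter_groups $sampleMemberOf $allowed]
```

Only the XYZ-Admins and "Smith\, John Team" DNs survive; Domain Users and NotXYZ are dropped even though the latter contains the substring XYZ.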