How to keep only the value of "CN" part in session.ldap.last.attr.memberOf

Question

Hi all,&nbsp;
I have been reading around here on devcentral and I did found some articles which I tried out , but I can't get this to work.
We have an ldap server which responds with group names, and we only want to keep the value of the first CN.
I have followed the article below, but when it runs, all I get is "Rule evaluation failed with error: can't read "Groups": no such variable". &nbsp;
Ref.: https://devcentral.f5.com/questions/how-to-get-group-name-cn-from-sessionadlastattrmemberof-51188&nbsp;
| CN=123456789,ou=customers,ou=Groups,dc=example,dc=com | CN=webapp,ou=applications,ou=Groups,dc=example,dc=com |&nbsp;
In the example above, I only want to keep the value of the first CN (123456789), and save that value to variable (which in turn I will use in a header for the backend). The CN value is different for each user.&nbsp;

stanislas_piro2 · Answer

Look at this article:
https://devcentral.f5.com/codeshare/apm-variable-assign-examples-1107
use this variable assign:
set group_name[split [lindex [mcget {session.ldap.last.attr.memberOf}] 0] ",="]; 
foreach {name value} $group_name{
    if {[string trim $name] equals "CN"} { 
        return [string trim $value]; 
    } 
}

kai_wilke · Answer

Hi Jim,
if your CN values MAY contain escaped comma signs (aka. $1 sequence), then use one of the code snippet(s) below. The snippet(s) will check for those escaped comma signs and take care of them...
Short but difficult to understand snipped:
set group_string [mcget "session.ldap.last.attr.memberOf "] ;
if { $group_string contains "\," } then {
    return [string map { "" "\," } [string range [set escaped_group_string [string map { "\," "" } $group_string]] [expr { [string first "CN=" $escaped_group_string] + 3 }] [expr { [string first "," $escaped_group_string] -1 }]]] ;
} else {
    return [string range $group_string [expr { [string first "CN=" $group_string] + 3 }] [expr { [string first "," $group_string] -1 }]] ;
} ;

Long but easy to understand snipped:
set group_string [mcget "session.ldap.last.attr.memberOf "] ;
if { $group_string contains "\," } then {
    set escaped_group_string [string map { "\," "" } $group_string];
    set string_start [expr { [string first "CN=" $escaped_group_string] + 3 }] ;
    set string_stop [expr { [string first "," $escaped_group_string] -1 }] ;
    set escaped_result_string [string range $escaped_group_string $string_start $string_stop] ;
    set result_string [string map { "" "\," } $escaped_result_string] ;
    return $result_string ;
} else {
    set string_start [expr { [string first "CN=" $group_string] + 3 }] ;
    set string_stop [expr { [string first "," $group_string] -1 }] ;
    set result_string [string range $group_string $string_start $string_stop] ;
    return $result_string ;
} ;

Cheers, Kai

Forum Discussion

How to keep only the value of "CN" part in session.ldap.last.attr.memberOf

2 Replies

Recent Discussions

import live updates from version x to version y

Tenant image upgrade

iRule editor partition button does not work

F5Access | MacOS Sonoma

Overwriting or adding LTM SSL Traffic cert and key using iControlREST

Related Content

Parsing F5 BIG-IP LTM DNS profile statistics and extracting values with Python

iRule HTML Maintenance Page insert URI Value

iRule Checking for No Value

Parameter Value - Regular Expression

APM & Azure AD Oauth : using JWT values