Lab 2.5 - Creating an APM Policy - LDAP ------------------------------------------------ PUA requires a Directory Service to authenticate users. In this section you will build an LDAP macro to perform the authentication function. Task - Build an LDAP macro ~~~~~~~~~~~~~~~~~~~~~~~~~~ .. note:: This lab makes use of APM macros to make policies easy to view and manage. The LDAP macro will verify that the requesting user has a valid account and the appropriate group permission. #. Click the **Add New Macro** button |image30| #. Give the macro a **name** and click **Save** |image31| #. Open the newly created macro by clicking the plus sign by the name: **Macro: LDAP_Query** |image32| #. Modify the macro by clicking the plus sign |image33| #. Select the **Authentication** tab, select the **LDAP Query** agent, and then click **Add Item** |image34| #. Update the **Properties** tab by modifying the **Server**, **SearchDN**, **SearchFilter**, and **Fetch Groups** settings - Server = **/Common/prebuilt-f5lab.local** - SearchDN = **DC=f5lab,DC=local** - SearchFilter = **UserPrincipalName=%{session.custom.ephemeral.upn}** - Fetch groups to which the user or group belong = **Direct** |image35| #. Click on the **Branch Rules** tab. Next, delete the branch rule by clicking **X** button beside **User Group Membership** |image36| #. Click **Add Branch Rule** |image37| #. Enter **LDAP Passed** in the **Name** field and click the **Change** link |image38| #. Click the **Add Expression** button |image39| #. Change the **Context** setting to **LDAP Query** and the **Condition** setting to **LDAP Query Passed**. Ensure that **LDAP Query has** is set to **Passed**. Then click **Add Expression** |image130| #. Click **Finish**, and then click **Save** |image131| #. Now add a **Message Box** agent to alert when the LDAP query fails. Click on the plus sign on the **fallback** branch (between the **LDAP Query** and the **Out** terminal) |image132| #. Select the **General Purpose** tab, then select **Message Box** in the main section, and click the **Add Item** button |image133| #. Enter the following values for the message box agent, then click **Save** .. code-block:: console Name: LDAP Failure Message: LDAP Failure for user %{UserPrincipalName} |image134| #. Click the **Edit Terminals** button to change the terminals to report Success and Failure |image136| #. Change the Name from **Out** to **Success**, and then click the **Add Terminal** button |image137| #. Change the name from **Terminal 1** to **Failure**, and then click on **Save** |image138| #. Click the **Success** terminal beside the **LDAP Failure** action branch |image139| #. Change the setting from **Success** to **Failure**, and click **Save** |image230| .. note:: Here is the completed macro. |image135| .. |image30| image:: /_static/module2/image030.png .. |image31| image:: /_static/module2/image031.png .. |image32| image:: /_static/module2/image032.png .. |image33| image:: /_static/module2/image033.png .. |image34| image:: /_static/module2/image034.png .. |image35| image:: /_static/module2/image035.png .. |image36| image:: /_static/module2/image036.png .. |image37| image:: /_static/module2/image037.png .. |image38| image:: /_static/module2/image038.png .. |image39| image:: /_static/module2/image039.png .. |image130| image:: /_static/module2/image130.png .. |image131| image:: /_static/module2/image131.png .. |image132| image:: /_static/module2/image132.png .. |image133| image:: /_static/module2/image133.png .. |image134| image:: /_static/module2/image134.png .. |image135| image:: /_static/module2/image135.png .. |image136| image:: /_static/module2/image136.png .. |image137| image:: /_static/module2/image137.png .. |image138| image:: /_static/module2/image138.png .. |image139| image:: /_static/module2/image139.png .. |image230| image:: /_static/module2/image230.png