Lab 2.5 - Creating an APM Policy - LDAP

PUA requires a Directory Service to authenticate users. In this section you will build an LDAP macro to perform the authentication function.

Task - Build an LDAP macro

Note

This lab makes use of APM macros to make policies easy to view and manage.

The LDAP macro will verify that the requesting user has a valid account and the appropriate group permission.

  1. Click the Add New Macro button

    image30

  2. Give the macro a name and click Save

    image31

  3. Open the newly created macro by clicking the plus sign by the name: Macro: LDAP_Query

    image32

  4. Modify the macro by clicking the plus sign

    image33

  5. Select the Authentication tab, select the LDAP Query agent, and then click Add Item

    image34

  6. Update the Properties tab by modifying the Server, SearchDN, SearchFilter, and Fetch Groups settings

    • Server = /Common/prebuilt-f5lab.local
    • SearchDN = DC=f5lab,DC=local
    • SearchFilter = UserPrincipalName=%{session.custom.ephemeral.upn}
    • Fetch groups to which the user or group belong = Direct

    image35

  7. Click on the Branch Rules tab. Next, delete the existing branch rule by clicking the X button beside User Group Membership

    image36

  8. Click Add Branch Rule

    image37

  9. Enter LDAP Passed in the Name field and click the Change link

    image38

  10. Click the Add Expression button

    image39

  11. Change the Context setting to LDAP Query and the Condition setting to LDAP Query Passed. Ensure that the LDAP Query has field is set to Passed. Then click Add Expression

    image130

  12. Click Finish, and then click Save

    image131

  13. Now add a Message Box agent to alert when the LDAP query fails. Click on the plus sign on the fallback branch (between the LDAP Query and the Out terminal)

    image132

  14. Select the General Purpose tab, then select Message Box in the main section, and click the Add Item button

    image133

  15. Enter the following values for the message box agent, then click Save

    • Name = LDAP Failure
    • Message = LDAP Failure for user %{UserPrincipalName}

    image134

  16. Click the Edit Terminals button to change the terminals to report Success and Failure

    image136

  17. Change the Name from Out to Success, and then click the Add Terminal button

    image137

  18. Change the name from Terminal 1 to Failure, and then click on Save

    image138

  19. Click the Success terminal beside the LDAP Failure action branch

    image139

  20. Change the setting from Success to Failure, and click Save

    image230

Note

Here is the completed macro.

image135
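The following is an added, constructed model of what the finished macro does end to end: expand the session variable into the SearchFilter, search under the SearchDN, fetch the user's Direct groups, and branch to the Success terminal on a hit or through the Message Box to the Failure terminal on a miss. It is not F5 code and does not talk to prebuilt-f5lab.local; the in-memory directory, the user and group entries, and the RFC 4515 escaping of the session value are this example's own assumptions, added so you can see why a filter value that is allowed to carry an unescaped `*` matches the wrong entry.

```python
"""Model of the LDAP_Query macro built in this lab (constructed example, not F5 code)."""
import re

# Values from the lab's Properties tab and Message Box agent.
SEARCH_DN = "DC=f5lab,DC=local"
SEARCH_FILTER = "UserPrincipalName=%{session.custom.ephemeral.upn}"
FAILURE_MESSAGE = "LDAP Failure for user %{UserPrincipalName}"

# Constructed directory standing in for prebuilt-f5lab.local (assumption).
# Attribute names are stored lower-case because LDAP attribute names are case-insensitive.
DIRECTORY = {
    "CN=alice,CN=Users,DC=f5lab,DC=local": {
        "userprincipalname": "alice@f5lab.local",
        "memberof": ["CN=PUA-Admins,CN=Groups,DC=f5lab,DC=local"],
    },
    "CN=PUA-Admins,CN=Groups,DC=f5lab,DC=local": {
        "memberof": ["CN=All-Staff,CN=Groups,DC=f5lab,DC=local"],
    },
    "CN=bob,CN=Users,DC=f5lab,DC=local": {
        "userprincipalname": "bob@f5lab.local",
        "memberof": [],
    },
}

_RFC4515 = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}


def escape_filter_value(value):
    """RFC 4515 escaping so a session value cannot act as filter syntax."""
    return "".join(_RFC4515.get(ch, ch) for ch in value)


def render_template(template, variables, escape=True):
    """Expand %{name} references the way the agent's SearchFilter and Message do.
    Escaping here is this example's defensive choice, not a statement about APM."""
    def sub(m):
        value = variables.get(m.group(1), "")
        return escape_filter_value(value) if escape else value
    return re.sub(r"%\{([^}]+)\}", sub, template)


def _value_pattern(raw):
    """Compile a filter value: an unescaped '*' is a wildcard, '\\xx' is a literal byte."""
    parts = []
    for hexbyte, star, literal in re.findall(r"\\([0-9a-fA-F]{2})|(\*)|([^\\*]+)", raw):
        if hexbyte:
            parts.append(re.escape(chr(int(hexbyte, 16))))
        elif star:
            parts.append(".*")
        else:
            parts.append(re.escape(literal))
    return re.compile("".join(parts), re.IGNORECASE)


def fetch_groups(dn, mode):
    """'Direct' returns the entry's memberOf only; 'Nested' walks parent groups too."""
    direct = list(DIRECTORY.get(dn, {}).get("memberof", []))
    if mode == "Direct":
        return direct
    seen, queue = [], direct[:]
    while queue:
        group = queue.pop(0)
        if group not in seen:
            seen.append(group)
            queue.extend(DIRECTORY.get(group, {}).get("memberof", []))
    return seen


def ldap_query(search_dn, search_filter, fetch="Direct"):
    """Search under search_dn with a single equality filter 'attr=value'."""
    attr, _, raw = search_filter.partition("=")
    if raw == "":
        return {"passed": False, "dn": None, "groups": []}
    pattern = _value_pattern(raw)
    for dn, attrs in DIRECTORY.items():
        if not dn.lower().endswith(search_dn.lower()):
            continue
        value = attrs.get(attr.lower())
        if value is not None and pattern.fullmatch(value):
            return {"passed": True, "dn": dn, "groups": fetch_groups(dn, fetch)}
    return {"passed": False, "dn": None, "groups": []}


def run_macro(session):
    """Emulate the branch rule and terminals: LDAP Passed -> Success,
    fallback -> Message Box -> Failure."""
    upn = session.get("session.custom.ephemeral.upn", "")
    result = ldap_query(SEARCH_DN, render_template(SEARCH_FILTER, session), "Direct")
    if result["passed"]:
        return {"terminal": "Success", "message": None, "groups": result["groups"]}
    # Assumption: the message box resolves %{UserPrincipalName} to the same UPN.
    msg = render_template(FAILURE_MESSAGE, {"UserPrincipalName": upn}, escape=False)
    return {"terminal": "Failure", "message": msg, "groups": []}


if __name__ == "__main__":
    for upn in ("alice@f5lab.local", "nobody@f5lab.local", "*"):
        print(upn, "->", run_macro({"session.custom.ephemeral.upn": upn}))
```

Run it as-is to see the three branches; `ldap_query` called directly with the raw filter `UserPrincipalName=*` shows the behaviour the escaping step prevents, and switching `fetch` to `Nested` shows what changing the Fetch Groups setting from Direct would return for the same user.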