Lab 2.5 - Creating an APM Policy - LDAP

PUA requires a Directory Service to authenticate users. In this section you will build an LDAP macro to perform the authentication function.

Task - Build an LDAP macro

Note

This lab makes use of APM macros to make policies easy to view and manage.

The LDAP macro will verify that the requesting user has a valid account and the appropriate group permission.

  1. Click the Add New Macro button

    image30

  2. Enter LDAP_Query for the Name and click Save

    image31

  3. Open the newly created macro by clicking the plus sign by the name: Macro: LDAP_Query

    image32

  4. Add the LDAP Query action by clicking the plus sign

    image33

  5. Select the Authentication tab, select the LDAP Query agent, and then click Add Item

    image34

  6. Update the Properties tab by modifying the Server, SearchDN, SearchFilter, and Fetch Groups settings

    • Server = /Common/ldap-servers
    • SearchDN = DC=f5lab,DC=local
    • SearchFilter = UserPrincipalName=%{session.custom.ephemeral.upn}
    • Fetch groups to which the user or group belong = Direct

    image35

  7. Click on the Branch Rules tab to edit the Branch Rules

  8. Click the X button beside User Group Membership. This deletes the branch

    image36

  9. Click Add Branch Rule

    image37

  10. Enter LDAP Query in the Name field and click the change link

    image38

  11. Click the Add Expression button

    image39

  12. Change the Context setting to LDAP Query and the Condition setting to LDAP Query Passed. Ensure that LDAP Query is set to Passed. Click th

    image130

  13. Click the Add Expression button

    image131

  14. Click Finish, and then click Save

  15. Now add a Message Box agent to alert when the LDAP query fails. Click on the plus sign on the fallback branch (between the LDAP Query and the OUT terminal)

    image132

  16. Select the General Purpose tab, select Message Box in the main section, and click the Add Item button

    image133

  17. Enter the following values for the Message Box agent, and click the Save button

    Name:    **LDAP Failure**
    Message: **LDAP Failure for user %{UserPrincipalName}**

    image134

  18. Click on the Edit Terminals button to change the terminals to report Success and Failure

    image136

  19. Change the Name from out to Success, and then click on the Add Terminal button

    image137

  20. Change the name from Terminal 1 to Failure, and then click on Save

    image138

  21. Click the terminal for the LDAP Failure branch

    image139

  22. Change the setting from Success to Failure, and click Save

    image1130

  23. Click Save

Here is the completed macro.

image135
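To see what the macro built above actually evaluates, here is an added Python model of it (not F5 code, and not part of the lab): it builds the SearchFilter from the UPN with RFC 4515 escaping, runs it against a constructed directory under the lab's SearchDN, fetches groups the way the Direct setting does (with Nested for comparison), and routes to the Success or Failure terminal exactly as the branch rule and Message Box do. The directory entries and group nesting are constructed sample data.

```python
import re

# Constructed sample directory under the lab's SearchDN (not a real lab export).
SEARCH_DN = "DC=f5lab,DC=local"
DIRECTORY = {
    "CN=alice,OU=Users,DC=f5lab,DC=local": {
        "userprincipalname": "alice@f5lab.local",
        "memberof": ["CN=PUA-Admins,OU=Groups,DC=f5lab,DC=local"],
    },
    "CN=bob,OU=Users,DC=f5lab,DC=local": {
        "userprincipalname": "bob@f5lab.local",
        "memberof": ["CN=Helpdesk,OU=Groups,DC=f5lab,DC=local"],
    },
}
# Constructed group nesting: Helpdesk is itself a member of PUA-Admins.
GROUP_MEMBER_OF = {
    "CN=Helpdesk,OU=Groups,DC=f5lab,DC=local": ["CN=PUA-Admins,OU=Groups,DC=f5lab,DC=local"],
}

def escape_filter_value(value):
    """RFC 4515 escaping, so a UPN taken from a session variable cannot alter the filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def build_filter(upn):
    """Same shape as the lab's SearchFilter: UserPrincipalName=%{session.custom.ephemeral.upn}."""
    return "UserPrincipalName=" + escape_filter_value(upn)

def ldap_query(search_filter, fetch_groups="Direct"):
    """Return (dn, groups) for exactly one match under SEARCH_DN, or None when the query fails."""
    attr, _, raw = search_filter.partition("=")
    value = re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), raw)
    hits = [dn for dn, e in DIRECTORY.items()
            if dn.endswith(SEARCH_DN) and e.get(attr.lower()) == value]  # attribute names are case-insensitive
    if len(hits) != 1:
        return None
    groups = list(DIRECTORY[hits[0]]["memberof"])          # "Direct": memberOf only, as in the lab
    if fetch_groups == "Nested":                           # "Nested": walk parent groups as well
        todo = list(groups)
        while todo:
            for parent in GROUP_MEMBER_OF.get(todo.pop(), []):
                if parent not in groups:
                    groups.append(parent)
                    todo.append(parent)
    return hits[0], groups

def run_macro(upn, fetch_groups="Direct"):
    """Branch rule from the lab: LDAP Query Passed -> Success; fallback -> Message Box -> Failure."""
    result = ldap_query(build_filter(upn), fetch_groups)
    if result is None:
        return "Failure", "LDAP Failure for user %s" % upn, []
    return "Success", None, result[1]
```

Running bob through both modes shows why the Direct setting matters: only Helpdesk comes back, while Nested also returns PUA-Admins, so a later group check must match the fetch mode you chose in step 6.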