Skip to main content

F5 APM: Convert attribute values

Status

The problem with APM LDAP auth is that LDAP-attributes with values of ASCII chars can be used in further scripts without problems.
If you have some UTF8 characters in the value the F5 APM will convert the string to a HEX-string:

Aus dem F5 Manual: https://support.f5.com/kb/en-us/products/big-ip_apm/manuals/product/apm-authentication-single-sign-on-11-5-0/5.html

About how APM handles binary values in LDAP attributes

For LDAP, Access Policy Manager (APM) converts an attribute value to hex only if the value contains unprintable characters.
f the session variable contains several values, and one or more of those values is unprintable, then APM converts only those particular values to hex.

Case 1:

Handling of attributes with single value:

9302eb80.session.ldap.last.attr.objectGUID 34 / 0xfef232d3039be9409a72bfc60bf2a6d0

Case 2:

Handling of attributes with multiple values (mix of binary and non-binary values):

29302eb80.session.ldap.last.attr.memberOf 251 | / CN=printable group,OU=groups,OU=someco,DC=smith, \
/ DC=labt,DC=fp,DC=somelabnet,DC=com | / 0x434e3d756e7072696e7461626c6520c2bdc2a12067726f75702c4f553d67726f7570732c4f553d66352c \
/ 44433d73686572776f6f642c44433d6c6162742c44433d66702c44433d66356e65742c44433d636f6d |

Possible solution

Devcentral: https://devcentral.f5.com/questions/looking-for-irule-to-convert-non-ascii-character-to-ascii

In 12.0.0

ID 399693:

It is now possible to use the -decode option for mcget command of a branch rule to decode a session variable before using it.
When you create an agent and add a branch rule, the default value of the rule contains an mcget command to fetch the session variable. By default, the session variable is HEX encoded if it contains non-ASCII characters.
You need to modify the command in advanced mode and insert the -decode option for mcget command, for example:

expr { [mcget -decode {session.ad.last.attr.memberOf}] contains "non-ASCII-characters" }