Layer7 API Management

Hi All,

I have a use case in which we are trying to do authentication and authorization using LDAP. In the LDAP an username can be part of multiple groups.

mc_adgroup = {String[]} size = 2  (First LDAP groups)
[0] = {String} "cn=grp-consumer-company-edwb2c-stg,ou=groups,ou=security,o=company WorldWide,dc=company,dc=com"
[1] = {String} "cn=grp-consumer-unauthorized-grp,ou=groups,ou=security,o=company WorldWide,dc=company,dc=com"

_mc_groups = {String[]} size = 2  (Second LDAP group)
[0] = {String} "cn=grp-consumer-company-edwb2c-stg,ou=groups,ou=security,o=company WorldWide,dc=company,dc=com"
[1] = {String} "cn=grp-consumer-another-authorized-grp,ou=groups,ou=security,o=company WorldWide,dc=company,dc=com"

When I tried to compare both variable using compare variable ( pass any value match) since _mc_group[0] is matching the compare variable should give success; however it's getting failed.

Any thoughts from anyone?

Can you describe how you configured your compare variable assertion? Which settings did you use?

Both _mc_adgroup and _mc_groups ( I am getting this value from  the LDAP atttibute ibm-all-groups). Idea was as long it matches single value it should pass.

I don't think you could compare two arrays (Multivalued variables) this way. As far as I know it will only check against each element of _mc_adgroup. I think the contains part of the rule will try to match the full array against those elements, if it matches anything at all.

So the right approach in my opinion would be to do the compare for each element of _mc_groups. If the number of elements is fixed, you could do it hardcoded with multiple compares. If the number of elements can change, you should look at the Run Assertions for Each Item Assertion - CA API Gateway - 9.3 - CA Technologies Documentation  assertion to build a loop to process all elements.

Thanks I had to use run each item assertion for both LDAP search and once it match I had to break the loop.