This relates to a migration from 3.8 to 4G. The 3.8 implementation has a simple sequence of 2 LDAP policies in succession that need to be duplicated in 4G, using the 4G Ldap Policy. The Ldap being used is Active Directory, and the users being challenged are from the Runtime stream (not administrators).
The first Ldap policy executes an authentication; both the 3.8 and 4G policies operate similarly. The second Ldap policy executes an authorization, searching a specified cn name (a group id) for membership by the user. In the 3.8 case, searching for a member in a bogus group will generate a failure in the policy and set a variable that is queried for logging. Any users not in the specified group are permitted to complete the request, but they are logged as being not in the group. I.e., the search is successful, but returns a null result set that can be queried in the flow.
In 4G, the search also succeeds, but there is no indication of a null result set. Nothing shows up in any variables that could then be used to trigger the appropriate logging.
- Is there a way to access the needed result set information we are not aware of (and what would that be)?
- If not, is there an alternative solution we can employ (e.g., a javascript we could modify to perform the query and needed evaluation)?
Thank you for your help.