Forum Discussion
AD LDAP Authentication fails with mail as username
We are migrating from OID to AD LDAP. Oracle password works fine. Tried to replicate the configuration for AD LDAP. All is the same with the exception of a query at the beginning. The LDAP team is telling me they use the userPassword attribute... I have also configured it to look for that attribute but it failed with invalid credentials.
Oracle LDAP Auth OBJECT
  Search Filter: mail=%{session.logon.last.username}
  Variable Assign: session.custom.uid = expr { [mcget {session.logon.last.username}] }
  IF AUTH PASSES, Variable Assign: session.custom.mechanism = expr { "password" }

AD LDAP Query OBJECT
  Search Filter: mail=%{session.logon.last.username}
  Require attribute: mail
  Variable Assign: session.custom.uid = expr { [mcget {session.logon.last.username}] }

AD LDAP Auth OBJECT
  Search Filter: mail=%{session.logon.last.username}
  IF AUTH PASSES, Variable Assign: session.custom.mechanism = expr { "password" }
It fails auth, so the Variable Assign for the password mechanism never triggers.
Thank you for any assistance
It seems you have a curly brace too many.
Instead of:
expr { [mcget -secure {session.logon.last.password}] equals { [mcget {session.ldap.last.attr.userPassword}]}
Try:
expr { [mcget -secure {session.logon.last.password}] equals [mcget {session.ldap.last.attr.userPassword}]}
- gavin84_31753 (Nimbostratus)
To add a little more info. We now have the same search criteria; however, we removed the Auth and are only doing an LDAP Query requiring the mail and userPassword attributes. We then do a comparison using expr { [mcget -secure {session.logon.last.password}] equals { [mcget {session.ldap.last.attr.userPassword}]} . The userPassword attribute has the password we are looking to authenticate against.
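For both the search-then-auth flow in the original post and the attribute-compare approach in the follow-up, the following is an added example (not from this thread, and not F5 APM code) that models what an LDAP Auth agent does: resolve the entry's DN with a `(mail=...)` search, then bind as that DN with the password the user typed. Two checks worth having in any such policy are shown: the username is escaped per RFC 4515 before it is placed in the filter (verify whether your policy's filter field does this for `%{session.logon.last.username}`), and the lookup must return exactly one entry before a bind is attempted. The bind is the check AD supports; AD does not return a user's password attribute over LDAP for the policy to compare against. The directory, DNs, mail addresses and passwords below are constructed stand-ins so the script runs offline; against AD you would swap `directory_search` and `directory_bind` for a real client.

```python
import hashlib
import hmac
import os
from typing import Callable, Dict, List, Tuple

# RFC 4515 escaping for values placed inside an LDAP search filter.
_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}


def escape_filter_value(value: str) -> str:
    """Escape filter metacharacters so the username is matched literally."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def mail_filter(username: str) -> str:
    """The '(mail=...)' filter the Search Filter field builds, with the value escaped."""
    return f"(mail={escape_filter_value(username)})"


def unescape_filter_value(value: str) -> str:
    """Reverse of escape_filter_value; used only by the stand-in directory below."""
    out, i = [], 0
    while i < len(value):
        if value[i] == "\\" and i + 3 <= len(value):
            out.append(chr(int(value[i + 1:i + 3], 16)))
            i += 3
        else:
            out.append(value[i])
            i += 1
    return "".join(out)


# --- Constructed in-memory stand-in for the directory (not a real LDAP server) ---

def _hash_password(password: str, salt: bytes) -> bytes:
    # Low iteration count only to keep the stand-in fast.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)


def _make_entry(mail: str, password: str) -> Dict[str, object]:
    salt = os.urandom(16)
    return {"mail": mail, "_salt": salt, "_hash": _hash_password(password, salt)}


# Constructed sample data: DN -> attributes. Bob's mail is deliberately duplicated
# (a stale entry) to show why "exactly one match" matters.
DIRECTORY: Dict[str, Dict[str, object]] = {
    "CN=Alice,OU=Users,DC=example,DC=com": _make_entry("alice@example.com", "correct horse"),
    "CN=Bob,OU=Users,DC=example,DC=com": _make_entry("bob@example.com", "battery staple"),
    "CN=Bob (old),OU=Stale,DC=example,DC=com": _make_entry("bob@example.com", "retired"),
}


def directory_search(ldap_filter: str) -> List[str]:
    """Stand-in for an LDAP search: supports only '(mail=<escaped value>)', exact match."""
    if not (ldap_filter.startswith("(mail=") and ldap_filter.endswith(")")):
        raise ValueError("unsupported filter in stand-in directory")
    wanted = unescape_filter_value(ldap_filter[len("(mail="):-1])
    return [dn for dn, attrs in DIRECTORY.items() if attrs["mail"] == wanted]


def directory_bind(dn: str, password: str) -> bool:
    """Stand-in for a simple bind: the server verifies the password and never discloses it."""
    entry = DIRECTORY.get(dn)
    if entry is None:
        return False
    return hmac.compare_digest(entry["_hash"], _hash_password(password, entry["_salt"]))


# --- The policy logic: search by mail, then bind as the resolved DN ---

def authenticate(username: str, password: str,
                 search: Callable[[str], List[str]] = directory_search,
                 bind: Callable[[str, str], bool] = directory_bind) -> Tuple[bool, str]:
    """Return (success, detail). detail is the bound DN on success, else the reason."""
    if not password:
        # An empty password would turn the bind into an unauthenticated bind on many servers.
        return False, "empty password rejected"
    matches = search(mail_filter(username))
    if len(matches) != 1:
        return False, f"expected exactly one entry, got {len(matches)}"
    if not bind(matches[0], password):
        return False, "invalid credentials"
    return True, matches[0]


if __name__ == "__main__":
    for user, pw in [("alice@example.com", "correct horse"), ("alice@example.com", "nope"),
                     ("bob@example.com", "battery staple"), ("*", "anything")]:
        print(user, "->", authenticate(user, pw))
```

The duplicate-mail case is the one to watch when mail is the logon name: AD does not enforce uniqueness of `mail`, so a stale or service object carrying the same address turns the lookup into a coin toss unless the policy insists on a single result. Escaping the username keeps a value containing `*`, `(` or `)` as a literal match instead of a wildcard or a second filter clause.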