Forum Discussion
AD QUERY FOR APM POLICY
Hi, how can I specify the group a user must be a member of in the AD query component of the APM policy on the F5? It seems like there has to be a format for the specification of the group on the AD query. Please, I need help on this.
- Yoann_Le_Corvi1 (Cumulonimbus)
Hi,
Are you talking about the Branch Rule?
Normally, in the AD Query, you can create a Branch Rule that sets:
Context: AD Query
Condition: User is Member Of
DN: CN=MY_GROUP, CN=Users, DC=MY_DOMAIN
It should be really straightforward.
Yoann
- Oreoluwa (Altocumulus)
Yes, I know this format of the AD query is what is default on the F5 APM; however, it does not work. That is, the users in the group I specified in this DN are not seeing what they are expected to see on their portal access. They still see what every other user sees on the webtop.
- Yoann_Le_Corvi1 (Cumulonimbus)
Hmm,
You confirm that the DN entered there matches the distinguished name attribute in Active Directory Object editor for the user group in question?
Also, we occasionally hit a limitation when the number of groups the user belongs to is too big. Could that be your case?
Yoann
Can you see and confirm from the APM debug logs whether those users are going through the expected branch or whether they hit another one?
- Oreoluwa (Altocumulus)
Hi guys, so I found that there was an AD group resource assignment where I could specify groups I have imported from the Active Directory to the F5. This has worked in my lab and I have different portal views for different groups of users. However, at a production site, the import of groups is failing, showing an error: unable to import group. I have confirmed that the F5 can reach the AD and query it. It just doesn't import the groups. Any solution to this, please?
- Marco_Lei (Altostratus)
Hi,
Have you tried to use the same user as in the APM AD server config to query the AD server with "ldapsearch" on the command line?
Also, F5 will send requests to port 88 of the AD server when you configure AD in the "Active Directory" section, but if LDAP is used to configure AD, F5 will send requests to port 389 or 636. Hope this helps.
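
The two checks suggested in the thread (compare the configured DN with the group's distinguished name, and query AD with ldapsearch) can be combined offline. The following is an added example, not part of any post and not F5 code: it parses ldapsearch-style LDIF output and reports whether a configured group DN appears in the user's memberOf values exactly, or only after case and whitespace normalization. The LDIF sample, the example.local domain and all function names are constructed for illustration.

```python
import base64
import re

def unfold(ldif):
    """Join LDIF continuation lines (a leading space continues the previous line)."""
    out = []
    for raw in ldif.splitlines():
        if raw.startswith(" ") and out:
            out[-1] += raw[1:]
        else:
            out.append(raw)
    return out

def member_of(ldif):
    """Return the memberOf values of one entry, decoding base64 ('memberOf::') values."""
    groups = []
    for line in unfold(ldif):
        m = re.match(r"(?i)memberOf(::?)\s*(.*)$", line)
        if m:
            value = m.group(2)
            if m.group(1) == "::":
                value = base64.b64decode(value).decode("utf-8")
            groups.append(value)
    return groups

def normalize(dn):
    """Lowercase and trim each RDN. Simplification: escaped commas are not handled."""
    rdns = []
    for part in dn.split(","):
        attr, _, val = part.partition("=")
        rdns.append(f"{attr.strip().lower()}={val.strip().lower()}")
    return ",".join(rdns)

def check_group(ldif, configured_dn):
    """Return (exact, normalized) membership of configured_dn in the entry's memberOf."""
    groups = member_of(ldif)
    exact = configured_dn in groups
    loose = normalize(configured_dn) in {normalize(g) for g in groups}
    return exact, loose

# Constructed sample: ldapsearch-style LDIF for a hypothetical user in example.local.
ENCODED = base64.b64encode("CN=Accès VPN,CN=Users,DC=example,DC=local".encode()).decode()
SAMPLE = (
    "dn: CN=Test User,CN=Users,DC=example,DC=local\n"
    "memberOf: CN=MY_GROUP,CN=Users,DC=example,DC=local\n"
    "memberOf: CN=Portal Admins,OU=Groups,DC=exa\n"
    " mple,DC=local\n"
    f"memberOf:: {ENCODED}\n"
)

if __name__ == "__main__":
    print(check_group(SAMPLE, "CN=MY_GROUP, CN=Users, DC=example, DC=local"))
```

A result of `(False, True)` means the DN as typed differs from the directory's value only in case or spacing; the thread does not say how APM compares the two, so copying the exact memberOf string into the Branch Rule removes that variable.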