Forum Discussion

Oreoluwa's avatar
Icon for Altocumulus rankAltocumulus
Sep 16, 2020


Hi, How can i specify the group a user must be a member of in the AD query component of the APM policy on the F5. It seems like there has to be a format for the specification of the group on the AD query. Please i need help on this.

8 Replies

  • Hi,


    Are you talking about the Branch Rule ?

    Normally, in the AD Query, you can create a Banch Rule that sets :

    Context: AD Query

    Condition: User is Member Of



    It should be really straighforward.



    • Oreoluwa's avatar
      Icon for Altocumulus rankAltocumulus

      Yes i know this format of the AD query is what is default on the F5 APM however, it does not work. That is, the users in the group i specified in this DN are not seeing what they are expected to see on their portal access. They still what every other user sees on the webtop.

  • Hmm,


    You confirm that the DN entered there matches the distinguished name attribute in Active Directory Object editor for the user group in question ?

    Also, we occasionally hit limitation when the number of group the user belongs to is to big. Could that be your case ?



  • Can you see and confirm from the APM debug logs whether those users are going through the expected branch or whether they hit another one?

    • Oreoluwa's avatar
      Icon for Altocumulus rankAltocumulus

      Hi guys, so i found that there was am ad group resource assignment where i could specify groups i have imported from the Actice Directory to the F5. This has worked on my lab and i have different portal views foe different groups of users. However, at a production site, the import of groups is failing. Showing an error unable to import group. I have confirmed that the F5 can reach the AD and query it. It just doesnt import the groups. Any solution to this please??

      • Marco_Lei's avatar
        Icon for Altostratus rankAltostratus



        Have you tried to use the same user in APM AD server config to query the AD server by "ldapsearch" in command line?


        Also, F5 will send request to port 88 of AD server when you configured AD in "Active Directory" section, but if LDAP is used to configure AD, F5 will send request to port 389 or 636. Hope this helps.