Forum Discussion
AD Query not working - Edge v11.0
David_Stout
Nimbostratus
Sep 22, 2011
Hi guys ... in a major pickle here....
I have followed this guide but still can't get this working.
http://support.f5.com/kb/en-us/solutions/public/12000/100/sol12193.html
This is what's being logged in /var/log/apm
Sep 22 14:06:56 edge01 info apd[20821]: 01490006:6: 5a8f9d35: Following rule 'Successful' from item 'AD Auth' to item 'AD Query'
Sep 22 14:06:56 edge01 debug apd[20821]: 01490011:7: 5a8f9d35: AD agent: ENTER Function executeInstance
Sep 22 14:06:56 edge01 debug apd[20821]: 01490000:7: ./AccessPolicyProcessor/Session.h func: "getSessionVar()" line: 240 Msg: variable "session.logon.last.domain" was not found in the local cache for session "5a8f9d35"
Sep 22 14:06:56 edge01 debug apd[20821]: 01490000:7: ./AccessPolicyProcessor/Session.h func: "getSessionVar()" line: 247 Msg: try to get it from MEMCACHED
Sep 22 14:06:56 edge01 debug apd[20821]: 01490000:7: memcache.c func: "mc_convert_session_var_to_mc_key()" line: 831 Msg: Converted Var: session.logon.last.domain to Session Var tmm.session.5a8f9d35.session.logon.last.domain
Sep 22 14:06:56 edge01 debug apd[20821]: 01490000:7: ./AccessPolicyProcessor/Session.h func: "getSessionVar()" line: 262 Msg: variable "session.logon.last.domain" for session "5a8f9d35" was not found in MEMCACHED
Sep 22 14:06:56 edge01 debug apd[20821]: 01490023:7: 5a8f9d35: AD module: ENTER Function queryActiveDirectory
Sep 22 14:06:56 edge01 debug apd[20821]: 01490111:7: 5a8f9d35: AD module: verifyKrb5Cache(): Ticket cache: FILE:/var/run/krb5cc/Common/subdomain.domain.com_vip/krb5cc_0 Default principal: sc_edgegateway_ema@subdomain.domain.COM
Sep 22 14:06:56 edge01 debug apd[20821]: 01490111:7: 5a8f9d35: AD module: verifyKrb5Cache(): server realm:subdomain.domain.COM princ realm:subdomain.domain.COM server data[0]:krbtgt server data[1]:subdomain.domain.COM curr time: 1316700416 end time: 1316728077 Default principal: sc_edgegateway_ema@subdomain.domain.COM
Sep 22 14:06:56 edge01 debug apd[20821]: 01490027:7: 5a8f9d35: AD module: ldap_initialize() successful. URI:'ldap://10.236.64.50:389'
Sep 22 14:06:56 edge01 debug apd[20821]: 01490029:7: 5a8f9d35: AD module: ldap_sasl_interactive_bind_s() successful.
Sep 22 14:06:56 edge01 debug apd[20821]: 01490023:7: 5a8f9d35: AD module: ENTER Function queryActiveDirectoryUser
Sep 22 14:06:56 edge01 debug apd[20821]: 01490024:7: 5a8f9d35: AD module: LEAVE Function queryActiveDirectoryUser
Sep 22 14:06:56 edge01 err apd[20821]: 01490107:3: 5a8f9d35: AD module: query with '(sAMAccountName=demastout)' failed: Operations error, base: dc=subdomain,dc=domain,dc=COM, scope: 2, filter: (sAMAccountName=demastout) (1)
Sep 22 14:06:56 edge01 debug apd[20821]: 01490111:7: 5a8f9d35: AD module: ldap_search_ext_s(): Operations error, base: dc=subdomain,dc=domain,dc=COM, scope: 2, filter: (sAMAccountName=demastout) (1)
Sep 22 14:06:56 edge01 debug apd[20821]: 01490024:7: 5a8f9d35: AD module: LEAVE Function queryActiveDirectory
Sep 22 14:06:56 edge01 info apd[20821]: 01490019:6: 5a8f9d35: AD agent: Query: query with '(sAMAccountName=demastout)' failed
Sep 22 14:06:56 edge01 debug apd[20821]: 01490012:7: 5a8f9d35: AD agent: LEAVE Function executeInstance
Sep 22 14:06:56 edge01 info apd[20821]: 01490004:6: 5a8f9d35: Executed agent '/Common/Remote_Access_Default_act_active_directory_query_ag', return value 0
Sep 22 14:06:56 edge01 debug apd[20821]: 01490000:7: ./AccessPolicyProcessor/SessionState.h func: "clearTempSessionAgentState()" line: 82 Msg: Agent did not initiated the scheduled agent
Sep 22 14:06:56 edge01 debug apd[20821]: 01490000:7: AccessPolicyProcessor/AccessPolicy.cpp func: "execute()" line: 267 Msg: Let's evaluate rules, total number of rules for this action=4
Sep 22 14:06:56 edge01 debug apd[20821]: 01490000:7: AccessPolicyProcessor/AccessPolicy.cpp func: "execute()" line: 273 Msg: Rule to evaluate = "expr { [mcget {session.ad.last.attr.memberOf}] contains "CN=subdomain Network Engineers,OU=GHC Groups,OU=EMA Hosting Centre,DC=subdomain,DC=domain,DC=com" }"
Authentication works ... just matching the user account against a group fails. I'm new to this product so any help appreciated.
Regards,
Dave
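The apd excerpt above reports three separate stages of the AD Query agent: the Kerberos ticket cache check (verifyKrb5Cache), the LDAP bind (ldap_sasl_interactive_bind_s), and the LDAP search itself, which is the one that fails with LDAP result code 1 (operationsError in RFC 4511). The following is an added example, not F5 code and not part of the original post: it parses log lines of exactly the shape quoted above and says which of the three stages failed, so the poster's observation that "authentication works" can be read straight off the log. The embedded log excerpt is reproduced from the post with the same redaction; the result-code table and the triage wording are the example's own, and the verdict text is a triage hint, not a confirmed root cause.

```python
import re

# Excerpt of the /var/log/apm lines quoted in the post (same redaction, same session ID).
APM_LOG = """\
Sep 22 14:06:56 edge01 info apd[20821]: 01490006:6: 5a8f9d35: Following rule 'Successful' from item 'AD Auth' to item 'AD Query'
Sep 22 14:06:56 edge01 debug apd[20821]: 01490000:7: ./AccessPolicyProcessor/Session.h func: "getSessionVar()" line: 240 Msg: variable "session.logon.last.domain" was not found in the local cache for session "5a8f9d35"
Sep 22 14:06:56 edge01 debug apd[20821]: 01490111:7: 5a8f9d35: AD module: verifyKrb5Cache(): Ticket cache: FILE:/var/run/krb5cc/Common/subdomain.domain.com_vip/krb5cc_0 Default principal: sc_edgegateway_ema@subdomain.domain.COM
Sep 22 14:06:56 edge01 debug apd[20821]: 01490111:7: 5a8f9d35: AD module: verifyKrb5Cache(): server realm:subdomain.domain.COM princ realm:subdomain.domain.COM server data[0]:krbtgt server data[1]:subdomain.domain.COM curr time: 1316700416 end time: 1316728077 Default principal: sc_edgegateway_ema@subdomain.domain.COM
Sep 22 14:06:56 edge01 debug apd[20821]: 01490027:7: 5a8f9d35: AD module: ldap_initialize() successful. URI:'ldap://10.236.64.50:389'
Sep 22 14:06:56 edge01 debug apd[20821]: 01490029:7: 5a8f9d35: AD module: ldap_sasl_interactive_bind_s() successful.
Sep 22 14:06:56 edge01 err apd[20821]: 01490107:3: 5a8f9d35: AD module: query with '(sAMAccountName=demastout)' failed: Operations error, base: dc=subdomain,dc=domain,dc=COM, scope: 2, filter: (sAMAccountName=demastout) (1)
Sep 22 14:06:56 edge01 info apd[20821]: 01490019:6: 5a8f9d35: AD agent: Query: query with '(sAMAccountName=demastout)' failed
"""

# LDAP result codes (RFC 4511 section 4.1.9) an AD Query is likely to surface.
LDAP_RESULT_CODES = {0: "success", 1: "operationsError", 10: "referral", 32: "noSuchObject",
                     34: "invalidDNSyntax", 49: "invalidCredentials", 50: "insufficientAccessRights"}

LINE_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<level>\w+) "
                     r"apd\[(?P<pid>\d+)\]: (?P<msgid>\d{8}):(?P<sev>\d): (?P<rest>.*)$")
SESSION_RE = re.compile(r"^(?P<sid>[0-9a-f]{8}): (?P<msg>.*)$")  # internal-debug lines lack this prefix
PRINC_RE = re.compile(r"Default principal: (?P<princ>[^@\s]+@(?P<realm>\S+))")
TICKET_RE = re.compile(r"curr time: (?P<now>\d+) end time: (?P<end>\d+)")
URI_RE = re.compile(r"ldap_initialize\(\) successful\. URI:'(?P<uri>[^']+)'")
BIND_OK_RE = re.compile(r"ldap_sasl_interactive_bind_s\(\) successful")
# Base DNs contain commas, so every field is matched lazily up to the next fixed label.
SEARCH_FAIL_RE = re.compile(r"query with '(?P<query>[^']*)' failed: (?P<msg>.*?), base: (?P<base>.*?), "
                            r"scope: (?P<scope>\d+), filter: (?P<filter>.*?) \((?P<code>\d+)\)\s*$")


def dn_to_domain(dn):
    """'dc=sub,dc=example,dc=COM' -> 'sub.example.COM' (case preserved for comparison by caller)."""
    return ".".join(p.split("=", 1)[1].strip() for p in dn.split(",")
                    if p.strip().lower().startswith("dc="))


def parse_apm_log(text):
    """Collect what the AD Query agent reported for the first apd session seen in the text."""
    r = {"session": None, "principal": None, "realm": None, "ticket_valid": None,
         "ldap_uri": None, "bind_ok": False, "search": None}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        s = SESSION_RE.match(m.group("rest")) if m else None
        if not s:
            continue                      # Session.h / memcache.c debug noise carries no session ID
        sid, msg = s.group("sid"), s.group("msg")
        r["session"] = r["session"] or sid
        if sid != r["session"]:
            continue                      # follow one session only
        if (p := PRINC_RE.search(msg)):
            r["principal"], r["realm"] = p.group("princ"), p.group("realm")
        if (t := TICKET_RE.search(msg)):  # ticket is usable if its end time is still ahead of curr time
            r["ticket_valid"] = int(t.group("end")) > int(t.group("now"))
        if (u := URI_RE.search(msg)):
            r["ldap_uri"] = u.group("uri")
        if BIND_OK_RE.search(msg):
            r["bind_ok"] = True
        if (f := SEARCH_FAIL_RE.search(msg)):
            code = int(f.group("code"))
            r["search"] = {"base": f.group("base"), "scope": int(f.group("scope")),
                           "filter": f.group("filter"), "message": f.group("msg"),
                           "code": code, "name": LDAP_RESULT_CODES.get(code, "unknown")}
    return r


def triage(r):
    """One-line verdict naming the stage (ticket, bind, search) that failed."""
    if r["ticket_valid"] is False:
        return "Kerberos ticket in the krb5 cache has expired; fix the ticket/keytab before looking at LDAP"
    if not r["bind_ok"]:
        return "LDAP bind never succeeded; the service account credentials or SASL/GSSAPI setup are the problem"
    s = r["search"]
    if s is None:
        return "ticket, bind and search all succeeded"
    realm_ok = dn_to_domain(s["base"]).lower() == (r["realm"] or "").lower()
    return (f"bind succeeded but search returned {s['name']} ({s['code']}) for base {s['base']} "
            f"(base matches principal realm: {realm_ok}); credentials are not the issue, "
            "look at what the DC rejects for this search (account rights, base DN, referrals)")


if __name__ == "__main__":
    print(triage(parse_apm_log(APM_LOG)))
```

Run against the excerpt it reports a valid ticket, a successful bind, and an operationsError (1) on the search whose base DN does match the principal's realm, which is the same split the thread arrives at by hand: the service account can authenticate, so the next questions belong to the directory side of the search rather than to the credentials.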
Mike_61719
Cirrus
Can you post your exact query string?

Mike_61719
Cirrus
If you can't post it, attempt to do this test via command line.

Mike_61719
Cirrus
What happens when you run the ad test via command line?

David_Stout
Nimbostratus
ERROR: query with '(sAMAccountName=demastout)' failed: Operations error, base: dc=XXXX,dc=DELOITTE,dc=COM, scope: 2, filter: (sAMAccountName=demastout) (1)

David_Stout
Nimbostratus
I think I am going to go back to the AD team and ask some questions. I don't think it's what I'm doing on the F5. I have a feeling they didn't set up the service account correctly. .... Unless you have any more ideas?

Mike_61719
Cirrus
That's a good idea, but if you have another known valid account you can test with the ad query tool and see if it will work.