Forum Discussion
David_Stout
Nimbostratus
Sep 22, 2011
AD Query not working - Edge v11.0
Hi guys ... in a major pickle here....
I have followed this guide but still can't get this working.
http://support.f5.com/kb/en-us/solutions/public/12000/100/sol12193.html
This is what's being logged in /var/log/apm
Sep 22 14:06:56 edge01 info apd[20821]: 01490006:6: 5a8f9d35: Following rule 'Successful' from item 'AD Auth' to item 'AD Query'
Sep 22 14:06:56 edge01 debug apd[20821]: 01490011:7: 5a8f9d35: AD agent: ENTER Function executeInstance
Sep 22 14:06:56 edge01 debug apd[20821]: 01490000:7: ./AccessPolicyProcessor/Session.h func: "getSessionVar()" line: 240 Msg: variable "session.logon.last.domain" was not found in the local cache for session "5a8f9d35"
Sep 22 14:06:56 edge01 debug apd[20821]: 01490000:7: ./AccessPolicyProcessor/Session.h func: "getSessionVar()" line: 247 Msg: try to get it from MEMCACHED
Sep 22 14:06:56 edge01 debug apd[20821]: 01490000:7: memcache.c func: "mc_convert_session_var_to_mc_key()" line: 831 Msg: Converted Var: session.logon.last.domain to Session Var tmm.session.5a8f9d35.session.logon.last.domain
Sep 22 14:06:56 edge01 debug apd[20821]: 01490000:7: ./AccessPolicyProcessor/Session.h func: "getSessionVar()" line: 262 Msg: variable "session.logon.last.domain" for session "5a8f9d35" was not found in MEMCACHED
Sep 22 14:06:56 edge01 debug apd[20821]: 01490023:7: 5a8f9d35: AD module: ENTER Function queryActiveDirectory
Sep 22 14:06:56 edge01 debug apd[20821]: 01490111:7: 5a8f9d35: AD module: verifyKrb5Cache(): Ticket cache: FILE:/var/run/krb5cc/Common/subdomain.domain.com_vip/krb5cc_0 Default principal: sc_edgegateway_ema@subdomain.domain.COM
Sep 22 14:06:56 edge01 debug apd[20821]: 01490111:7: 5a8f9d35: AD module: verifyKrb5Cache(): server realm:subdomain.domain.COM princ realm:subdomain.domain.COM server data[0]:krbtgt server data[1]:subdomain.domain.COM curr time: 1316700416 end time: 1316728077 Default principal: sc_edgegateway_ema@subdomain.domain.COM
Sep 22 14:06:56 edge01 debug apd[20821]: 01490027:7: 5a8f9d35: AD module: ldap_initialize() successful. URI:'ldap://10.236.64.50:389'
Sep 22 14:06:56 edge01 debug apd[20821]: 01490029:7: 5a8f9d35: AD module: ldap_sasl_interactive_bind_s() successful.
Sep 22 14:06:56 edge01 debug apd[20821]: 01490023:7: 5a8f9d35: AD module: ENTER Function queryActiveDirectoryUser
Sep 22 14:06:56 edge01 debug apd[20821]: 01490024:7: 5a8f9d35: AD module: LEAVE Function queryActiveDirectoryUser
Sep 22 14:06:56 edge01 err apd[20821]: 01490107:3: 5a8f9d35: AD module: query with '(sAMAccountName=demastout)' failed: Operations error, base: dc=subdomain,dc=domain,dc=COM, scope: 2, filter: (sAMAccountName=demastout) (1)
Sep 22 14:06:56 edge01 debug apd[20821]: 01490111:7: 5a8f9d35: AD module: ldap_search_ext_s(): Operations error, base: dc=subdomain,dc=domain,dc=COM, scope: 2, filter: (sAMAccountName=demastout) (1)
Sep 22 14:06:56 edge01 debug apd[20821]: 01490024:7: 5a8f9d35: AD module: LEAVE Function queryActiveDirectory
Sep 22 14:06:56 edge01 info apd[20821]: 01490019:6: 5a8f9d35: AD agent: Query: query with '(sAMAccountName=demastout)' failed
Sep 22 14:06:56 edge01 debug apd[20821]: 01490012:7: 5a8f9d35: AD agent: LEAVE Function executeInstance
Sep 22 14:06:56 edge01 info apd[20821]: 01490004:6: 5a8f9d35: Executed agent '/Common/Remote_Access_Default_act_active_directory_query_ag', return value 0
Sep 22 14:06:56 edge01 debug apd[20821]: 01490000:7: ./AccessPolicyProcessor/SessionState.h func: "clearTempSessionAgentState()" line: 82 Msg: Agent did not initiated the scheduled agent
Sep 22 14:06:56 edge01 debug apd[20821]: 01490000:7: AccessPolicyProcessor/AccessPolicy.cpp func: "execute()" line: 267 Msg: Let's evaluate rules, total number of rules for this action=4
Sep 22 14:06:56 edge01 debug apd[20821]: 01490000:7: AccessPolicyProcessor/AccessPolicy.cpp func: "execute()" line: 273 Msg: Rule to evaluate = "expr { [mcget {session.ad.last.attr.memberOf}] contains "CN=subdomain Network Engineers,OU=GHC Groups,OU=EMA Hosting Centre,DC=subdomain,DC=domain,DC=com" }"
Authentication works ... just matching the user account against a group fails. I'm new to this product so any help is appreciated.
Regards,
Dave
6 Replies
- Mike_61719
Cirrus
Can you post your exact query string?

- Mike_61719
Cirrus
If you can't post it, attempt to do this test via command line.
https://support.f5.com/kb/en-us/solutions/public/11000/300/sol11308.html?sr=16685622

- Mike_61719
Cirrus
What happens when you run the AD test via command line?

- David_Stout
Nimbostratus
ERROR: query with '(sAMAccountName=demastout)' failed: Operations error, base: dc=XXXX,dc=DELOITTE,dc=COM, scope: 2, filter: (sAMAccountName=demastout) (1)
Test done: total tests: 1, success=0, failure=1

- David_Stout
Nimbostratus
I think I am going to go back to the AD team and ask some questions. I don't think it's what I'm doing on the F5. I have a feeling they didn't set up the service account correctly. .... Unless you have any more ideas?

- Mike_61719
Cirrus
That's a good idea, but if you have another known valid account you can test with the AD query tool and see if it will work.
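A small triage script for the apd lines quoted in this thread, added here as an example (it is not F5's tooling and not code from the thread): it parses the /var/log/apm format shown in the post, pulls the base DN, filter and LDAP result code out of the 01490107 failure line (the same text the command-line test prints) and groups those with the session variables apd reported as missing, so one session's failure can be read off in one place. The sample lines are constructed from the post, with the domain components left as placeholders.

```python
import re
from collections import defaultdict

# apd line shape from the post: "<ts> <host> <level> apd[<pid>]: <msgid>:<sev>: [<sid>: ]<msg>"
APD_RE = re.compile(
    r'^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<level>\w+) apd\[(?P<pid>\d+)\]: '
    r'(?P<msgid>[0-9a-f]{8}):(?P<sev>\d): (?:(?P<sid>[0-9a-f]{8}): )?(?P<msg>.*)$')
# The same failure text appears in the apd err line and in the CLI test output.
QUERY_FAIL_RE = re.compile(
    r"query with '(?P<filter>[^']+)' failed: (?P<reason>[^,]+), "
    r"base: (?P<base>.+?), scope: (?P<scope>\d+), filter: \S+ \((?P<code>\d+)\)")
MISSING_VAR_RE = re.compile(r'variable "(?P<var>[^"]+)" for session '
                            r'"(?P<sid>[0-9a-f]{8})" was not found in MEMCACHED')
AD_QUERY_FAILED = "01490107"  # apd message id of the err line in the thread

# Constructed from the thread's log; the domain components are placeholders.
SAMPLE_LOG = [
    'Sep 22 14:06:56 edge01 debug apd[20821]: 01490000:7: ./AccessPolicyProcessor/Session.h '
    'func: "getSessionVar()" line: 262 Msg: variable "session.logon.last.domain" '
    'for session "5a8f9d35" was not found in MEMCACHED',
    "Sep 22 14:06:56 edge01 err apd[20821]: 01490107:3: 5a8f9d35: AD module: query with "
    "'(sAMAccountName=demastout)' failed: Operations error, base: dc=subdomain,dc=domain,dc=COM, "
    "scope: 2, filter: (sAMAccountName=demastout) (1)",
]

def parse_apm_line(line):
    # Returns the named fields, or None for lines that are not apd lines; sid is None when absent.
    m = APD_RE.match(line.strip())
    return m.groupdict() if m else None

def parse_query_failure(text):
    # Pulls filter, base DN, scope, reason and the LDAP result code out of a failure message.
    q = QUERY_FAIL_RE.search(text)
    if not q:
        return None
    d = q.groupdict()
    d["scope"], d["code"] = int(d["scope"]), int(d["code"])
    return d

def triage(lines):
    """Group AD Query failures and missing session variables by APM session id."""
    out = defaultdict(lambda: {"failures": [], "missing_vars": []})
    for rec in filter(None, map(parse_apm_line, lines)):
        if rec["msgid"] == AD_QUERY_FAILED and rec["sid"]:
            f = parse_query_failure(rec["msg"])
            if f:
                out[rec["sid"]]["failures"].append(f)
        mv = MISSING_VAR_RE.search(rec["msg"])  # these lines carry no sid prefix
        if mv:
            out[mv.group("sid")]["missing_vars"].append(mv.group("var"))
    return dict(out)
```

Run `triage(open("/var/log/apm").read().splitlines())` on a box to get the same per-session summary for real traffic; the result code in parentheses is the LDAP result code, which is what the AD team will ask for.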