For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Luca_55898's avatar
Luca_55898
Icon for Nimbostratus rankNimbostratus
Aug 15, 2011

APM - LDAP Authenticaion multiple domains

Hi,   We have an LTM using the APM module for our Outlook Web Access service.     We have users from numerous AD domains who need to authenticate. In the visual policy editior i created an L...
config
design
Wim_Vermoens_98's avatar
Wim_Vermoens_98
Icon for Nimbostratus rankNimbostratus
Jan 22, 2014

Hi all

 

I resolved this issue by doing first an LDAP query to first specific domain. in a form like this. this also resolves the problem that you cannot have both UPN and pre-windows 2000 logons. In our case you now can logon with the both logon forms, AND for multiple domains

 

Logon Page -> Fallback -> Variable assign (Custom Variable: session.custom.last.username = Session Variable session.logon.last.username) -> Fallback -> (macro Domain 1) -> LDAP Query to first domain (|(UserPrincipalName=%{session.custom.last.username}@%{session.logon.last.domain})(sAMAccountName=%{session.custom.last.username}))

 

-> Variable Assign session.logon.last.username = LDAP attribute name sAMAccountName Expression on branch 1: expr { [mcget {session.logon.last.username}] equals "" }

 

So if this variable assign sets the value of session.logon.last.username to "" we will not continue to AD Auth, but we will flow into the next macro for the second domain. This is how we know that the query failed to the first domain.

 

Branch 1 -> Failure -> Macro Domain 2) -> repeat same steps for domain 2 Fallback -> AD Auth -> Succesfull -> Allow ending -> Fallback -> Deny ending

 

So the only extra thing you need to setup is an extra (per domain) AAA pool from the LDAP type.