Forum Discussion
APM - Using AD as AAA server
The AD credentials in the AAA server configuration were OK for approximately 3 months. After that, the password was changed for that username on AD, but I never changed this password in the configuration on BIG-IP, yet VPN users are still able to connect. Is there some place where this information is cached, or?
- kunjan (Nimbostratus)
Just to add:
In the Admin Name field, type a case-sensitive name for an administrator who has Active Directory administrative permissions. If Active Directory is configured for anonymous queries, you do not need to provide an Admin Name. Otherwise, APM needs an account with sufficient privilege to bind to an Active Directory server, fetch user group information, and fetch Active Directory password policies to support password-related functionality. (APM must fetch password policies, for example, if you select the Prompt user to change password before expiration option in an AD Query action.) If you do not provide Admin account information in this configuration, APM uses the user account to fetch information. This works if the user account has sufficient privilege. APM uses the information in the Admin Name and Admin Password fields for AD Query.
- Seth_Cooper (Employee)
The AD admin credentials in the AAA object are only used for getting the password security information if you allow password change and for building the group cache. If you aren't using either of those then the AD Administrator is not needed.
- kunjan (Nimbostratus)
If AD admin user/password is not configured APM will use the
"APM uses the user account to fetch information. This works if the user account has sufficient privilege." (OLH)
Not sure if this is happening here. If possible, do a restart of the apd daemon to verify: "bigstart restart apd"
- Alen_Ismic_1869 (Nimbostratus)
Yes, I have AD Query: expr { [mcget {session.logon.last.username}] equals "someUser"}
The policy is like this:
Logon page -> AD AUTH -> AD Query -> Separate by users -> Resources by users
- kunjan (Nimbostratus)
Are you using AD Query in the policy? For AD authentication it is not used.