Forum Discussion
APM: AD Query Succeeds then Fails
I'm stumped with this one, any help appreciated:
It's strange because auth succeeds, query succeeds, then it seems the cache fails and it overall decides to fail.
Following rule 'Successful' from item 'AD Auth' to item 'AD Query'
AD agent: ENTER Function executeInstance
AD module: ENTER Function queryActiveDirectory
AD module: verifyKrb5Cache(): Ticket cache: FILE:/var/run/krb5cc/Common/Portal_AD/krb5cc_0 Default principal: svc_f5ntlm@DOMAIN.COM
AD module: verifyKrb5Cache(): server realm:DOMAIN.COM princ realm:DOMAIN.COM server data[0]:krbtgt server data[1]:DOMAIN.COM curr time: 1411017594 end time: 1411051759 Default principal: svc_f5ntlm@DOMAIN.COM
AD module: ldap_initialize() successful. URI:'ldap://127.7.0.1:389'
AD module: ldap_initialize() successful. URI:'ldap://127.7.0.1:389'
AD module: ldap_sasl_interactive_bind_s() successful.
AD module: ENTER Function queryActiveDirectoryAttrs
AD module: ldap_search_ext_s() successful. base: dc=AUCKLANDTRANSPORT,dc=GOVT,dc=NZ, scope: 2, filter: '(sAMAccountName=andrew)'
AD module: DN:
AD module: LEAVE Function queryActiveDirectoryAttrs
AD Group Cache: updateCache(): initializing cache for server 127.7.0.1
AD Group Cache: cache init failed for server '127.7.0.1'
AD module: query with '(sAMAccountName=andrew)' failed: (0)
AD module: (): (0)
AD module: LEAVE Function queryActiveDirectory
AD agent: Query: query with '(sAMAccountName=andrew)' failed
AD agent: LEAVE Function executeInstance
Executed agent '/Common/portal_1_act_active_directory_query_ag', return value 0
Following rule 'fallback' from item 'AD Query' to ending 'Deny'
Access policy result: Logon_Deny
Executed agent '/Common/portal_1_end_deny_ag', return value 0
Session variable 'session.ad./Common/portal_1_act_active_directory_auth_ag.actualdomain' set to 'DOMAIN.COM'
Session variable 'session.ad./Common/portal_1_act_active_directory_auth_ag.authresult' set to '1'
Session variable 'session.ad./Common/portal_1_act_active_directory_auth_ag.errmsg' set to ' '
Session variable 'session.ad./Common/portal_1_act_active_directory_query_ag.attr.dn' set to 'CN=
Session variable 'session.ad./Common/portal_1_act_active_directory_query_ag.attr.memberOf' set to '| CN= |'
Session variable 'session.ad./Common/portal_1_act_active_directory_query_ag.errmsg' set to ''
Session variable 'session.ad./Common/portal_1_act_active_directory_query_ag.queryresult' set to '0'
Session variable 'session.ad.last.actualdomain' set to 'DOMAIN.COM'
Session variable 'session.ad.last.attr.dn' set to 'CN=X,OU=X,OU=X,OU=X,OU=X,DC=X,DC=X,DC=X'
Session variable 'session.ad.last.attr.memberOf' set to '| CN=
Session variable 'session.ad.last.authresult' set to '1'
Session variable 'session.ad.last.errmsg' set to ''
Session variable 'session.ad.last.queryresult' set to '0'
Session variable 'session.logon./Common/portal_1_act_logon_page_ag.logonname' set to 'andrew'
Session variable 'session.logon./Common/portal_1_act_logon_page_ag.result' set to '1'
Session variable 'session.logon./Common/portal_1_act_logon_page_ag.username' set to 'andrew'
Session variable 'session.logon.last.logonname' set to 'andrew'
Session variable 'session.logon.last.result' set to '1'
Session variable 'session.logon.last.username' set to 'andrew'
Session variable 'session.logon.page.errorcode' set to '1'
Session variable 'session.logout.page.customization.group' set to '/Common/portal_1_end_deny_ag'
Session variable 'session.policy.result' set to 'deny'
\N: Session deleted due to user logout request.
Session statistics - bytes in: 2183, bytes out: 842
The AAA server is used successfully with other applications.
2 Replies
- BinaryCanary_19 (Historic F5 Account)
You're better off raising a support case, as someone probably needs to look at the network capture of communication between the APM and the LDAP server.
The query cannot succeed and then fail. Most likely what is happening is that the LDAP bind succeeds, but the query itself fails.
- Kevin_Stewart (Employee)
It looks more like the query itself is failing. Try the same query via the command line:

ldapsearch -H ldap://x.x.x.x:389 -x -b cn=users,dc=mydomain,dc=com -D administrator@mydomain.com -W '(sAMAccountName=andrew)'

The options mean:
* -x means do a simple bind
* -b is the base DN to search
* -D is the user to bind with
* -w is the password (-W for interactive prompt)
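The same query replayed from a script, as an added example that is not part of the thread: it drives the OpenLDAP ldapsearch client the way the reply above suggests, requests dn and memberOf (the attributes the log's session variables carry), and reduces the LDIF to APM-style queryresult / attr.dn / attr.memberOf values so the result can be compared with the access policy log. Host, DNs, account names, the password-file path and the sample LDIF are assumptions constructed for the example.

```python
# Added example, not from the thread: replays APM's AD Query step with ldapsearch
# and presents the result the way the log's session variables do.
import base64
import re
import subprocess

def apm_query_argv(host, base_dn, bind_dn, sam_account, passfile, port=389):
    # Simple bind (-x), password from a file (-y), LDIF only (-LLL), dn + memberOf.
    return ["ldapsearch", "-LLL", "-x", "-H", f"ldap://{host}:{port}",
            "-D", bind_dn, "-y", passfile, "-b", base_dn,
            f"(sAMAccountName={sam_account})", "dn", "memberOf"]

def parse_ldif(text):
    # Unfold wrapped lines (leading space), split entries on blank lines,
    # decode 'attr:: <base64>' values and skip '# refldap://...' referrals.
    entries = []
    for block in re.split(r"\n\s*\n", re.sub(r"\n ", "", text).strip()):
        entry = {}
        for line in block.splitlines():
            if not line or line.startswith("#"):
                continue
            key, _, value = line.partition(":")
            if value.startswith(":"):
                value = base64.b64decode(value[1:].strip()).decode("utf-8")
            else:
                value = value.strip()
            entry.setdefault(key, []).append(value)
        if "dn" in entry:
            entries.append(entry)
    return entries

def apm_query_result(entries):
    # Same shape as the log's session variables: queryresult, attr.dn, attr.memberOf.
    if len(entries) != 1:
        return {"queryresult": "0", "errmsg": f"expected one entry, got {len(entries)}"}
    groups = entries[0].get("memberOf", [])
    return {"queryresult": "1", "attr.dn": entries[0]["dn"][0], "errmsg": "",
            "attr.memberOf": "| " + " | ".join(groups) + " |"}

def run_query(host, base_dn, bind_dn, sam_account, passfile):
    proc = subprocess.run(apm_query_argv(host, base_dn, bind_dn, sam_account, passfile),
                          capture_output=True, text=True)
    if proc.returncode != 0:  # bind or search error: ldapsearch reports it on stderr
        return {"queryresult": "0", "errmsg": proc.stderr.strip()}
    return apm_query_result(parse_ldif(proc.stdout))

# Constructed ldapsearch -LLL output: folded line, base64 value ('CN=Ops,DC=test'), referral.
SAMPLE_LDIF = ("dn: CN=andrew,OU=Users,DC=test\n"
               "memberOf: CN=Portal Users,OU=Groups,DC=test\n"
               "memberOf: CN=VPN Users,OU=Grou\n ps,DC=test\n"
               "memberOf:: Q049T3BzLERDPXRlc3Q=\n\n"
               "# refldap://ForestDnsZones.test/DC=ForestDnsZones,DC=test\n")
```

Running `apm_query_result(parse_ldif(SAMPLE_LDIF))` offline shows the expected shape; `run_query(...)` does the live lookup against a real directory and returns queryresult '0' with the ldapsearch error text when the bind or search fails.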