
Forum Discussion

Grayson_149410
Nov 08, 2016

APM LDAP Auth Using Email Address

We are in the process of moving from one HR system to another. As a result, all of our warehouse users need to be able to log into some SharePoint sites occasionally. We already have this set up through APM and it works great, but they want to allow an additional login method. Here are the values I am working with:

Employee Name: Vince Carter

Email Address: vince.carter1234@whatever.com

Username: vcarter@company.com

The email address domain (there will never be an actual AD domain for @whatever.com) and the actual user account domain are completely different. They want the user to only have to remember the email address and not both accounts.

So in my Access Policy, they want the user to enter vince.carter1234@whatever.com and their password for the actual Active Directory domain, which in this case is @company.com.

The vcarter@company.com AD account will have the mail attribute filled with vince.carter1234@whatever.com.

Does anyone know a way for the user to be able to log in with their email address, do an LDAP query for their email address, authenticate them, and then do SSO (since we're dealing with SharePoint) using their sAMAccountName (vcarter)?

This sounds crazy backwards, but it is what I am tasked to work on.

 

1 Reply

  • I just finished doing something similar. Essentially I modified the policy to allow domain\username, username (using default domain), and email. Since you're asking about just email, I'll explain what I did there. (Note: we use AD instead of LDAP, but this is how I think it ought to work for you.)

    After the Login Page action, I would use the LDAP Auth action to search for the user. I would set the SearchFilter to (mail=%{session.logon.last.logonname}) and the root LDAP DN in the SearchDN.

    From there, use an LDAP Query action with the same SearchFilter and SearchDN and add whatever attributes you'll need (i.e. samaccountname).

    From there, you can add an SSO Credential Mapping object using session.ldap.last.attr.sAMAccountName for the SSO Token Username property (may show up in the drop down there).

    Hopefully that will help.
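An added example, not part of the original thread and not F5 APM configuration: a small Python model of the email-to-account flow the reply lays out (search by mail, bind as the entry found, hand its sAMAccountName to SSO), run against a constructed in-memory directory so it works offline. The directory entries, the passwords and all helper names are assumptions. Beyond the happy path it shows two checks worth having on any platform where a user-typed value ends up inside a search filter: the value is escaped per RFC 4515 before it is placed in the (mail=...) filter so it is matched literally, and a lookup that returns zero or more than one entry is refused instead of binding to the first hit.

```python
"""Added example (not F5 APM code): models 'log in with email, bind as the
matching AD account, pass sAMAccountName to SSO' against a constructed
in-memory directory. Accounts, passwords and helper names are hypothetical."""
import re

# RFC 4515 escaping for a value interpolated into an LDAP search filter, so the
# string typed into the login page cannot change the shape of the filter.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def ldap_filter_escape(value: str) -> str:
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def ldap_filter_unescape(value: str) -> str:
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def build_mail_filter(logon_name: str) -> str:
    """Counterpart of SearchFilter (mail=%{session.logon.last.logonname}),
    with the logon name escaped before substitution."""
    return f"(mail={ldap_filter_escape(logon_name)})"


# Constructed directory entries (hypothetical accounts, no real data).
# The two 'shared@' entries exist to show the ambiguous-match case.
DIRECTORY = [
    {"dn": "CN=Vince Carter,OU=Warehouse,DC=company,DC=com",
     "sAMAccountName": "vcarter", "mail": "vince.carter1234@whatever.com",
     "_password": "wh-2016-demo"},
    {"dn": "CN=Duplicate One,OU=Warehouse,DC=company,DC=com",
     "sAMAccountName": "dup1", "mail": "shared@whatever.com", "_password": "x"},
    {"dn": "CN=Duplicate Two,OU=Warehouse,DC=company,DC=com",
     "sAMAccountName": "dup2", "mail": "shared@whatever.com", "_password": "y"},
]

# Only the simple (attr=value) equality form is needed for this example;
# an unescaped '(', ')' or '*' in the value means the filter was not built safely.
_EQ = re.compile(r"^\((\w+)=([^()*]*)\)$")


def search(search_filter: str, attrs):
    """Stand-in for the search the LDAP Auth / LDAP Query agents perform.
    Returns the matching entries with the requested attributes; AD compares
    the mail attribute case-insensitively, so this does too."""
    m = _EQ.match(search_filter)
    if not m:
        raise ValueError(f"unsupported or malformed filter: {search_filter!r}")
    attr, wanted = m.group(1), ldap_filter_unescape(m.group(2)).lower()
    return [{k: e[k] for k in ("dn", *attrs)}
            for e in DIRECTORY if e.get(attr, "").lower() == wanted]


def bind(dn: str, password: str) -> bool:
    """Stand-in for the simple bind as the entry the search found."""
    entry = next((e for e in DIRECTORY if e["dn"] == dn), None)
    return entry is not None and password == entry["_password"]


def logon_with_email(logon_name: str, password: str):
    """Mirrors the policy: Login Page -> LDAP Auth (search by mail, bind as the
    found DN) -> LDAP Query (fetch sAMAccountName) -> SSO Credential Mapping.
    Returns the value to place in the SSO Token Username, or None on failure."""
    hits = search(build_mail_filter(logon_name), ["sAMAccountName"])
    if len(hits) != 1:  # zero hits: unknown email; more than one: ambiguous, refuse
        return None
    if not bind(hits[0]["dn"], password):
        return None
    return hits[0]["sAMAccountName"]  # i.e. session.ldap.last.attr.sAMAccountName


if __name__ == "__main__":
    print(build_mail_filter("vince.carter1234@whatever.com"))
    print(logon_with_email("vince.carter1234@whatever.com", "wh-2016-demo"))
    print(logon_with_email("x)(objectClass=*", "wh-2016-demo"))
    print(logon_with_email("shared@whatever.com", "x"))
```

The uniqueness check is the part most easily forgotten when wiring this up in a policy: a mail attribute is not guaranteed unique the way sAMAccountName is, so if two accounts carry the same address the policy should fail closed rather than authenticate and map whichever entry the directory returned first.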