Forum Discussion

ktm_2000's avatar
ktm_2000
Icon for Altostratus rankAltostratus
Sep 13, 2023

APM logon to multiple directories in same flow

Hi All,

I am new to APM and have been tasked to migrate our company away from Novell EDIR.     We have both EDIR and AD and our current APM auth scheme calls EDIR in per session and checks group membership in per request.   

Most of my users could get by with AD only if we replicated groups and memberships then change the per session to auth against AD and per request policies to point to AD groups.   I have a fair understanding of how to accomplish this effort and it will get us 80% of the way.

my issue....

  Our identity tool syncs uses the same user account name for a user and keeps PW for the 2 in sync.      Most users use that tool but in some cases they do not and PWs are not in sync.  We have a handful of apps which require users to be authenticated against EDIR and if I flipped the per session auth against AD and they don't have their PWs in sync, they would get an app error when they try to access  the application.

I am wondering if I could capture their PW as a part of the AD auth and then try to auth EDIR with those same credentials (without user interaction) and silently succeed or pop a 2nd logon screen if they failed and weren't in Sync?

Any suggestions on how to try that theory out?

  • When the user logs in, will they log into a APM login screen or somewhere else?
    If a APM login screen, then the f5/APM will have the password.
    Then from there the APM policy i'm pretty sure can trigger a auth somewhere else for you, but not knowing Novell EDIR do you know what protocol it uses?

  • Yes they currently logon via an APM logon screen and APM is integrated with EDIR now and doing the auth.

    I have seen snipits on how to configure AD auth and also on how to capture ID & PW and put those values into variables but I am not sure about doing a 2nd silent auth against edir using those variables.

     

  • Can you let me know how the f5 is currently talking to EDIR (Ideally the protocol)
    Or explain have you've got it working and we might be able to check for you.