APM problem with ldap authentication
Hi, I have a problem with APM LDAP authentication. I have defined this simple Access Policy:
The two iRule Event agents are linked to the same iRule (just for logging):
when ACCESS_POLICY_AGENT_EVENT {
    # Only act for the iRule Event agents whose ID is set to "log"
    if { [ACCESS::policy agent_id] eq "log" } {
        # URI the client originally requested when the session was created
        set a [ACCESS::session data get "session.server.landinguri"]
        log local0. "Session server Landing URI: $a"
        # Result of the last LDAP authentication attempt
        set b [ACCESS::session data get "session.ldap.last.authresult"]
        log local0. "session.ldap.last.authresult: $b"
        # Error message returned by the LDAP agent for the last attempt
        set c [ACCESS::session data get "session.ldap.last.errmsg"]
        log local0. "Session.ldap.last.errmsg: $c"
    }
}
When the LDAP authentication is successful, there are no problems and the following iRule Event is executed as expected. My problem is when the LDAP authentication fails (invalid credentials): the following iRule Event is not executed. In the APM log, I have this error:
Oct 28 11:51:05 vilbf5 err apd[14523]: 01490000:3: ./AccessPolicyProcessor/Session.h func: "scheduleExecLastAgent()" line: 799 Msg: USession::scheduleExecLastAgent() - can not found the agent
Oct 28 11:51:05 vilbf5 warning apd[14523]: 01490140:4: a858bc9f: LDAP module: Logon agent instance is not available to be scheduled
Oct 28 11:51:05 vilbf5 err apd[14523]: 01490000:3: AccessPolicyProcessor/AccessPolicy.cpp func: "execute()" line: 228 Msg: agent execution error, node=4, agent=0
I don't know what is wrong with my config. If I replace the LDAP Auth action with a RADIUS Auth action (for testing), I have no problem and the following action is executed correctly after a bad authentication. I'm running BIG-IP version 11.4.1.
Anyone have an idea? Thank you, Vincent
2 Replies
- Kevin_Stewart
Employee
Can you elaborate on how you've configured your access policy? As a rule, I believe, the AD/LDAP auth agents don't process agents along the fallback branch if auth fails (bad username or password).
You should be able to get around this by setting "Max Logon Attempts Allowed" in the LDAP auth agent to a value of 1. The fallback agents will get processed, but then you'll need to handle invalid credentials on your own.
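As an added illustration of the "handle invalid credentials on your own" part of the reply above (this is example code, not Kevin's or F5's, and not from the original thread): once "Max Logon Attempts Allowed" on the LDAP Auth agent is set to 1, the fallback branch is reached after every failed logon, so the retry bookkeeping that the agent used to do has to live somewhere else. The iRule below does it in an iRule Event agent placed on that fallback branch. Assumed names: the agent ID "ldap_fallback", the limit of 3, and the custom session variables session.custom.ldap.failures and session.custom.ldap.locked; the commands ACCESS::session data get/set and ACCESS::session sid are standard APM iRule commands.

```tcl
# Added example, not from the thread or F5. Runs for the iRule Event agent
# with ID "ldap_fallback" (assumed), which sits on the LDAP Auth fallback branch.
when ACCESS_POLICY_AGENT_EVENT {
    if { [ACCESS::policy agent_id] eq "ldap_fallback" } {
        # Failed logons allowed before this iRule flags the session (assumed value)
        set max_failures 3

        # Outcome of the last LDAP attempt: 1 on success, 0 on failure
        set result [ACCESS::session data get "session.ldap.last.authresult"]
        set errmsg [ACCESS::session data get "session.ldap.last.errmsg"]

        # Our own per-session counter (assumed variable name); empty on first pass
        set failures [ACCESS::session data get "session.custom.ldap.failures"]
        if { $failures eq "" } { set failures 0 }

        if { $result ne "1" } {
            incr failures
            ACCESS::session data set "session.custom.ldap.failures" $failures
            log local0. "LDAP logon failed ($failures/$max_failures) sid=[ACCESS::session sid]: $errmsg"

            if { $failures >= $max_failures } {
                # Set a flag that a branch rule later in the policy can test
                ACCESS::session data set "session.custom.ldap.locked" 1
                log local0. "LDAP logon attempts exhausted for sid=[ACCESS::session sid]"
            }
        } else {
            # Successful logon after earlier failures: reset the counter
            ACCESS::session data set "session.custom.ldap.failures" 0
        }
    }
}
```

After this agent, a branch rule on the next policy item can test the flag (for example the usual APM branch-rule form `expr {[mcget {session.custom.ldap.locked}] == 1}`) and send the session to Deny, while the other branch loops back to the Logon Page for another attempt. The failure count and the LDAP error message end up in /var/log/ltm, which is also where you would look to confirm that the fallback branch is now being executed at all.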
- vmunier_96939
Nimbostratus
Hi Kevin, thanks a lot, you are right: with the "Max Logon Attempts Allowed" set to a value of 1, the fallback agents will get processed. (In my settings I used the default value of 3 attempts.) Is this solution documented by F5? I don't really understand why the fallback agents will be processed with a value of 1, and why this behavior is different between an LDAP and a RADIUS authentication? Have a good day, Vincent