Forum Discussion
Colt_Majkrzak1
Nimbostratus
NimbostratusAPM V11.1HF1 querying Active Directory
Hi Everyone,
I was wondering if anyone could shed some light on an issue I'm having with a LAB setup. I have a pretty average APM policy setup (Built from the wizard), but I'm attempting to check if the users are a member of a AD group, and assigning resources accordingly. So for example, members of Administrators would see the server(s) RDC connections, while everyone else would just be able to access apps/network connect.
To do this, I'm attempting to use 'Active Directory Auth has Passed' AND User is a member of
CN=Administrators, CN=Builtin, DC=mydomain, DC=local, which is set to the top most item in the branch rules. Below that is just a simple 'Active Directory Auth has Passed' condition. On execution of the policy, I will never hit the top most condition, no matter how many ways I've tried it. On further review, I noticed the following in the logging of APM.
Mar 25 22:31:49 apm debug apd[8648]: 01490000:7: AccessPolicyProcessor/AccessPolicy.cpp func: "execute()" line: 294 Msg: Rule to evaluate = "expr { [mcget {session.ad.last.authresult}] == 1 && [mcget {session.ad.last.attr.memberOf}] contains "CN=Administrators, CN=Builtin, DC=mydomain, DC=local" }"
Mar 25 22:31:49 apm debug apd[8648]: 01490000:7: ./AccessPolicyProcessor/Session.h func: "getSessionVar()" line: 240 Msg: variable "session.ad.last.attr.memberOf" was not found in the local cache for session "46ca3a01"
Mar 25 22:31:49 apm debug apd[8648]: 01490000:7: memcache.c func: "mc_convert_session_var_to_mc_key()" line: 854 Msg: Converted Var: session.ad.last.attr.memberOf to Session Var tmm.session.46ca3a01.session.ad.last.attr.memberOf
Mar 25 22:31:49 apm debug apd[8648]: 01490000:7: ./AccessPolicyProcessor/Session.h func: "getSessionVar()" line: 262 Msg: variable "session.ad.last.attr.memberOf" for session "46ca3a01" was not found in MEMCACHED
Which tells me the var in memory is never actually populated. I have ran adtest and verified the F5 VM is able to communicate with AD, so I'm a bit at a loss on how I might get this working. If anyone has any tips, it would be a great help.
Thank You!
Michael_Koyfma1Cirrus
Have you done AD Query action in the VPE? It's needed to populate all the group membership info.
Colt_Majkrzak1Hi Michael,
Thanks for the quick reply, based on your suggestion I added an AD query into the VPE chain, but am still getting the same end result, but logging appears a bit more promising.
Mar 26 00:19:05 apm debug apd[8648]: 01490000:7: ./AccessPolicyProcessor/Session.h func: "getSessionVar()" line: 240 Msg: variable "session.ad.last.attr.memberOf" was not found in the local cache for session "1162ccc9"
Mar 26 00:19:05 apm debug apd[8648]: 01490000:7: memcache.c func: "mc_convert_session_var_to_mc_key()" line: 854 Msg: Converted Var: session.ad.last.attr.memberOf to Session Var tmm.session.1162ccc9.session.ad.last.attr.memberOf
Mar 26 00:19:05 apm debug apd[8648]: 01490000:7: ./AccessPolicyProcessor/Session.h func: "getSessionVar()" line: 262 Msg: variable "session.ad.last.attr.memberOf" for session "1162ccc9" was not found in MEMCACHED
Is there a quick way of logging out to apm or the ltm log what its setting in that session var, maybe my query string is incorrect? Right now I have a security group called 'APM_Full', created under 'Users', so I'd assume this string to be correct
CN=APM_Full, CN=Users, DC=MYDOMAIN, DC=COM ?
Thanks again.
David_StoutYou will need to use an admin account in AD and turn off kerberos pre-authentication.
Also there is a "feature" in the APM you may need to be aware of.
When configuring an AD AAA Server do not enter a Domain Controller name that requires a DNS lookup.
For example if you do an nslookup for the domain controllers for my.domain.com
>nslookup my.domain.com
Server: ns1
Address: 192.168.0.1
Name: my.domain.com
Addresses: 10.1.1.1
10.1.1.2
10.1.1.3
10.1.1.4
In an effort to provide some fault tolerance I originally configured the AAA Server Domain Controller field to contain "my.domain.com" and then let DNS figure out which server to authenticate to. There is a small glitch in the APM Kerberos library which causes Kerberos to contact one server for it's token then try to authenticate the AD User against another server.
To work around this issue (took me a while) I decided to create a VIP for port 88 (kerberos) and point it at the domain controllers. I then entered the VIP IP address in the Domain Controller field. This for me is working well now and allows fault tolerance.
Another thing to note about the APM AD configuration is that the AD Query part is only limited to a single domain. I had confirmation from F5 that it's not really able to work through a whole AD forrest. So instead I used AD for authentication and LDAP for populating the session parameters including memberOf listing. AD Auth and AD Query don't have to go together and in a multi-domain environment and I would recommend the LDAP Query because in testing it worked faster.
There are a lot of "features" with the APM using AD but eventually I got a fully working multiple domain APM policy.- Colt_Majkrzak1Thanks for the reply David, using https://devcentral.f5.com/wiki/APM.QueryAdWithLdap.ashx with some tweaking around, finally solved the issue. Just came down to using a good ldap string. I did also notice it appears when you set an AAA for LDAP you can configure a pool right there as well. Should anyone stumble across this with a similar issue, the resolution is.
Putting a LDAP query item in VPE upstream, searchDN of 'CN=Users,DC=mydomain,DC=com' and I used filter of sAMAccountName=%{session.logon.last.username}.
Now you can either create branches for your group members check here, or spin it off in resource allocation like I did, which I setup an expression of
CN=Administrators,CN=Builtin,DC=mydomain,DC=com
and assigned the RDC instances, and at the bottom an empty Expression with the webtop and other defaults set.
Thanks again to everyone for the replies! 
Mike_61719I needed that link. Thanks!- Mike_61719Hey Colt,
Could you post a sample of your resource allocation? - Colt_Majkrzak1
Hey Mike,
Here's a copy of my current test policy and how I setup the resource allocations. In the VPE there 'full resource allocation' entities.
Thanks
- Colt_Majkrzak1One thing I should note, if your getting a 3000 error message / message about failed login (Check all sessions report, and you'll most likely see a error 3000 for the session). This means you have not assigned a webtop to the session flow, so make sure its set in your resource allocation.
- Mike_61719Makes sense. Thanks for the information!
- Mike_61719Just a FYI for anyone who is doing this. There appears to be a bug in the LDAP lookup query.
If you do something like this:
CN=test-test-1,OU=Groups,DC=mike,DC=mydomain,DC=com
It appears to add the check but it will actually end up like something listed below. It basically adds a space near the com
CN=test-test-1,OU=Groups,DC=mike,DC=mydomain,DC=c om