Forum Discussion
APM V11.1HF1 querying Active Directory
Hi Everyone,
I was wondering if anyone could shed some light on an issue I'm having with a LAB setup. I have a pretty average APM policy setup (built from the wizard), but I'm attempting to check if the users are a member of an AD group, and assigning resources accordingly. So for example, members of Administrators would see the server(s)' RDC connections, while everyone else would just be able to access apps/network connect.
To do this, I'm attempting to use 'Active Directory Auth has Passed' AND User is a member of
CN=Administrators, CN=Builtin, DC=mydomain, DC=local, which is set to the topmost item in the branch rules. Below that is just a simple 'Active Directory Auth has Passed' condition. On execution of the policy, I never hit the topmost condition, no matter how many ways I've tried it. On further review, I noticed the following in the APM logging.
Mar 25 22:31:49 apm debug apd[8648]: 01490000:7: AccessPolicyProcessor/AccessPolicy.cpp func: "execute()" line: 294 Msg: Rule to evaluate = "expr { [mcget {session.ad.last.authresult}] == 1 && [mcget {session.ad.last.attr.memberOf}] contains "CN=Administrators, CN=Builtin, DC=mydomain, DC=local" }"
Mar 25 22:31:49 apm debug apd[8648]: 01490000:7: ./AccessPolicyProcessor/Session.h func: "getSessionVar()" line: 240 Msg: variable "session.ad.last.attr.memberOf" was not found in the local cache for session "46ca3a01"
Mar 25 22:31:49 apm debug apd[8648]: 01490000:7: memcache.c func: "mc_convert_session_var_to_mc_key()" line: 854 Msg: Converted Var: session.ad.last.attr.memberOf to Session Var tmm.session.46ca3a01.session.ad.last.attr.memberOf
Mar 25 22:31:49 apm debug apd[8648]: 01490000:7: ./AccessPolicyProcessor/Session.h func: "getSessionVar()" line: 262 Msg: variable "session.ad.last.attr.memberOf" for session "46ca3a01" was not found in MEMCACHED
Which tells me the var in memory is never actually populated. I have run adtest and verified the F5 VM is able to communicate with AD, so I'm a bit at a loss on how I might get this working. If anyone has any tips, it would be a great help.
Thank You!
28 Replies
- Have you added an AD Query action in the VPE? It's needed to populate all the group membership info.
- Colt_Majkrzak1
Nimbostratus
Hi Michael,
Thanks for the quick reply. Based on your suggestion I added an AD Query into the VPE chain, but I am still getting the same end result; the logging appears a bit more promising, though.
Mar 26 00:19:05 apm debug apd[8648]: 01490000:7: ./AccessPolicyProcessor/Session.h func: "getSessionVar()" line: 240 Msg: variable "session.ad.last.attr.memberOf" was not found in the local cache for session "1162ccc9"
Mar 26 00:19:05 apm debug apd[8648]: 01490000:7: memcache.c func: "mc_convert_session_var_to_mc_key()" line: 854 Msg: Converted Var: session.ad.last.attr.memberOf to Session Var tmm.session.1162ccc9.session.ad.last.attr.memberOf
Mar 26 00:19:05 apm debug apd[8648]: 01490000:7: ./AccessPolicyProcessor/Session.h func: "getSessionVar()" line: 262 Msg: variable "session.ad.last.attr.memberOf" for session "1162ccc9" was not found in MEMCACHED
Is there a quick way of logging out to the apm or ltm log what it's setting in that session var? Maybe my query string is incorrect. Right now I have a security group called 'APM_Full', created under 'Users', so I'd assume this string to be correct:
CN=APM_Full, CN=Users, DC=MYDOMAIN, DC=COM ?
Thanks again.
- David_Stout
Nimbostratus
You will need to use an admin account in AD and turn off Kerberos pre-authentication.
Also there is a "feature" in the APM you may need to be aware of.
When configuring an AD AAA Server do not enter a Domain Controller name that requires a DNS lookup.
For example if you do an nslookup for the domain controllers for my.domain.com
>nslookup my.domain.com
Server: ns1
Address: 192.168.0.1
Name: my.domain.com
Addresses: 10.1.1.1
10.1.1.2
10.1.1.3
10.1.1.4
In an effort to provide some fault tolerance I originally configured the AAA Server Domain Controller field to contain "my.domain.com" and then let DNS figure out which server to authenticate to. There is a small glitch in the APM Kerberos library which causes Kerberos to contact one server for its token, then try to authenticate the AD user against another server.
To work around this issue (took me a while) I decided to create a VIP for port 88 (kerberos) and point it at the domain controllers. I then entered the VIP IP address in the Domain Controller field. This for me is working well now and allows fault tolerance.
Another thing to note about the APM AD configuration is that the AD Query part is limited to a single domain. I had confirmation from F5 that it's not really able to work through a whole AD forest. So instead I used AD for authentication and LDAP for populating the session parameters, including the memberOf listing. AD Auth and AD Query don't have to go together, and in a multi-domain environment I would recommend the LDAP Query because in testing it worked faster.
There are a lot of "features" with the APM using AD, but eventually I got a fully working multiple-domain APM policy.
- Colt_Majkrzak1
Nimbostratus
Thanks for the reply, David. Using https://devcentral.f5.com/wiki/APM.QueryAdWithLdap.ashx with some tweaking, I finally solved the issue. It just came down to using a good LDAP string. I did also notice that when you set up an AAA for LDAP you can configure a pool right there as well. Should anyone stumble across this with a similar issue, the resolution is:
Put an LDAP Query item upstream in the VPE, with a searchDN of 'CN=Users,DC=mydomain,DC=com'; I used a filter of sAMAccountName=%{session.logon.last.username}.
Now you can either create branches for your group membership check here, or spin it off in resource allocation like I did, for which I set up an expression of
CN=Administrators,CN=Builtin,DC=mydomain,DC=com
and assigned the RDC instances, and at the bottom an empty Expression with the webtop and other defaults set.
Thanks again to everyone for the replies!
- Mike_61719
Cirrus
I needed that link. Thanks!
- Mike_61719
Cirrus
Hey Colt,
Could you post a sample of your resource allocation?
- Colt_Majkrzak1
Nimbostratus
Hey Mike,
Here's a copy of my current test policy and how I set up the resource allocations. In the VPE there are 'full resource allocation' entities.
Thanks
- Colt_Majkrzak1
Nimbostratus
One thing I should note: if you're getting a 3000 error message / message about failed login (check the All Sessions report, and you'll most likely see an error 3000 for the session), this means you have not assigned a webtop to the session flow, so make sure it's set in your resource allocation.
- Mike_61719
Cirrus
Makes sense. Thanks for the information!
- Mike_61719
Cirrus
Just an FYI for anyone who is doing this. There appears to be a bug in the LDAP lookup query.
If you do something like this:
CN=test-test-1,OU=Groups,DC=mike,DC=mydomain,DC=com
It appears to add the check, but it will actually end up like what is listed below. It basically adds a space near the 'com':
CN=test-test-1,OU=Groups,DC=mike,DC=mydomain,DC=c om
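The following is an added example, not code from the thread or from F5, that models the resolution posted above offline in Python: the upstream LDAP query keyed on the logon name, then a resource decision made from the memberOf values the query returns. APM evaluates its own Tcl expressions, so this only mirrors the decision logic. It also makes the spacing problems in the thread concrete. The group as typed in the original branch rule, "CN=Administrators, CN=Builtin, ..." with spaces after the commas, never matches a value AD returns without those spaces under a plain substring test like the expression's `contains`, while a DN-normalized comparison matches it; the mangled "DC=c om" value from the last post matches under neither, which is why that bug fails silently. All DNs, memberOf values, usernames and resource names are constructed, and the RFC 4515 escaping of the logon name is an assumption about good practice, since the thread does not say whether APM escapes the substituted session variable.

```python
"""Offline model of the thread's resolution: look the user up with an LDAP
filter keyed on the logon name, then decide resources from the returned
memberOf values. Added example, not code from the thread or from F5; APM
evaluates its own Tcl expressions, this only mirrors the decision logic.
All DNs, usernames and resource names below are constructed."""
import re

# RFC 4515 escapes for a value substituted into an LDAP search filter.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def ldap_filter_escape(value: str) -> str:
    """Escape filter metacharacters so the value is matched literally."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_user_filter(username: str) -> str:
    """Counterpart of the filter sAMAccountName=%{session.logon.last.username}.
    The logon name is user-controlled, so it is escaped before interpolation;
    whether APM escapes the substituted session variable itself is not stated
    in the thread (assumption here: treat the value as untrusted)."""
    return f"(sAMAccountName={ldap_filter_escape(username)})"


def normalize_dn(dn: str) -> str:
    """Canonicalize a DN for comparison: split on unescaped commas, strip the
    whitespace around each RDN and around '=', and lower-case (AD compares
    these attribute types and values case-insensitively). Whitespace inside a
    value is preserved, so 'DC=c om' stays distinct from 'DC=com'."""
    parts = []
    for rdn in re.split(r"(?<!\\),", dn):
        attr, sep, value = rdn.partition("=")
        if not sep:
            raise ValueError(f"malformed RDN in {dn!r}: {rdn!r}")
        parts.append(f"{attr.strip().lower()}={value.strip().lower()}")
    return ",".join(parts)


def substring_match(member_of, group_dn):
    """Behaviour of a plain substring test such as the 'contains' in the
    thread's branch-rule expression: formatting differences break it."""
    return any(group_dn in value for value in member_of)


def is_member(member_of, group_dn):
    """Exact match on normalized DNs: tolerant of spacing and case, but not
    of a corrupted value."""
    target = normalize_dn(group_dn)
    return any(normalize_dn(value) == target for value in member_of)


def assign_resources(member_of, admin_group_dn):
    """Admins get the RDP resources on top of the defaults; everyone else
    gets only the webtop and network access, as the thread describes."""
    resources = ["webtop", "network_access"]
    if is_member(member_of, admin_group_dn):
        resources = ["rdp_server1", "rdp_server2"] + resources
    return resources


# Constructed memberOf values, in the spacing AD actually returns.
SAMPLE_MEMBER_OF = [
    "CN=Administrators,CN=Builtin,DC=mydomain,DC=com",
    "CN=APM_Full,CN=Users,DC=mydomain,DC=com",
    "CN=test-test-1,OU=Groups,DC=mike,DC=mydomain,DC=com",
]
ADMIN_GROUP_DN = "CN=Administrators,CN=Builtin,DC=mydomain,DC=com"
# The same group as typed in the original branch rule, spaces after the commas.
ADMIN_GROUP_DN_SPACED = "CN=Administrators, CN=Builtin, DC=mydomain, DC=com"
# The mangled value from the last post.
MANGLED_GROUP_DN = "CN=test-test-1,OU=Groups,DC=mike,DC=mydomain,DC=c om"

if __name__ == "__main__":
    print(build_user_filter("jdoe"))
    print(build_user_filter("a*)(objectClass=*"))  # metacharacters escaped
    print(substring_match(SAMPLE_MEMBER_OF, ADMIN_GROUP_DN_SPACED))  # False
    print(is_member(SAMPLE_MEMBER_OF, ADMIN_GROUP_DN_SPACED))        # True
    print(is_member(SAMPLE_MEMBER_OF, MANGLED_GROUP_DN))             # False
    print(assign_resources(SAMPLE_MEMBER_OF, ADMIN_GROUP_DN))
```

Whitespace inside a value is deliberately not collapsed by normalize_dn: RFC 4514 only treats whitespace around the RDN separators as insignificant, so the right fix for a "DC=c om" value is to correct the configured string, not to make the comparison more forgiving.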