Forum Discussion
APM V11.1HF1 querying Active Directory
Hi Everyone,
I was wondering if anyone could shed some light on an issue I'm having with a LAB setup. I have a pretty average APM policy setup (built from the wizard), but I'm attempting to check if the users are a member of an AD group, and assigning resources accordingly. So for example, members of Administrators would see the server(s) RDC connections, while everyone else would just be able to access apps/network connect.
To do this, I'm attempting to use 'Active Directory Auth has Passed' AND User is a member of CN=Administrators, CN=Builtin, DC=mydomain, DC=local, which is set to the topmost item in the branch rules. Below that is just a simple 'Active Directory Auth has Passed' condition. On execution of the policy, I will never hit the topmost condition, no matter how many ways I've tried it. On further review, I noticed the following in the logging of APM.
Mar 25 22:31:49 apm debug apd[8648]: 01490000:7: AccessPolicyProcessor/AccessPolicy.cpp func: "execute()" line: 294 Msg: Rule to evaluate = "expr { [mcget {session.ad.last.authresult}] == 1 && [mcget {session.ad.last.attr.memberOf}] contains "CN=Administrators, CN=Builtin, DC=mydomain, DC=local" }"
Mar 25 22:31:49 apm debug apd[8648]: 01490000:7: ./AccessPolicyProcessor/Session.h func: "getSessionVar()" line: 240 Msg: variable "session.ad.last.attr.memberOf" was not found in the local cache for session "46ca3a01"
Mar 25 22:31:49 apm debug apd[8648]: 01490000:7: memcache.c func: "mc_convert_session_var_to_mc_key()" line: 854 Msg: Converted Var: session.ad.last.attr.memberOf to Session Var tmm.session.46ca3a01.session.ad.last.attr.memberOf
Mar 25 22:31:49 apm debug apd[8648]: 01490000:7: ./AccessPolicyProcessor/Session.h func: "getSessionVar()" line: 262 Msg: variable "session.ad.last.attr.memberOf" for session "46ca3a01" was not found in MEMCACHED
Which tells me the var in memory is never actually populated. I have run adtest and verified the F5 VM is able to communicate with AD, so I'm a bit at a loss on how I might get this working. If anyone has any tips, it would be a great help.
Thank You!
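The four apd debug lines above can be checked mechanically rather than by eye. The following Python script is an added example, not part of this post and not an F5 tool: it pulls the branch rule out of the "Rule to evaluate" line, lists every session variable the rule reads through mcget, and cross-references them with the "was not found" lookups, so a variable the rule depends on but which was never set in the session stands out. The log lines are embedded as a constructed sample copied from the post; the regular expressions match only these message shapes, and that other apd builds log the same way is an assumption.

```python
import re

# Constructed sample: the apd debug lines quoted in the post, verbatim.
SAMPLE_LOG = """\
Mar 25 22:31:49 apm debug apd[8648]: 01490000:7: AccessPolicyProcessor/AccessPolicy.cpp func: "execute()" line: 294 Msg: Rule to evaluate = "expr { [mcget {session.ad.last.authresult}] == 1 && [mcget {session.ad.last.attr.memberOf}] contains "CN=Administrators, CN=Builtin, DC=mydomain, DC=local" }"
Mar 25 22:31:49 apm debug apd[8648]: 01490000:7: ./AccessPolicyProcessor/Session.h func: "getSessionVar()" line: 240 Msg: variable "session.ad.last.attr.memberOf" was not found in the local cache for session "46ca3a01"
Mar 25 22:31:49 apm debug apd[8648]: 01490000:7: memcache.c func: "mc_convert_session_var_to_mc_key()" line: 854 Msg: Converted Var: session.ad.last.attr.memberOf to Session Var tmm.session.46ca3a01.session.ad.last.attr.memberOf
Mar 25 22:31:49 apm debug apd[8648]: 01490000:7: ./AccessPolicyProcessor/Session.h func: "getSessionVar()" line: 262 Msg: variable "session.ad.last.attr.memberOf" for session "46ca3a01" was not found in MEMCACHED
"""

# Message shapes taken from the sample above (assumption: other apd builds log the same way).
RULE_RE = re.compile(r'Rule to evaluate = "(?P<rule>.*)"\s*$')
MCGET_RE = re.compile(r'\[mcget \{([^}]+)\}\]')
NOTFOUND_RE = re.compile(
    r'variable "(?P<var>[^"]+)".*?was not found in (?P<where>.+?)(?: for session "[^"]+")?$')
SESSION_RE = re.compile(r'session "(?P<sid>[^"]+)"')


def analyze_apd_log(text):
    """Correlate the evaluated branch rule with failed session-variable lookups.

    Returns a dict with the session id, the rule text, the variables the rule
    reads via mcget, the stores in which each failed lookup was reported, and
    the referenced variables that were never resolved.
    """
    rule = None
    referenced = []
    missing = {}          # variable -> list of stores where the lookup failed
    sid = None
    for line in text.splitlines():
        m = RULE_RE.search(line)
        if m:
            rule = m.group('rule')
            referenced = MCGET_RE.findall(rule)
            continue
        m = NOTFOUND_RE.search(line)
        if m:
            missing.setdefault(m.group('var'), []).append(m.group('where'))
            s = SESSION_RE.search(line)
            if s:
                sid = s.group('sid')
    unresolved = [v for v in referenced if v in missing]
    return {'session': sid, 'rule': rule, 'referenced': referenced,
            'missing': missing, 'unresolved': unresolved}


def report(result):
    """Human-readable summary: one line per unresolved variable."""
    lines = []
    for var in result['unresolved']:
        stores = ' and '.join(result['missing'][var])
        lines.append('session %s: rule reads %s but it was not found in %s; '
                     'it was never set in this session'
                     % (result['session'], var, stores))
    if not lines:
        lines.append('all variables referenced by the rule were resolved')
    return lines


if __name__ == '__main__':
    for line in report(analyze_apd_log(SAMPLE_LOG)):
        print(line)
```

Run against the sample, the report names session 46ca3a01 and session.ad.last.attr.memberOf as the variable the rule reads that was found in neither the local cache nor memcached, which is the question the rest of the thread turns on: which agent is supposed to write that variable before the branch rule runs.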
28 Replies
- Colt_Majkrzak1
Nimbostratus
Mike,
Which TMOS version are you running on? I'm on 11.1 HF2 and haven't noticed this. Are you getting no/invalid responses on the query, or might it be something just visual in the APM logging?
- Mike_61719
Cirrus
11.1, no hotfix. I get no value in return for the lookup.
- Colt_Majkrzak1
Nimbostratus
Mike,
Are you able to update to HF2? I saw F5 fix a lot of 'features' in the HF2 update.
- Mike_61719
Cirrus
I'm on the VE and unable to update for some reason. I'll try and figure out why it won't update.
- David_Stout
Nimbostratus
I didn't have that issue with the LDAP lookup. However, I did things a little differently so it could scale a little better. The LDAP query is just a simple query of (sAMAccountName=%{session.logon.last.username}) against the top-level domain.
When the query is run, all the session parameters get populated by the query, including the memberOf attribute. If you configure the group membership checks within the LDAP Query check, then the size of the box will increase every time you add a new group to check against. So with 100 AD group checks you have a box that has 100 lines out of it. This doesn't look good. Instead I have moved the Group Membership check to a SINGLE resource assign box. I have attached a couple of screenshots on how I would recommend doing it.
- Colt_Majkrzak1
Nimbostratus
David,
Good point, I will probably make the change when I move things out of the lab into a larger scale.
Mike,
The VE by default will not put an image on 1.2, so you'll have to upload the 11.1 ISO into the VE, along with the HF2 hotfix. You can then click the hotfix, install it to 1.2 (it will automatically install the base 11.1 from the present ISO), and roll your config from 1.1 to 1.2. Once complete, just switchboot (command line) or activate the new boot volume (web GUI), and you should be all set. The process tripped me up at first when dealing with the VE, but it really does act/function like a real appliance. Even in Viprion with vCMP guests, the process is the exact same (you have to do the update per guest, and populate 1.2).
- Scott_Thistle_5
Nimbostratus
I saw the same issue. However, I simply copy/pasted the line and ignored what it looked like on the screen. I think that space is cosmetic.
- Mike_61719
Cirrus
Strange, it comes up with a null value.
I'm going to update to the hotfix 2 patch today and see what happens.
- farache_28983
Nimbostratus
I am having the same issue as DenisG...
Doing LDAP auth is not working over multiple domains, since I think it cannot look up users in child domains (unless I am mistaken). Doing AD auth yields the same error.
Eventually I will need to do an LDAP query, but for now I just need to get the users across 6 different sub-domains authenticated.
- Right - LDAP auth is not going to work well/easily for multiple domains, as the user needs to be authenticated against each individual AD controller that's responsible for the domain. Do you have Cross Domain Support set to Enabled? Are your users entering their credentials in the full UPN notation: user@child.domain.com? Is APM able to reach all domain controllers responsible for each of the child domains?
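Two details in the thread deserve a concrete check: David's LDAP query (sAMAccountName=%{session.logon.last.username}) substitutes whatever the user typed at the logon page into a search filter, and Mike's branch rule compares the group DN to memberOf with Tcl's substring `contains`, which is sensitive to the spacing after commas that Scott calls cosmetic. The Python below is an added example, not code from this thread or from F5. It escapes the logon name per RFC 4515 before it is placed in the filter, so filter metacharacters in a username cannot change the query, and it compares group DNs RDN by RDN after folding case and stripping the whitespace around commas, so the membership check does not depend on how the DN was typed. The memberOf string and usernames are constructed samples; that APM stores a multi-valued attribute as one '|'-separated string is an assumption made here.

```python
import re

# Constructed sample of a memberOf session variable. Assumption: APM joins a
# multi-valued attribute into one string with '|' between the values.
RAW_MEMBEROF = ('|CN=Administrators,CN=Builtin,DC=mydomain,DC=local'
                '|CN=Remote Desktop Users,CN=Builtin,DC=mydomain,DC=local|')

# RFC 4515: these characters must be hex-escaped inside an assertion value.
_FILTER_ESCAPES = {'\\': r'\5c', '*': r'\2a', '(': r'\28', ')': r'\29', '\x00': r'\00'}


def escape_ldap_filter_value(value):
    """Escape a string for use as an assertion value in an LDAP search filter."""
    return ''.join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def samaccountname_filter(username):
    """Build the query David describes, with the logon name escaped first."""
    return '(sAMAccountName=%s)' % escape_ldap_filter_value(username)


def parse_memberof(raw):
    """Split the joined memberOf string into individual DNs (assumed '|' separator)."""
    return [v.strip() for v in raw.split('|') if v.strip()]


def normalize_dn(dn):
    """Canonical form of a DN: a tuple of (type, value) pairs with case folded
    and whitespace around each RDN removed. A comma escaped with a backslash
    is part of a value, not an RDN separator."""
    parts = []
    for rdn in re.split(r'(?<!\\),', dn):
        attr, _, value = rdn.strip().partition('=')
        parts.append((attr.strip().lower(), value.strip().lower()))
    return tuple(parts)


def tcl_contains(raw, needle):
    """The plain substring test a branch rule's `contains` performs."""
    return needle in raw


def is_member_of(raw, group_dn):
    """Exact DN match against memberOf, insensitive to case and comma spacing."""
    target = normalize_dn(group_dn)
    return any(normalize_dn(dn) == target for dn in parse_memberof(raw))


if __name__ == '__main__':
    print(samaccountname_filter('jdoe'))
    print(samaccountname_filter('*)(objectClass=*'))
    spaced = 'CN=Administrators, CN=Builtin, DC=mydomain, DC=local'
    print('contains:', tcl_contains(RAW_MEMBEROF, spaced),
          'exact match:', is_member_of(RAW_MEMBEROF, spaced))
```

With the sample memberOf value, the DN written with spaces after the commas fails the substring test but passes the normalised comparison; a DN for a group the user is not in fails both. The escaping function is the piece to keep in mind whenever a session variable taken from user input is interpolated into a filter, whatever the product.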