Daniel_Elkins
Oct 06, 2020

Authentication: Remote - Active directory + Microsoft RBAC

I have configured user authentication using Remote - Active directory, but it does not seem to be properly searching groups and applying the appropriate roles.

I have confirmed at the CLI that we have LDAPS working to bind and find accounts:

ldapsearch -xLLL -H 'ldap://<my AD server>' -b "<my search base>" -s sub -D "<my bind account>" -w '<my bind password>' "(samAccountName=adm_delkins)"

The output finds the groups I am a member of as follows:

<truncated for brevity>
DC=local
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: Dan Elkins
sn: Elkins
memberOf: CN=RBaC-<mydomain>-Network,OU=<my local domain OU>,DC=<my domain>,DC=<my TLD>
memberOf: CN=Domain Admins,CN=Users,DC=<My domain>,DC=<my tld>

My user account is a member of my Microsoft Active Directory RBAC group.

This Microsoft Active Directory RBAC group is a member of the group created for F5 Admin.

I have created these same groups on my LTM in the remote role groups with the same name as my AD group that RBAC is a member of:

The only way I can validate that I can authenticate to LDAP at all is when I enable the "External Users" in the authentication config. This successfully authenticates me with LDAP, but since I don't match any groups, it just logs me in as Guest instead of Administrator. At least I can see LDAP working ...

While working with another vendor I had to configure that system to use a recursive LDAP search in order to get LDAP to work with the Microsoft Active Directory RBAC groups.

If this is possibly the same issue, is there a method to enable a recursive search on the F5?

If this is not likely the issue, what have I configured incorrectly that is preventing my users from authenticating with proper roles?

Any pointers would be appreciated as I need to get a working solution.

  • This issue was resolved via F5 support, who advised me to modify the configuration in "remote role group" to add "memberOf=" in front of the group name I entered in the attribute string field for the defined group. This allowed me to log in with a user in Active Directory who was explicitly assigned to the group in question.

    Bad example:

    CN=F5Admins,OU=<myDomain> Users & Groups,DC=<myDomain>,DC=local

    Working example:

    memberOf=CN=F5Admins,OU=<myDomain> Users & Groups,DC=<myDomain>,DC=local

    I have however discovered that if you have this group in another nested group within Active Directory, authentication still fails. From what I have researched, the limited scope available in the LDAP configuration is lacking the "recursive" query option for LDAP.

    https://clouddocs.f5.com/cli/tmsh-reference/v15/modules/auth/auth_ldap.html?highlight=ldap

    This document shows that even at the CLI configuration within TMSH the only options for query scope are:

    scope [base | one | sub]

    The good news is, this particular issue of group configuration has been resolved, but the new issue of nested group memberships is still broken to my knowledge.
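Editor's note on the nested-group problem above, with an added CLI example that is not part of the original post or of F5's product. The `scope [base | one | sub]` setting controls how deep beneath the search base the server looks for entries; it has nothing to do with group nesting. A plain `memberOf=<group DN>` compare (the working attribute string in the reply) matches only users whose own `memberOf` lists that exact DN, which is why a user who reaches F5Admins only through another group is not matched. Active Directory can resolve nesting server-side when the filter uses the extensible-match rule LDAP_MATCHING_RULE_IN_CHAIN (OID 1.2.840.113556.1.4.1941). The script below uses that rule with ldapsearch to tell "nested member but not direct member" apart from "not a member at all", which is the diagnostic a practitioner wants before changing the BIG-IP config; whether that filter can be used inside the BIG-IP role lookup itself is not covered by this thread. Hostnames, DNs, the bind account and the password file path are hypothetical placeholders; the sample LDIF is constructed so the counting logic runs offline.

```shell
#!/bin/sh
# Added example (not from the original post): check nested AD group membership
# from the CLI, contrasting a direct memberOf compare with the server-side
# recursive rule LDAP_MATCHING_RULE_IN_CHAIN (1.2.840.113556.1.4.1941).

# Hypothetical values; substitute your own.  The bind password is read from a
# file with -y so it does not land in shell history or `ps` output.
LDAP_URI="${LDAP_URI:-ldaps://dc01.example.local}"
BASE_DN="${BASE_DN:-DC=example,DC=local}"
BIND_DN="${BIND_DN:-CN=svc-f5-ldap,OU=Service Accounts,DC=example,DC=local}"
PASS_FILE="${PASS_FILE:-/root/.f5-ldap-bind.pw}"

# Direct membership only: this is what an attribute string of the form
# memberOf=<group DN> compares, so users reaching the group via nesting miss.
direct_member_filter() {
  printf '(&(sAMAccountName=%s)(memberOf=%s))' "$1" "$2"
}

# Transitive membership: AD walks the nested group chain when the memberOf
# comparison carries the IN_CHAIN matching rule OID.  AD-specific, and more
# expensive for the DC than a plain compare.
nested_member_filter() {
  printf '(&(sAMAccountName=%s)(memberOf:1.2.840.113556.1.4.1941:=%s))' "$1" "$2"
}

# Count entries in LDIF read from stdin: one "dn:" line per returned object
# (continuation lines start with a space, so long DNs are still counted once).
count_entries() {
  n=$(grep -c '^dn:' || true)
  printf '%s\n' "$n"
}

# Run both searches.  "-s sub" is the subtree scope, the widest the BIG-IP
# LDAP config offers; "1.1" asks for no attributes, only the DN of each hit.
# Exit 0 when the user is a nested member but not a direct one (the case the
# reply above says fails on the F5), 1 otherwise.
check_membership() {
  user="$1"; group_dn="$2"
  direct=$(ldapsearch -x -LLL -H "$LDAP_URI" -D "$BIND_DN" -y "$PASS_FILE" \
             -b "$BASE_DN" -s sub "$(direct_member_filter "$user" "$group_dn")" 1.1 \
           | count_entries)
  nested=$(ldapsearch -x -LLL -H "$LDAP_URI" -D "$BIND_DN" -y "$PASS_FILE" \
             -b "$BASE_DN" -s sub "$(nested_member_filter "$user" "$group_dn")" 1.1 \
           | count_entries)
  printf 'user=%s direct=%s nested=%s\n' "$user" "$direct" "$nested"
  [ "$direct" -eq 0 ] && [ "$nested" -gt 0 ]
}

# Constructed sample of what a successful match looks like with "1.1", so the
# LDIF counting can be exercised without a directory.
SAMPLE_LDIF='dn: CN=Dan Elkins,OU=Example Users,DC=example,DC=local
'
count_sample() { printf '%s' "$SAMPLE_LDIF" | count_entries; }

# Only talk to the directory when explicitly asked:
#   RUN_LDAP_CHECK=1 sh nested_check.sh adm_delkins 'CN=F5Admins,OU=...,DC=example,DC=local'
if [ "${RUN_LDAP_CHECK:-0}" = 1 ]; then
  check_membership "${1:-adm_delkins}" \
    "${2:-CN=F5Admins,OU=Example Users & Groups,DC=example,DC=local}"
fi
```

If `direct=0 nested=1` comes back for a user who cannot get the Administrator role, the remote role group entry (`memberOf=CN=F5Admins,...` in the reply above) is correct and the failure is the nesting, not the attribute string; the short-term fix is to make such users direct members of the group named in the attribute string, or to create a remote role group entry per nested group.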