Forum Discussion

Daniel_Elkins's avatar
Icon for Nimbostratus rankNimbostratus
Oct 06, 2020

Authentication: Remote - Active directory + Microsoft RBAC

I have configured user authentication using Remote - Active directory, but it does not seem to be properly searching groups and applying the appropriate roles.




 I have confirmed at the CLI that we have LDAPS working to bind and find accounts


ldapsearch -xLLL -H 'ldap://<my AD server>' -b "<my search base>" -s sub -D "<my bind account>" -w '<my bind password>"(samAccountName=adm_delkins)"


the output finds the groups I am a member of as follows:

<truncated for brevity>


objectClass: top

objectClass: person

objectClass: organizationalPerson

objectClass: user

cn: Dan Elkins

sn: Elkins

memberOf: CN=RBaC-<mydomain>-Network,OU=<my local domain OU>,DC=<my domain>,DC=<my TLD>

memberOf: CN=Domain Admins,CN=Users,DC=<My domain>,DC=<my tld>


My user account is a member of my Microsoft Active Directory RBAC group





This Microsoft Active Directory RBAC group is a member of the group created for F5 Admin





I have created these same groups on my LTM in the remote role groups with the same name as my AD group that RBAC is a meber of:





The only way I can validate that I can authenticate to LDAP at all is when I enable the "External Users" in the authentication config. This successfully authenticates me with LDAP, but since I don't match any groups, it just logs me in as Guest instead of Administrator. At least I can see LDAP working ...





While working with another vendor I had to configure that system to use a recursive LDAP search in order to get LDAP to work with the Microsoft Active Directory RBAC groups.


If this is possibly the same issue, is there a method to enable a recursive search on the F5.


If this is not likely the issue, what have I configured incorrectly that is preventing my users from authenticating with proper roles?

Any pointers would be appreciated as I need to get a working solution.


1 Reply

  • This issue was resolved via F5 supoport who advised me to modify the configuration in "remote role group" to add "memberOf=" in front of group name I entered in the attribute string field for the defined group. This allowed me to log in with a user in active directory was explicitly assigned to the group in question.


    Badd example:


    CN=F5Admins,OU=<myDomain> Users & Groups,DC=<myDomain>,DC=local


    Working example:


    memberOf=CN=F5Admins,OU=<myDomain> Users & Groups,DC=<myDomain>,DC=local


    I have however discovered that if you have this group in another nested group within Active Directory authentication still fails. From what I have researched the limited scope available in the LDAP configuration is lacking the "recursive" query option for LDAP.


    This document shows that even at the CLI configuration within TMSH the only options for query scope are:


    scope [base | one | sub]


    The good news is, this particular issue of group configuration has been resolved, but the new issue of nested group memberships is stillbroken to my knowledge.