Big-IQ LDAP User Bind Template
After digging some more, I found the info below. I confirmed with our AD team that the user ID is the separate sAMAccountName and can't be used with DN format, so the only way we can use our username is with a UPN-formatted template. According to the info below, support for UPN is supposed to be in 6.0, but we installed 6.1 and the UPN format is not supported in the GUI, so I don't know what the deal is. I have that question in to F5 and am awaiting a response.
680899 : Support for UPN binding in Active Directory authentication providers
Component: REST Framework and TMOS Platform
Symptoms:
BIG-IQ 5.4 and earlier does not allow binding to Active Directory using the UPN (e.g., username@example.com), but only using the DN (cn=username,dc=example,dc=com).
Conditions:
Authentication.
Impact:
This is unwieldy and rather uncommon in an environment using an Active Directory domain controller. Moreover, we mandated using a dedicated bind account for both LDAP and AD authentication providers, which is not allowed in certain organizations.
Workaround:
Use a DN to bind to Active Directory
Fix:
BIG-IQ version 6.0.0 now includes support for binding to external Active Directory auth providers using a User Bind Template either in the User Principal Name (UPN) format, e.g., {username}@domainname.example.com, or in the Down-Level Logon Name format, e.g., domainname\{username}.
We also no longer require specifying a bind user to authenticate a user against an external LDAP or Active Directory authentication provider.
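The three User Bind Template formats named in the release note above, shown as an added example that is not part of the original post and is not BIG-IQ's code. The function names and the character rules applied to the username are assumptions made for illustration; only the `{username}` placeholder and the template shapes come from the note.

```python
import re

PLACEHOLDER = "{username}"  # placeholder as written in the release note

def classify_template(template: str) -> str:
    """Return 'upn', 'down-level' or 'dn' for a User Bind Template."""
    if PLACEHOLDER not in template:
        raise ValueError("template has no {username} placeholder")
    if re.fullmatch(r"\{username\}@[A-Za-z0-9.-]+", template):
        return "upn"            # {username}@domainname.example.com
    if re.fullmatch(r"[A-Za-z0-9.-]+\\\{username\}", template):
        return "down-level"     # domainname\{username}
    if re.search(r"(?i)\b(cn|uid|ou|dc)=", template):
        return "dn"             # cn={username},dc=example,dc=com
    raise ValueError("unrecognised bind template format")

def escape_dn_value(value: str) -> str:
    """Escape an attribute value for use inside a DN (RFC 4514)."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in '"+,;<>\\':
            out.append("\\" + ch)
        elif ch == "\0":
            out.append("\\00")
        elif (ch == " " and i in (0, last)) or (ch == "#" and i == 0):
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)

def expand_bind_template(template: str, username: str) -> str:
    """Build the bind identity sent to the directory for this login name."""
    kind = classify_template(template)
    if not username:
        raise ValueError("empty username")
    if kind == "dn":
        # A raw ',' or '+' in the name would otherwise add or split RDNs.
        return template.replace(PLACEHOLDER, escape_dn_value(username))
    # Assumed rule: for UPN and down-level forms, refuse characters that
    # would move the name into another domain or account component.
    if re.search(r"[@\\/\x00-\x1f]", username):
        raise ValueError("username contains a separator or control character")
    return template.replace(PLACEHOLDER, username)

if __name__ == "__main__":
    # Constructed sample inputs.
    for tpl in ("{username}@domainname.example.com",
                "domainname\\{username}",
                "cn={username},dc=example,dc=com"):
        print(classify_template(tpl), "->", expand_bind_template(tpl, "jdoe"))
```
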