Forum Discussion
tarsier_90410
Nimbostratus
Mar 11, 2010
client authentication with Active Directory LDAP ???
I've searched these forums, the F5 docs, and Google but am coming up empty. Also, hopefully this is enough on topic to not get deleted, but based on my searches it appears others have struggled with this as well, yet there are no clear answers... Has anyone successfully configured Active Directory and LTM to perform client authentication? (i.e. not LTM mgmt users, but web clients via iRules with an authentication config and profile)
Everything I try is failing, and I am not sure if it is an LTM config issue, or if specific permissions are needed for the bind account in AD. Unfortunately I do not have domain admin rights so need to ask someone else to make changes to the bind account permissions, and do not know which specific AD setting to request.
I have set up similar configurations with Novell eDirectory and OpenLDAP and it was a snap, but something about the way AD works appears to be different.
Network routes and firewall rules have been verified with ldapsearch from the LTM console.
Have tried both the single domain LDAP on tcp/389 as well as the AD Global Catalog tcp/3268.
Have tried various formats for Bind DN and the client user name as passed from the iRule: cn=binduser,ou=users,dc=domain,dc=com; binduser@domain.com; binduser; domain\binduser.
Have tried various fields for login attribute: CN, DN, userPrincipalName, sAMAccountName
Any assistance is greatly appreciated.
hoolio
Cirrostratus
I haven't tried configuring client auth against AD, but I have done admin auth. If you're getting auth failures, you might try capturing tcpdumps between LTM and the AD server, and viewing them in Wireshark. Wireshark will help you with protocol analysis of the LDAP traffic. You can compare your working ldapsearches from the command line with the actual queries LTM makes based on the auth config.
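As an added example (not code from either poster or from F5), the helper below classifies the four login formats listed in the question (DN, user@domain, DOMAIN\user, bare name), maps each to the AD attribute it normally matches, and escapes the client-supplied value per RFC 4515 before it is placed in a search filter, since an iRule hands the directory whatever the web client typed. The attribute mapping (userPrincipalName for user@domain, sAMAccountName for DOMAIN\user and bare names) is an assumption about a default AD schema, not something the thread confirms.

```python
import re

# Constructed helper: normalize an AD login string from a web client into
# (form, attribute, search filter). Not F5/LTM code; assumes a standard AD
# schema where user@domain is userPrincipalName and DOMAIN\user or a bare
# name is sAMAccountName.

_DN_RE = re.compile(r"^\s*(cn|uid)=", re.IGNORECASE)


def escape_filter_value(value: str) -> str:
    """Escape a user-supplied value for an LDAP search filter (RFC 4515):
    backslash, '*', '(', ')' and NUL become \\XX hex escapes so the client
    cannot alter the filter structure."""
    out = []
    for ch in value:
        if ch in "\\*()\x00":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def classify_login(login: str):
    """Return (form, attribute, filter) for one of the login formats
    tried in the question."""
    login = login.strip()
    if _DN_RE.match(login):
        # Full DN: search on distinguishedName rather than binding blindly.
        return ("dn", "distinguishedName",
                "(distinguishedName=%s)" % escape_filter_value(login))
    if "\\" in login:
        # NetBIOS style DOMAIN\user: only the user part is the attribute.
        _domain, _, user = login.partition("\\")
        return ("netbios", "sAMAccountName",
                "(sAMAccountName=%s)" % escape_filter_value(user))
    if "@" in login:
        return ("upn", "userPrincipalName",
                "(userPrincipalName=%s)" % escape_filter_value(login))
    return ("bare", "sAMAccountName",
            "(sAMAccountName=%s)" % escape_filter_value(login))


if __name__ == "__main__":
    for sample in ("cn=binduser,ou=users,dc=domain,dc=com",
                   "binduser@domain.com", "binduser", "domain\\binduser",
                   "bind*)(user"):
        print(sample, "->", classify_login(sample))
```

Comparing the filter this produces with the one seen in the tcpdump/Wireshark capture hoolio suggests is a quick way to tell whether LTM is searching on the attribute you expect.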