Forum Discussion

Thong_196816's avatar
Icon for Nimbostratus rankNimbostratus
Jul 13, 2015

configure f5 login using AD



I need to configure to use AD account to login to the f5 configurations utility. I found an article for this


when select remote - active directory, questions: 1.) remote directory tree - what is the example of this parameter looks like ?


2.) for scope field, which options recommended ? SUB or BASE ?


if anyone configure this previously ? hope to share the settings..:) thank you


5 Replies

  • belows are the configurations, I cannot login using f5admin....


    System >> Authentication Authentication Source


    User Directory: Remote - Active Directory Host : 172.16.X.X Port: 389 Remote Directory Tree: OU=usergroup, OU=acme ,DC=labs.contoso,dc=com Scope: Sub Bind DN: cn=f5admin,OU=usergroup, OU=acme ,DC=labs.contoso,dc=com Check Member Attribute in Group: Enabled SSL: Disabled External Users: Role: Administrator


  • For what? The Bind operation, or as the user to log on to the BIG-IP with? If the former, try setting Scope to Base. Otherwise, you need just enough permissions on the Bind account to perform a query.


    In any case, try watching the LDAP traffic with a WireShark capture. LDAP is pretty verbose about its errors, so you should see what's going on inside the capture.


  • Looking back at previous posts, it looks like you're using the f5admin account as the Bind account. This is the account that logs into the AD and performs the query, so it needs enough permissions to do so.


    Are you also using this same account to attempt to log into the BIG-IP management GUI?


    In any case, the LTM log is just telling you that it failed. We know that. You really need to look at a WireShark capture of the LDAP traffic to see why it's failing.


  • If you can install WireShark anywhere, you can do a tcpdump from the BIG-IP and export it to WireShark:

    tcpdump -lnni 0.0 port 389 -s0 -w ad_capture.pcap

    This will listen on all interfaces for port 389 (LDAP) traffic, set snaplen to 0 so that tcpdump doesn't concatenate anything, and write this capture to a file. You can then scp this file to another machine and open it with WireShark.

  • hi @thong_196816 : kindly please let me know is this issue resolve. if yes can you please provide the resolution steps to this issue. currently i am at same issue facing. kindly please provide your solution. Thanks in advance.