Forum Discussion
NimbostratusConfiguring Active Directory Authentication for BIG-IP Configuration Utility
So far, I haven't been able to get it to work. It would be great if someone could share an example of a working config. Here's what I have:
System >> Authentication
Authentication Source
User Directory: Remote - Active Directory
Configuration
Host: 192.168.xxx.xxx
Port: 389
Remote Directory Tree: OU=AppHosting,OU=Employees,OU=DPO Users,DC=dpo,DC=net
Scope: Base
Bind DN: administrator@dpo.net
User Template: %s@dpo.net
SSL: not enabled
All the accounts for users who need to log on are contained in the AppHosting OU. I also have the Other External Users' Web User Role set to Administrator.
Thanks for your help!
5 Replies
smp_86112Cirrostratus
Hi. I spent quite a lot of time on this, and in the end was successful. I am running 6400s (9.3.1) and 5100s (9.1.2). I also got this to work with a couple of GTMs.
It looks to me like you are very close. I think the "Bind DN" value is tripping you up. Try changing that value to the Distinguished Name of the "administrator@dpo.net" account: i.e CN=administrator,OU=AppHosting,OU=Employees,OU=DPO Users,DC=dpo,DC=net
Your use of the User Template is interesting. I haven't used this value myself. I read the help more closely, and it is not very clear about this means or how its used. For example, the first line in the Help isDisplays the distinguished name of the user who is logging on
, which implies to me that it is only used for display purposes somewhere (of course it doesn't indicate where). Then in the next sentence, a conflict appears with the display-only implication:and passes that as the distinguished name for the bind operation
. This dialog box and associated help is totally unclear to me. It would be great if someone could clarify. However I got it to work without using a User Template value.
ZacMatic_101240I tried your suggestion for the "Bind DN" value, and I removed the "User Template" value, but I still can't log on to the Configuration Utility using my AD credentials. One of my coworkers called F5 for support, but the tech he talked to said this was an "implementation issue," which is therefore only addressed by a consultant. Pretty frustrating!- ZacMatic_101240Good news: we got it working. For whatever reason, the built-in administrator account wasn't working. I made a new domain admin account to use for the LDAP query binding, and now everything works as expected.
StacyAnn_257051Altostratus
I had the same issue and this link helped me, the trick is to add a group with the same exact name of your active directory group under Remote Role Groups, when adding the attribute string be sure to use memberOf=. this link also provides some good information. https://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/tmos-implementations-11-1-0/16.html
RickMAbove where you have "Scope: Base" this was giving me problems, I had specified the OU where the users are listed, but it did not work until I changed it to "sub".
Some troubleshooting tips I ran across while setting this up -- if you capture the LDAP traffic with TCPDUMP, read the cap with Wireshark and it will show you the LDAP conversation and you can see the errors - so helpful.
Another tool is LDP.EXE which I found was already on my domain controller. With this tool, you can perform the simple bind, to validate your bind DN and password, and also you can run the search - to validate that part of your configuration. You'll enter the same DN for your search base, and pick the same Base/Sub selection, then configure the search filter as (samaccountname=testuser). You'll be able to see the results immediately.
![\"F5](\"https://www.f5.com/content/dam/f5/f5-logo.svg\"){kind=logo}
