Forum Discussion
Having trouble configuring AD group authentication and authorization.
Hello, I am trying to deploy AD authentication and privileges by AD group. The goal is no local user accounts.
F5 LTM V10.2.4
Here is the configuration, which allows authentication but applies guest privilege (RO). I am sure that ADMIN_LTM_SUPPORT exists in AD and that I am a member of it. It would seem that I am being logged in as guest and not as an administrator associated with ADMIN_LTM_SUPPORT. If I change the auth type to "Remote Active Directory", authentication fails as well. Our AD administrator indicates that the attributes associated with the group are the following:
ADMIN_LTM_SUPPORT,ou=Global,ou=Groups,dc=cguser,dc=company,dc=com
I'd welcome any suggestions for debugging this. I'm a newb when it comes to AD/LDAP. Thank you. -Jim
remote users {
    default role guest
}
remoterole {
    role info ADMIN_LTM_SUPPORT {
        attribute "memberOF=cn=grp-ADMIN_LTM_SUPPORT,ou=Global,ou=Groups,dc=cguser,dc=company,dc=com"
        console "enable"
        line order 1000
        role "administrator"
        user partition "all"
    }
}
auth ldap system-auth {
    service ldaps
    ssl enable
    search base dn "dc=capgroup,dc=com"
    bind dn "cn=grp-ADMIN_LTM_SUPPORT,ou=Global,ou=Groups,dc=cguser,dc=company,dc=com"
    login attr "uid"
    servers "ldap"
}
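An added diagnostic script (mine, not from this thread or from F5) for the remote-role matching question above. It assumes the F5 compares the configured remoterole attribute string against the memberOf values returned for the logging-in user, normalizes both sides before comparing, and also checks whether the configured search base DN actually contains the group DN. The LDIF sample is constructed and uses the group DN the AD administrator quoted, so the posted value with the "grp-" prefix is what the script reports as not matching.

```python
"""Check an F5 remoterole 'attribute' value against a user's LDAP memberOf values.

Assumption (not verified against F5 documentation): the F5 compares the configured
attribute value to the memberOf values returned for the logged-in user.
All sample data below is constructed for illustration.
"""
import re

# Constructed LDIF, shaped like an ldapsearch result for the logging-in user.
# The group DN is the one the AD administrator quoted (no "grp-" prefix).
SAMPLE_LDIF = """\
dn: CN=jsmith,OU=Users,DC=cguser,DC=company,DC=com
uid: jsmith
memberOf: CN=ADMIN_LTM_SUPPORT,OU=Global,OU=Groups,DC=cguser,DC=company,DC=com
memberOf: CN=VPN-Users,OU=Global,OU=Groups,DC=cguser,DC=company,DC=com
"""

# Constructed excerpt of a remoterole stanza in the form the poster used.
SAMPLE_ROLE_CONFIG = (
    'role info ADMIN_LTM_SUPPORT { attribute "memberOF=cn=grp-ADMIN_LTM_SUPPORT,'
    'ou=Global,ou=Groups,dc=cguser,dc=company,dc=com" role "administrator" }'
)


def normalize_dn(dn):
    """Lower-case each RDN and strip spaces so DNs compare by value, not spelling."""
    return [part.strip().lower() for part in dn.split(",")]


def extract_role_attribute(config_text):
    """Pull the quoted attribute value out of a remoterole stanza."""
    match = re.search(r'attribute\s+"([^"]+)"', config_text)
    return match.group(1) if match else None


def parse_member_of(ldif):
    """Collect the user's memberOf DNs from LDIF text."""
    return [normalize_dn(line.split(":", 1)[1])
            for line in ldif.splitlines() if line.lower().startswith("memberof:")]


def role_matches(attribute, ldif):
    """True when the attribute is memberOf=<DN> and <DN> is one of the user's groups."""
    name, _, expected = attribute.partition("=")
    if name.strip().lower() != "memberof":
        return False
    return normalize_dn(expected) in parse_member_of(ldif)


def base_covers(search_base_dn, group_dn):
    """True when the group DN sits beneath the configured search base DN."""
    base, group = normalize_dn(search_base_dn), normalize_dn(group_dn)
    return len(group) >= len(base) and group[-len(base):] == base
```

Feed it the real LDIF from an ldapsearch of your own account and the attribute string from your config; a False from base_covers means the search base can never return that group.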
1 Reply
- David_Larsen
Employee
You need to validate that your F5 can resolve "ldap" to an IP address. In my configurations, which are similar, occasionally the F5 can't resolve a DNS name for the servers value. I have taken to using an IP address that is actually a VIP on one of my load balancers. This makes it more specific what it is connecting to.