Forum Discussion
How do you get Big-IQ to work with Active Directory for authentication?
Does anyone know of a link to F5 documentation about how to get Big-IQ to work with Active Directory to authenticate users? I've worked with the LDAP auth setup on Big-IQ, and was able to get as far as getting a user account to automatically add to the box if it's present in AD. But what I really want to do is get it to behave like an LTM doing AD remote auth, specifically with these two features:
1. No access for users not in a specific AD group.
2. For those in a group, assign them admin rights automatically.
This seems much more difficult than the LTM because in Big-IQ you have to treat AD like a raw LDAP server, and I'm not an LDAP expert. But I imagine almost everyone using Big-IQ must have faced this, so I'm sure there's documentation about how to work with AD out there; I'm just having trouble finding it.
8 Replies
- Kyle_Oliver
Employee
First you must set up your LDAP authentication under BIG-IQ System. Docs for that are here: https://support.f5.com/kb/en-us/products/big-iq-centralized-mgmt/manuals/product/bigiq-central-mgmt-initial-setup-4-6-0/4.html#unique_78898411
After your LDAP auth provider is set up, you can assign users and groups to roles here: https://support.f5.com/kb/en-us/products/big-iq-centralized-mgmt/manuals/product/bigiq-central-mgmt-device-4-6-0/9.html#unique_1118044730
Hint: if the group search button does not populate a list of groups, you need to go back and edit your LDAP auth provider settings in step 1 above.
- Algebraic_Mirror
Cirrostratus
Hi Kyle. I've tried that, but I seem unable to get the correct settings for LDAP (my remote group list does not populate). Are there any examples of successful AD configurations that you know of? I'm guessing I have some of the fields wrong, like some of the search filters or attribute fields, and I'm sure they're probably the same for any AD implementation since they generally have the same structure and attributes, so I'm wondering if you have any examples of what goes into them?
- Algebraic_Mirror
Cirrostratus
Thanks guys. I appreciate the input, because this is pretty much what I had. I keep getting an "Unable to connect to LDAP provider" error on the login page, but when I use the ldapsearch command per sol11072 and sol15811 things work just fine. So since those commands work and I pretty much match what you guys have, I'm thinking this might be a bug in 4.6? I'm opening a support case with F5 and will report back if that turns out to be the case.
Symptoms are:
- On the logon page on the GUI, receiving an "Unable to connect to LDAP provider", despite the ldapsearch command connecting fine.
- I see the following in the restjavad.0.log:
[root@bigiq.example.com:Active] log tail -f restjavad.0.log
[WARNING][8909][09 Dec 2015 16:22:46 UTC][8100/cm/system/authn/providers/ldap/47e4354d-73e8-43aa-b9ab-7d75f5e7b11a/login LdapProviderLoginWorker][completed] Unable to connect to LDAP provider 10.0.0.1
[I][8910][09 Dec 2015 16:22:46 UTC][8100/shared/authn/login AuthnWorker][failed] User test_account failed to login using the https://localhost/mgmt/cm/system/authn/providers/ldap/47e4354d-73e8-43aa-b9ab-7d75f5e7b11a/login authentication provider
Any ideas?
- Kyle_Oliver
Employee
A case is probably your best bet at this point.
- David_Stout
Nimbostratus
Had the same issue this morning and figured it out.
When using the ldap search the syntax didn't match the boxes listed in the default settings.
To resolve it I changed the bind user to just be the username .... no CN= in front of it so it uses the username exactly like the ldapsearch command line.
Then I changed the search filter to (sAMAccountName={username}) .... after that it worked :)
Let me know if that helps.
- Andrea_Arquint
Nimbostratus
In case of using LDAPS: I can configure the SSL checkbox, but where do I have to import the corresponding SSL certificate to communicate via LDAPS?
- raheem_S_351321
Nimbostratus
Ok I had this exact issue today and have got this working with Active Directory groups on the BIG-IQ, my configuration is as follows:
Bind User: Required
Bind Password: Required
Root DN: DC=contoso,DC=com
Authentication Method: Simple
Search Scope: Subtree
Search Filter: (sAMAccountName={username})
User Display Name Attribute: displayName
Group Display Name Attribute: cn
Group Search Filter: (&(ObjectCategory=Group)(cn=F5*))
Group Membership Filter: (|(member={userDN})(uniqueMember={userDN}))
Note my groups contain F5 in the name which is referenced in the group search filter
Now go and create a user group, selecting LDAP as the authentication method. Leave the remote group filter blank and select search; this should populate a drop-down box with all AD groups that match the criteria above. Select the appropriate group and map a role, and you should be able to log in as long as the account is a member of the group.
Hopefully this helps someone
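As an added example (not part of this thread and not F5 code): a small Python helper that expands the {username} and {userDN} placeholders the way the settings above read, escapes the substituted values per RFC 4515 so a login name cannot change the shape of the filter, and builds the equivalent ldapsearch commands so David's and Raheem's filters can be checked from the CLI before they go into the GUI. The host, bind account, sample user and sample DN are constructed placeholders; the filter strings and Root DN are the ones posted above.

```python
"""Expand BIG-IQ style LDAP filter templates and build matching ldapsearch commands.

Added example, not F5 code. Filters and Root DN mirror the thread's working AD
config; host, bind account, sample user and sample DN are constructed placeholders.
"""
from typing import Dict, List

# RFC 4515 escaping for values placed inside a search filter. Without it a login
# name such as "a)(cn=*" would rewrite the filter instead of being matched literally.
_ESCAPE = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    return "".join(_ESCAPE.get(ch, ch) for ch in value)


def render(template: str, **values: str) -> str:
    """Substitute {username} / {userDN} placeholders, escaping each value."""
    out = template
    for key, val in values.items():
        out = out.replace("{" + key + "}", escape_filter_value(val))
    return out


SETTINGS: Dict[str, str] = {
    "host": "ldap://dc01.contoso.com",      # placeholder
    "bind_user": "svc_bigiq@contoso.com",   # placeholder; plain account name, no CN= prefix
    "root_dn": "DC=contoso,DC=com",
    "search_filter": "(sAMAccountName={username})",
    "group_search_filter": "(&(ObjectCategory=Group)(cn=F5*))",
    "group_membership_filter": "(|(member={userDN})(uniqueMember={userDN}))",
}


def ldapsearch_argv(filt: str, *attrs: str, cfg: Dict[str, str] = SETTINGS) -> List[str]:
    """OpenLDAP ldapsearch argv: simple bind (-x), subtree scope, prompt for password (-W)."""
    return ["ldapsearch", "-x", "-H", cfg["host"], "-D", cfg["bind_user"], "-W",
            "-b", cfg["root_dn"], "-s", "sub", filt, *attrs]


def user_lookup(username: str, cfg: Dict[str, str] = SETTINGS) -> List[str]:
    """Step 1: resolve the login name to its DN (what the Search Filter does)."""
    return ldapsearch_argv(render(cfg["search_filter"], username=username), "dn", "displayName")


def group_lookup(cfg: Dict[str, str] = SETTINGS) -> List[str]:
    """Step 2: the groups the remote group search button should list."""
    return ldapsearch_argv(cfg["group_search_filter"], "cn")


def membership_lookup(user_dn: str, cfg: Dict[str, str] = SETTINGS) -> List[str]:
    """Step 3: which of those groups hold the user (Group Membership Filter ANDed with step 2)."""
    filt = "(&" + cfg["group_search_filter"] + render(cfg["group_membership_filter"], userDN=user_dn) + ")"
    return ldapsearch_argv(filt, "cn")


if __name__ == "__main__":
    import shlex
    dn = "CN=Jane Doe,OU=Users,DC=contoso,DC=com"  # constructed; normally copied from step 1 output
    for argv in (user_lookup("jdoe"), group_lookup(), membership_lookup(dn)):
        print(shlex.join(argv))
```

Running the printed commands against the domain controller with the same bind account the GUI uses separates "my filters are wrong" from "the appliance cannot reach the provider", which is the distinction the restjavad.0.log warning above leaves open.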
- Mohammed_M_Irfa
Nimbostratus
Hi Raheem,
Can you please explain with examples: we are using BIG-IQ 6.1.0v
Bind User: Required <<<< for this
Bind Password: Required <<<< for this
Root DN: DC=contoso,DC=com
Authentication Method: Simple
Search Scope: Subtree
Search Filter: (sAMAccountName={username})
User Display Name Attribute: displayName
Group Display Name Attribute: cn
Group Search Filter: (&(ObjectCategory=Group)(cn=F5*))
Group Membership Filter: (|(member={userDN})(uniqueMember={userDN}))