For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Mark_Cloutier's avatar
Mark_Cloutier
Icon for Nimbostratus rankNimbostratus
Jul 14, 2015

How to do an AD query sending UPN to AD, and have AD return the "short" name that I can use to authenticate against ldap with

LTM version 11.5.1 HF8   I currently have an APM access policy, deployed from Exchange iapp template version 1.4, which I modified to authenticate against LDAP, rather than direct to AD. User ent...
BIG-IP Access Policy Manager (APM)
design
devops
iApps
microsoft
security
mikeshimkus_111's avatar
mikeshimkus_111
Historic F5 Account
Jul 14, 2015

Hi Mark, Walter is right, although we've found that the APM LDAP Query action works best for this. You need to set up a query against your AAA server where the search filter is (sAMAccountName=%{session.logon.last.username}) and the required attributes are distinguishedName, sAMAccountName, and userPrincipalName. The searchDN should be the base OU where the users are located.

 

Then, you use a Variable Assign action to set the required variables:

 

Variable: session.logon.last.domain

 

Expression: expr { [string toupper [string map -nocase {,dc= .} [string range [mcget {session.ldap.last.attr.distinguishedName}] [expr [string first ",DC=" [mcget {session.ldap.last.attr.distinguishedName}] 0] +4] end ] ] ]}

 

Variable: session.logon.last.username

 

Expression: mcget {session.ldap.last.attr.sAMAccountName}

 

Mark_Cloutier's avatar
Mark_Cloutier
Icon for Nimbostratus rankNimbostratus
Jul 14, 2015
Just to confirm, the AAA server I run this LDAP query against has to be one of the AD servers right? The Oracle Access Manager LDAP server that I use for authentication doesn't know anything about UPN, hence the dilemma. Please be patient with an experienced LTM guy, who is very inexperienced with APM, LDAP and AD :) Mark