
mr_evil_116524
Mar 26, 2014

Integrate F5 with AD as per user group

Hi There,

I am trying to integrate F5 with AD; however, it doesn't work when I specify a specific user group. Please see below:

User Directory: Remote - Active Directory
Host: 10.10.xxx.xxx  Port: 389
Remote Directory Tree: CN=test - F5 Access,OU=test Access Groups,OU=test,OU=test Staff,DC=test,DC=local  Scope: Sub
Bind DN: CN=F5 AD Integration,CN=Users,DC=test,DC=local
Check Member Attribute in Group: Disabled
SSL: Disabled
Login LDAP Attribute: samaccountname
Role: Administrator
Terminal Access: tmsh

Where "test - F5 Access" is a group.

What does work though is as follows:

Host: 10.10.xxx.xxx  Port: 389
Remote Directory Tree: OU=test,OU=testStaff,DC=test,DC=local  Scope: Sub
Bind DN: CN=F5 AD Integration,CN=Users,DC=test,DC=local
Check Member Attribute in Group: Disabled
SSL: Disabled
Login LDAP Attribute: samaccountname
Role: Administrator
Terminal Access: tmsh

Where "F5 AD Integration" is a user.

Can someone please let me know what I am doing wrong?

Thanks

 

4 Replies

gbbaus_104974 (Historic F5 Account)

Well, for starters, there are spaces in the one that does not work, and no spaces in the name structure that does work.

Maybe you can create your groups without spaces in the names, or use underscores (_)?

Test and see if that helps?

    mr_evil_116524

    Have tried that, doesn't work... Something tells me I will only need to use the OU and not the actual user group, which is a pain... could be wrong though.
gbbaus_104974 (Historic F5 Account)

Maybe connect to the AD with a tool like "LDAP Admin" and see the naming convention of the groups you create.

I have a feeling it will start with "OU", e.g.:

OU=test - F5 Access,OU=test Access Groups,OU=test,OU=test Staff,DC=test,DC=local
The way to do this is by following the articles below:

Please also have a look at the DevCentral example of controlling user access using AD groups:

https://devcentral.f5.com/articles/remote-authorization-via-active-directory.UzSBt4V2p8E

and the manual section on "Assigning access control properties to user groups" in

http://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/tmos-implementations-11-1-0/16.html
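As an added illustration (not part of the thread): a search with "Scope Sub" only returns entries at or beneath the search base, and an AD user object is never a child of a group object, so a group DN used as the Remote Directory Tree finds no users at all; membership is recorded in the group's member attribute and has to be checked separately, which is what a group-membership check (the "Check Member Attribute in Group" option above, or the remote-role mapping in the linked article) is for. The Python below models both steps against a constructed in-memory directory; the DNs, account names and the helper functions are hypothetical, not BIG-IP code.

```python
# Added example: an in-memory model of the two LDAP steps involved in
# group-restricted login: (1) subtree search for the user under the
# configured base, (2) membership check via the group's member attribute.
# All directory entries below are constructed sample data.

GROUP_DN = "CN=test - F5 Access,OU=test Access Groups,OU=test,OU=test Staff,DC=test,DC=local"
OU_BASE = "OU=test,OU=test Staff,DC=test,DC=local"
ALICE_DN = "CN=Alice,OU=test,OU=test Staff,DC=test,DC=local"
BOB_DN = "CN=Bob,OU=test,OU=test Staff,DC=test,DC=local"

# Attribute names are stored lower-cased because LDAP attribute names
# are case-insensitive (the GUI shows "samaccountname").
DIRECTORY = {
    ALICE_DN: {"objectclass": "user", "samaccountname": "alice"},
    BOB_DN: {"objectclass": "user", "samaccountname": "bob"},
    GROUP_DN: {"objectclass": "group", "member": [ALICE_DN]},  # Bob is not a member
}


def _rdns(dn):
    """Split a DN into normalised RDN components (none of the sample DNs contain commas)."""
    return [part.strip().lower() for part in dn.split(",")]


def in_subtree(dn, base):
    """True when dn is the base itself or lies beneath it (LDAP scope 'sub')."""
    d, b = _rdns(dn), _rdns(base)
    return len(d) >= len(b) and d[-len(b):] == b


def search_user(base, login_attr, login):
    """Subtree search for (login_attr=login) below base; returns the DN or None."""
    for dn, attrs in DIRECTORY.items():
        value = attrs.get(login_attr.lower(), "")
        if in_subtree(dn, base) and value.lower() == login.lower():
            return dn
    return None


def is_member(user_dn, group_dn):
    """Membership check against the group's member attribute."""
    members = DIRECTORY.get(group_dn, {}).get("member", [])
    return user_dn.lower() in (m.lower() for m in members)


def authorize(base, login, group_dn):
    """Return (user_found, allowed): locate the user under base, then restrict by group."""
    user_dn = search_user(base, "samaccountname", login)
    if user_dn is None:
        return (False, False)  # nothing beneath the base matched, login fails here
    return (True, is_member(user_dn, group_dn))
```

With the group DN as the base, even a valid member is never found; with the OU as the base, the user is found and the group check decides access.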