Forum Discussion

Venkatesh_96090
Jul 10, 2013

IRule for LDAP Authentication

Hello All,

Thank you in the first place for choosing to help me. I am new to F5, and apologies if my question turns out to be too stupid.

All I am trying to do is authenticate APM users via an LDAP server.

We basically use F5 Edge Gateway 10.2 with an APM license; this is dedicated to extending SSL VPN access to our office network.

We have an LDAP server configured in our network, and I want the users trying to log in to be authenticated by F5 APM against the LDAP server.

I have configured the LDAP server under AAA. I have a connection and an access profile with an access policy map (which calls the LDAP server to authenticate the user and, based on the auth result, gives a message box saying auth passed or failed):

Login--->[LDAP AUTH]----MSGbox passed or MSGbox failed

Should I write an iRule on the VS instance I've created for redirecting auth to LDAP?

Could anyone please give me a sample iRule to contact the auth server?

Currently I get:

[admin@cscsslodc001-r:Active] ~ more /var/log/apm | grep user1

Jul 10 11:12:32 local/cscsslodc001-r notice apd[14484]: 01490010:5: 55ea4810: Username 'user1'
Jul 10 11:12:32 local/cscsslodc001-r err apd[14484]: 01490110:3: 55ea4810: LDAP module: authentication with 'sAMAccountName=user1' failed in ldap_simple_bind_s(): Can't contact LDAP server (-1)

I have captured a tcpdump and I see NO packets leaving the F5 interface towards the LDAP server; however, the logs say the server is unreachable.

I am unsure if I am missing something else or if I just need to write an iRule for catching the auth request and sending it to the server.

Any advice, help or assistance would be highly appreciated :)

Thank you :)

Venkatesh

 

3 Replies

  • The issue appears to be in the LDAP AAA configuration. Are you using a host name for the server, and if so, is it resolvable? Can the BIG-IP reach the LDAP server via the required LDAP port (usually 389 or 636)?

    You can test access to the LDAP server from the management shell with the ldapsearch command. Example:

    ldapsearch -H ldap://10.70.0.1:389 -x -b cn=users,dc=mydomain,dc=com -D administrator@mydomain.com -w [password] [search criteria ex. cn=bob]

    You need to be able to see LDAP traffic leave the BIG-IP for the LDAP server. I'd start with that before troubleshooting anything else.

  • Hello Kevin,

    Thank you for the response.

    Looks like I had some VS redirect broken, and I've fixed that.

    Now I get this:

    Thu Jul 11 14:33:29 GMT 2013 err 01490110 LDAP module: authentication with 'sAMAccountName=user1' failed in ldap_initialize(): Bad parameter to an ldap routine, URI: ldap://2620:0:a10:f501:0:6:f5d:a801:389 (-9)

    And I did try the ldapsearch; however, my LDAP server is configured on a different route domain/partition than the base route domain/default partition.

    I have tried using both IP and IP%Rt-domain-id:

    ldapsearch -xLLL -H ldap://x.x.x.x:389 -b ou=users,ou=test,dc=test,dc=test,dc=com -D cn=dnadmin,ou=dnadmins,ou=admin,dc=test,dc=com -w trialpass cn=user1

    On using the above I just get nothing; I don't know if it's running something in the background, but I left it running for 10 minutes and nothing came back, so I used Ctrl+C to break.

    I also tried x.x.x.x%2:389, as my AAA LDAP server is on the 2nd route domain, and then I get:

    ldap_bind: Can't contact LDAP server (-1)

    Note: the monitors configured show the LDAP server members are available and show green. I have also tried to bypass the VS and configure the actual LDAP server on the AAA server under the concerned partition; still I'm unable to get this working :(

    Please advise.

    Thank you :)

    Venkatesh

  • Interesting. There was some rumbling about some AAA services not supporting route domains, but I'm not sure where that stands.

    Try this: create a simple IPv4 port 389 VIP that sends traffic to port 389 pool members (your LDAP servers in another RD). Try pointing your ldapsearch to that VIP and capture any LDAP traffic leaving the box.
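The two error lines quoted in this thread are OpenLDAP library-side results rather than answers from the directory: -1 (LDAP_SERVER_DOWN, "Can't contact LDAP server") means no TCP connection was ever made, which fits the empty tcpdump, and -9 (LDAP_PARAM_ERROR, "Bad parameter to an ldap routine") from ldap_initialize() means the client rejected its input before touching the network. In the second line the URI carries an IPv6 literal without the square brackets an LDAP URI requires (ldap://[addr]:port); my reading of OpenLDAP's URL parser is that it takes everything after the first ':' as the port, so that unbracketed form is consistent with the -9. The Python below is an added example written for this page, not code from the posters or from F5: it pulls the failing libldap call, URI and result code out of APM log lines of this shape, maps the code to its OpenLDAP meaning, rewrites a URI into the bracketed form, and flags host parts that an ldapsearch client cannot use (an unbracketed IPv6 literal, or a BIG-IP route-domain suffix such as addr%2, which ldapsearch does not understand). The two sample lines are the ones quoted above; the code meanings come from OpenLDAP's ldap.h; the diagnosis wording and the assumption about what caused the -9 are mine.

```python
import ipaddress
import re

# The two APM log lines quoted in this thread (copied from the posts above).
SAMPLE_LINES = [
    "Jul 10 11:12:32 local/cscsslodc001-r err apd[14484]: 01490110:3: 55ea4810: "
    "LDAP module: authentication with 'sAMAccountName=user1' failed in "
    "ldap_simple_bind_s(): Can't contact LDAP server (-1)",
    "Thu Jul 11 14:33:29 GMT 2013 err 01490110 LDAP module: authentication with "
    "'sAMAccountName=user1' failed in ldap_initialize(): Bad parameter to an "
    "ldap routine, URI: ldap://2620:0:a10:f501:0:6:f5d:a801:389 (-9)",
]

# Negative codes are OpenLDAP library-side errors (values from OpenLDAP's
# ldap.h): the client never received an answer from the directory.
LIB_ERRORS = {
    -1: "LDAP_SERVER_DOWN: no TCP connection to the directory "
        "(wrong IP/port, routing, firewall, or route domain not reachable)",
    -9: "LDAP_PARAM_ERROR: the client rejected its own input, "
        "typically a malformed LDAP URI",
}

# Matches the "LDAP module: ... failed in <func>(): <msg>[, URI: <uri>] (<rc>)"
# shape of the APM lines above.
APM_LDAP_RE = re.compile(
    r"LDAP module: authentication with '(?P<bind>[^']+)' failed in "
    r"(?P<func>\w+)\(\): (?P<msg>[^(]+?)(?:, URI: (?P<uri>\S+))? \((?P<rc>-?\d+)\)"
)


def parse_apm_ldap_error(line):
    """Extract bind attribute, failing libldap call, URI (if logged) and result code."""
    m = APM_LDAP_RE.search(line)
    if not m:
        return None
    rc = int(m.group("rc"))
    return {
        "bind": m.group("bind"),
        "func": m.group("func"),
        "msg": m.group("msg"),
        "uri": m.group("uri"),
        "rc": rc,
        "meaning": LIB_ERRORS.get(rc, "see OpenLDAP ldap.h for this code"),
    }


def ldap_uri(host, port=389, scheme="ldap"):
    """Build an LDAP URI; IPv6 literals must be bracketed (RFC 2732 / RFC 4516)."""
    try:
        if ipaddress.ip_address(host).version == 6:
            host = "[" + host + "]"
    except ValueError:
        pass  # a host name, used as-is
    return "%s://%s:%d" % (scheme, host, port)


def rebracket(uri):
    """Rewrite scheme://<ipv6>:<port> (as logged by APM) into the bracketed form."""
    scheme, rest = uri.split("://", 1)
    host, port = rest.rsplit(":", 1)
    return ldap_uri(host, int(port), scheme)


def uri_problem(uri):
    """Return why an OpenLDAP client (ldapsearch, APM's LDAP module) would not
    connect with this URI, or None if the host part looks usable.
    The diagnosis text is this example's own wording (assumption), not libldap output."""
    m = re.match(r"^(ldaps?)://([^/]+)", uri)
    if not m:
        return "not an ldap:// or ldaps:// URI"
    hostport = m.group(2)
    if hostport.startswith("["):
        return None  # bracketed IPv6 literal, the accepted form
    if hostport.count(":") > 1:
        return "unbracketed IPv6 literal; libldap takes the text after the first ':' as the port. Use ldap://[addr]:port"
    if "%" in hostport:
        return "BIG-IP route-domain suffix (addr%id) is not a resolvable host for ldapsearch; reach the server via a VIP or from inside that route domain"
    return None


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        info = parse_apm_ldap_error(line)
        print("%s -> rc %d: %s" % (info["func"], info["rc"], info["meaning"]))
        if info["uri"]:
            print("  URI problem:", uri_problem(info["uri"]))
            print("  bracketed form:", rebracket(info["uri"]))
```

Two practical notes when running ldapsearch by hand on the box: a route-domain suffix in the -H URI only means something to BIG-IP, not to ldapsearch, so the VIP approach suggested above (or running the check from where the route domain is reachable) is the way to get a real connection attempt; and prefer -W (prompt for the bind password) over -w password, which leaves the directory credential in shell history and in the process list.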