Forum Discussion
Issue Using Remote LDAP Authentication
I configured BIG-IP to access LDAP users following the official tutorial (http://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/ltm-implementations-11-3-0/31.html), but when the website authentication prompt is displayed and I enter correct credentials, BIG-IP exchanges the logon credentials with the LDAP server correctly (I checked with a pcap capture) but then requests credentials again. When I enter the correct credentials again, the process repeats and I cannot log on to the page.
You can see that the negotiation between the BIG-IP server and the LDAP server is correct in this image: https://docs.google.com/file/d/0B83010gTagQXRjJaWlk1NUxsVVk/edit?usp=sharing, so I do not know why BIG-IP requests credentials every time.
I have used the "ldapsearch" command from the SSH console to check the authentication process, and I can see the connection was successful and the credentials are correct (you can see the command output in the "query_from_ldapsearch2.txt" file I have attached).
Thank you very much in advance.
Kind regards.
11 Replies
- nitass
Employee
do you have pcap which captures both application and ldap traffic? just wondering if there are multiple tcp connections.
- pcastagnaro_709
Nimbostratus
Dear nitass,
I have no LDAP traffic capture. If you think you need it, I could capture that traffic. Just tell me if you need it.
- Kevin_Stewart
Employee
What happens if you apply the default _sys_auth_ldap iRule to the LDAP auth profile?
Also try this - edit the existing iRule and add a log statement to your AUTH_RESULT event:

    when AUTH_RESULT {
        log local0. "AUTH status = [AUTH::status]"
        if { [AUTH::status] != 0 } {
            HTTP::respond 401
        } else {
            HTTP::release
        }
    }
- nitass
Employee
I have no LDAP traffic capture. If you think you need it, I could capture that traffic. Just tell me if you need it.
sorry i think it is not the case. i just notice there is only one 3 way handshake, so it should not be multiple tcp connections.
- nitass
Employee
can you try "login-attribute" setting in conector_con_AD?
this is my testing. tasmania is web user.

    root@(ve11a)(cfg-sync Changes Pending)(Active)(/Common)(tmos) show sys version|grep -A 5 Main\ Package
    Main Package
      Product  BIG-IP
      Version  11.3.0
      Build    3022.0
      Edition  Hotfix HF3
      Date     Fri Feb 22 00:00:34 PST 2013

    root@(ve11a)(cfg-sync Changes Pending)(Active)(/Common)(tmos) list ltm virtual bar
    ltm virtual bar {
        auth {
            Perfil_AD
        }
        destination 172.28.20.16:80
        ip-protocol tcp
        mask 255.255.255.255
        pool foo
        profiles {
            http { }
            tcp { }
        }
        source 0.0.0.0/0
        source-address-translation {
            type automap
        }
        vlans-disabled
    }

    root@(ve11a)(cfg-sync Changes Pending)(Active)(/Common)(tmos) list ltm auth profile Perfil_AD
    ltm auth profile Perfil_AD {
        app-service none
        configuration conector_con_AD
        credential-source http-basic-auth
        defaults-from ldap
        rule AUTH_LDAP_URL_v1
        type ldap
    }

    root@(ve11a)(cfg-sync Changes Pending)(Active)(/Common)(tmos) list ltm auth ldap conector_con_AD
    ltm auth ldap conector_con_AD {
        bind-dn cn=administrator,cn=users,DC=abc,DC=com
        bind-pw password
        login-attribute sAmAccountName
        search-base-dn cn=users,DC=abc,DC=com
        servers { 172.28.20.20 }
    }

    root@(ve11a)(cfg-sync Changes Pending)(Active)(/Common)(tmos) list ltm rule AUTH_LDAP_URL_v1
    ltm rule AUTH_LDAP_URL_v1 {
        when CLIENT_ACCEPTED {
            set tmm_auth_ldap_sid [AUTH::start pam default_ldap]
        }
        when HTTP_REQUEST {
            if {[HTTP::uri] equals "/"} {
                AUTH::username_credential $tmm_auth_ldap_sid [HTTP::username]
                AUTH::password_credential $tmm_auth_ldap_sid [HTTP::password]
                AUTH::authenticate $tmm_auth_ldap_sid
                HTTP::collect
            }
        }
        when AUTH_RESULT {
            if {[AUTH::status] != 0} {
                HTTP::respond 401
            } else {
                HTTP::release
            }
        }
    }

tcpdump (one packet per row):

    No.  Time                        Delta     Source             Src port  Destination        Proto   Dst port  Window  BiF   Vlan  Len   Info
    1    2013-05-04 16:55:05.469994  0.000000  00:00:00_00:00:00            00:00:00_00:00:00  0x05ff                                156   Ethernet II
    2    2013-05-04 16:55:15.106749  9.636755  172.28.20.11       45448     172.28.20.20       TCP     389       14600         4094  157   OUT s0/tmm1 : 45448 > 389 [SYN] Seq=3089723857 Win=14600 Len=0 MSS=1460 SACK_PERM=1 TSval=1858114978 TSecr=0 WS=128
    3    2013-05-04 16:55:15.108900  0.002151  172.28.20.20       389       172.28.20.11       TCP     45448     64240         4094  161   IN s0/tmm1 : 389 > 45448 [SYN, ACK] Seq=89577447 Ack=3089723858 Win=64240 Len=0 MSS=1460 WS=1 TSval=0 TSecr=0 SACK_PERM=1
    4    2013-05-04 16:55:15.110082  0.001182  172.28.20.11       45448     172.28.20.20       TCP     389       14720         4094  149   OUT s0/tmm1 : 45448 > 389 [ACK] Seq=3089723858 Ack=89577448 Win=14720 Len=0 TSval=1858114982 TSecr=0
    5    2013-05-04 16:55:15.110090  0.000008  172.28.20.11       45448     172.28.20.20       LDAP    389       14720   61    4094  210   OUT s0/tmm1 : bindRequest(1) "cn=administrator,cn=users,DC=abc,DC=com" simple
    6    2013-05-04 16:55:15.112710  0.002620  172.28.20.20       389       172.28.20.11       LDAP    45448     64179   22    4094  171   IN s0/tmm1 : bindResponse(1) success
    7    2013-05-04 16:55:15.113013  0.000303  172.28.20.11       45448     172.28.20.20       TCP     389       14720         4094  149   OUT s0/tmm1 : 45448 > 389 [ACK] Seq=3089723919 Ack=89577470 Win=14720 Len=0 TSval=1858114985 TSecr=51647361
    8    2013-05-04 16:55:15.113341  0.000328  172.28.20.11       45448     172.28.20.20       LDAP    389       14720   76    4094  225   OUT s0/tmm1 : searchRequest(2) "cn=users,DC=abc,DC=com" wholeSubtree
    9    2013-05-04 16:55:15.114853  0.001512  172.28.20.20       389       172.28.20.11       LDAP    45448     64103   1412  4094  1561  IN s0/tmm1 : searchResEntry(2) "CN=tasmania,CN=Users,DC=abc,DC=com" | searchResDone(2) success [1 result]
    10   2013-05-04 16:55:15.119586  0.004733  172.28.20.11       45448     172.28.20.20       LDAP    389       17536   56    4094  205   OUT s0/tmm1 : bindRequest(3) "CN=tasmania,CN=Users,DC=abc,DC=com" simple
    11   2013-05-04 16:55:15.121659  0.002073  172.28.20.20       389       172.28.20.11       LDAP    45448     64047   22    4094  171   IN s0/tmm1 : bindResponse(3) success
    12   2013-05-04 16:55:15.122278  0.000619  172.28.20.11       45448     172.28.20.20       LDAP    389       17536   61    4094  210   OUT s0/tmm1 : bindRequest(4) "cn=administrator,cn=users,DC=abc,DC=com" simple
    13   2013-05-04 16:55:15.124744  0.002466  172.28.20.20       389       172.28.20.11       LDAP    45448     63986   22    4094  171   IN s0/tmm1 : bindResponse(4) success
    14   2013-05-04 16:55:15.164996  0.040252  172.28.20.11       45448     172.28.20.20       TCP     389       17536         4094  149   OUT s0/tmm1 : 45448 > 389 [ACK] Seq=3089724112 Ack=89578926 Win=17536 Len=0 TSval=1858115037 TSecr=51647361
- pcastagnaro_709
Nimbostratus
Posted By Kevin Stewart on 05/03/2013 02:44 PM
What happens if you apply the default _sys_auth_ldap iRule to the LDAP auth profile?
Also try this - edit the existing iRule and add a log statement to your AUTH_RESULT event:

    when AUTH_RESULT {
        log local0. "AUTH status = [AUTH::status]"
        if { [AUTH::status] != 0 } {
            HTTP::respond 401
        } else {
            HTTP::release
        }
    }
Dear Kevin Stewart,
If I apply the default _sys_auth_ldap iRule to the LDAP auth profile, it applies LDAP auth to the whole site, and I want to set authentication only on a specific path. I read a tutorial which says the following iRule works great with my specific path:
    when CLIENT_ACCEPTED {
        set tmm_auth_ldap_sid [AUTH::start pam default_ldap]
    }
    when HTTP_REQUEST {
        if {[HTTP::uri] contains "myFolder/myPage.action"} {
            AUTH::username_credential $tmm_auth_ldap_sid [HTTP::username]
            AUTH::password_credential $tmm_auth_ldap_sid [HTTP::password]
            AUTH::authenticate $tmm_auth_ldap_sid
            HTTP::collect
        }
    }
    when AUTH_RESULT {
        if {[AUTH::status] != 0} {
            HTTP::respond 401
        } else {
            HTTP::release
        }
    }
With this iRule, LDAP server accepts credentials but it falls into a loop.
I tried the default _sys_auth_ldap iRule but it falls into the same loop. The only difference between the two is that the default rule applies auth to the whole site and the custom iRule applies auth to a specific path, but both fall into the same loop.
What does the log local0. "AUTH status = [AUTH::status]" line do?
I set this option as you said but I obtain the same result.
Anyway, thank you very much for your time and your dedication.
I have no idea what or where the problem is.
- Kevin_Stewart
Employee
The log statement just shows what the AUTH status result is for troubleshooting. I would suggest that if you can get the default _sys_auth_ldap iRule to work in your environment, then it can be modified to support your per-URI requirement. Can you post your config?
- pcastagnaro_709
Nimbostratus
Posted By Kevin Stewart on 05/16/2013 01:23 PM
The log statement just shows what the AUTH status result is for troubleshooting. I would suggest that if you can get the default _sys_auth_ldap iRule to work in your environment, then it can be modified to support your per-URI requirement. Can you post your config?
Dear Kevin Stewart,
Where does BIG-IP store the auth log? I searched for it using "find local0" through SSH but it did not show anything.
I am using the default _sys_auth_ldap now but it did not resolve the issue. I just added the following lines (both in bold) to apply auth only to a specific path and to log as you said. You can see the complete iRule in the attachments:
when HTTP_REQUEST {
if {[HTTP::uri] contains "myFolder/myPage.action"} {
set tmm_auth_sid [AUTH::start pam default_ldap]
(...)
when AUTH_RESULT {
log local0. "AUTH status = [AUTH::status]"
if {not [info exists tmm_auth_http_sids(ldap)] or \
(...)
This is my auth profile active:
ltm auth profile /Common/Perfil_AD {
app-service none
configuration /Common/conector_con_AD
credential-source http-basic-auth
defaults-from /Common/ldap
enabled yes
idle-timeout 300
rule /Common/AUTH_LDAP_URL_v1
type ldap
}
And this is my configuration:
ltm auth ldap /Common/conector_con_AD {
bind-dn "CN=myUser,OU=FUNCIONES,OU=SISTEMAS,OU=SEDE,DC=mydomain,DC=com,DC=ar"
bind-pw myPassword
check-host-attr enabled
debug enabled
search-base-dn "OU=FUNCIONES,OU=SISTEMAS,OU=SEDE,DC=mydomain,DC=com,DC=ar"
servers { 19X.1XX.XX.1XX }
}
With this overall configuration, auth falls into a loop :(
PS: Thank you very much for your active help and your dedication.
- pcastagnaro_709
Nimbostratus
Posted By nitass on 05/04/2013 02:20 AM can you try "login-attribute" setting in conector_con_AD? this is my testing. tasmania is web user.
Dear nitass,
I set sAmAccountName in login-attribute, but I had the same result.
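As an added example (not code from the thread, from F5, or from nitass), a small Python checker that reads the Info column of tshark/Wireshark LDAP rows like those in the capture nitass posted and confirms that the service-account bind, the single-entry search and the user's own bind all succeeded. The PDU strings are constructed from that capture; the rejected-bind variant is constructed. When it reports `ldap-ok`, the directory side is ruled out and the re-prompt has to come from the HTTP side (the 401/release logic in the iRule).

```python
import re

# Constructed sample input: the Info column of the LDAP PDUs in the capture nitass
# posted (TCP SYN/ACK rows dropped, they carry no LDAP message).
CAPTURE_OK = [
    'bindRequest(1) "cn=administrator,cn=users,DC=abc,DC=com" simple',
    'bindResponse(1) success',
    'searchRequest(2) "cn=users,DC=abc,DC=com" wholeSubtree',
    'searchResEntry(2) "CN=tasmania,CN=Users,DC=abc,DC=com" | searchResDone(2) success [1 result]',
    'bindRequest(3) "CN=tasmania,CN=Users,DC=abc,DC=com" simple',
    'bindResponse(3) success',
    'bindRequest(4) "cn=administrator,cn=users,DC=abc,DC=com" simple',
    'bindResponse(4) success',
]
# Constructed variant: same flow, but the directory rejects the user's own bind.
CAPTURE_BAD_PASSWORD = CAPTURE_OK[:5] + ['bindResponse(3) invalidCredentials (49)'] + CAPTURE_OK[6:]
PDU_RE = re.compile(r'(\w+)\((\d+)\)\s*(?:"([^"]*)")?\s*(.*)')  # op(messageID) "optional DN" result text

def parse_pdus(lines):
    """Yield (op, message_id, dn, rest); one Info line may hold several PDUs joined by ' | '."""
    for line in lines:
        for chunk in line.split(' | '):
            m = PDU_RE.match(chunk.strip())
            if m:
                op, mid, dn, rest = m.groups()
                yield op, int(mid), (dn or ''), rest.strip()

def check_auth_sequence(lines, service_dn):
    """Verify the bind-as-service / search / bind-as-user sequence of an LDAP auth profile."""
    pending, bind_result, entries = {}, {}, []
    for op, mid, dn, rest in parse_pdus(lines):
        if op == 'bindRequest':
            pending[mid] = dn.lower()
        elif op == 'bindResponse' and mid in pending:
            # Keep the first answer per DN: the service account binds twice (ids 1 and 4).
            bind_result.setdefault(pending.pop(mid), rest.startswith('success'))
        elif op == 'searchResEntry':
            entries.append(dn)
    user_dn = entries[0] if len(entries) == 1 else None
    service_ok = bind_result.get(service_dn.lower(), False)
    user_ok = user_dn is not None and bind_result.get(user_dn.lower(), False)
    if not service_ok:
        verdict = 'service-bind-failed'
    elif user_dn is None:
        verdict = 'search-returned-%d-entries' % len(entries)
    elif not user_ok:
        verdict = 'user-bind-failed'
    else:
        verdict = 'ldap-ok'  # directory side is fine; the re-prompt must come from the HTTP side
    return {'verdict': verdict, 'service_bind_ok': service_ok, 'user_dn': user_dn, 'user_bind_ok': user_ok}
```

Feed it the Info column exported from tshark (for example `tshark -r capture.pcap -Y ldap -T fields -e _ws.col.Info`) together with the profile's bind-dn; DN comparison is case-insensitive because Active Directory returns DNs in its own casing.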
- nitass
Employee
Where does BIG-IP store the auth log? I searched for it using "find local0" through SSH but it did not show anything.
have you checked /var/log/ltm?