
Forum Discussion

_NAME_3
Mar 17, 2014

LDAP Auth Help

I am trying to configure LDAP for user login to manage my devices. I have already set up my LTM on my internal network and it's working as I would expect, using http://support.f5.com/kb/en-us/solutions/public/11000/000/sol11072.html . I am now trying to configure my GTM in my DMZ and it does not appear to be working.


Both my LTM and GTM have mgmt. ports on the same subnet, and they both have the same sys management-route configured. I noticed that my GTM was unable to resolve my LDAP hostname, so I tried using the IP address of one of my directory servers, which also didn't work. I can ping my directory server's IP address from my LTM; however, from my GTM I am unable to ping it. I am wondering if the LDAP auth is not using the MGMT port; if so, that would explain why it was unable to access my directory servers.


How can I verify what port my LDAP lookups are using?


3 Replies

  • The LDAP queries should by default be using port 389 (or 636 for LDAPS). You can observe the queries by doing a tcpdump on the interface you think it should be leaving, or all interfaces using the "-i 0.0" syntax.

    tcpdump -lnni 0.0 port 389 or port 636    
    

    That said, if you cannot ping the directory server, you may have a routing issue. Try to ping it and do the tcpdump. Do you see ICMP traffic on the wire?

  • Kevin,


    Thanks for your help. I just did the capture for the LDAP ports, and it appears that the LDAP queries are indeed going out the DMZ interface, which cannot communicate with my internal LAN. I have the MGMT IP and route in place; I don't understand why it's using the DMZ interface for LDAP. Shouldn't it use the MGMT interface?


    I only have 2 routes set up on this box: the mgmt. route, which I just confirmed is in place with tmsh list /sys management-route, and the default route in TMM under Network / Routes.


    I will test adding another route in TMM to see if I can force the traffic over to the mgmt. interface; it just seems like this is not a good idea...


  • After more digging, I found I needed a secondary management route on my device. My LTMs didn't need one, and their traffic routed as expected out the MGMT interface. I understand that my GTMs need the route and why, but my LTMs sent me down the wrong road.


    Thanks for your help. For anyone else's reference, see http://support.f5.com/kb/en-us/solutions/public/13000/200/sol13284.html
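The fix described in the last reply, written out as an added tmsh example (this is not from the original thread or from F5's article; the object name ldap_servers, the management subnet 192.0.2.0/24 with gateway 192.0.2.1, and the internal LAN 10.10.0.0/16 holding the directory servers are placeholders). The point is that host-originated traffic such as remote LDAP authentication follows the management routing table only for destinations that have a management route; with just a default management route and a TMM default route present, the GTM sent the LDAP queries out the data-plane (DMZ) interface, so a network-specific management route for the directory server subnet is what pins them to the mgmt interface:

```tmsh
# Added example, not part of the original thread. All addresses are placeholders.
#   mgmt subnet shared by the LTM and GTM : 192.0.2.0/24, gateway 192.0.2.1
#   internal LAN containing the LDAP servers : 10.10.0.0/16

# 1. Show the management routes that exist today. In the thread only the
#    default management route was present, e.g. (constructed output):
#      sys management-route default {
#          gateway 192.0.2.1
#          network default
#      }
list /sys management-route

# 2. Add a management route covering the directory server subnet so that
#    host-originated LDAP traffic leaves via the mgmt interface instead of
#    following the TMM default route out the DMZ.
create /sys management-route ldap_servers network 10.10.0.0/16 gateway 192.0.2.1

# 3. Confirm the new route is present.
list /sys management-route ldap_servers

# 4. Persist it; management routes are part of the saved base configuration.
save /sys config
```

To confirm the change from the bash shell, rerun the capture from the first reply against the management interface, which is eth0 on the BIG-IP host: `tcpdump -lnni eth0 port 389 or port 636`, then attempt a login. The LDAP bind should now appear on eth0 and no longer on the DMZ VLAN. Since a simple bind on port 389 carries the user's credentials in cleartext, this is also a good moment to check that the remote auth configuration uses LDAPS (636) rather than plain LDAP, especially on a device whose management-plane traffic was just shown to be leaving through the DMZ.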