

mnb_63148
May 08, 2014

ldapsearch string

Is anyone familiar with the correct syntax for an ldapsearch query? I am trying to set up Remote AD authentication on the LTM, but it is not working. When I run the ldapsearch string, it returns the following error:


ldap_bind: Invalid credentials (49) additional info: 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1.


The LDAP server administrator has verified that he can access the server using the same user ID/password that I am using. For my ldapsearch string, I have the following:


ldapsearch -H ldap://10.1.1.1 -x -D "cn=test\user1,dc=test,dc=com" -w "mypass"


Where 10.1.1.1 is the ldap server IP, test is the domain, com is the domain. The full domain is test.com. mypass is the password for the user1 ID.


Thanks,


2 Replies

  • A few things:

    1. Try putting the password in single quotes. I've seen issues using the double quotes.

    2. Is that really the DN of the bind user?

      cn=test\user1,dc=test,dc=com
      
    3. As a last resort, try the following format. I've used this successfully.

      ldapsearch -H ldap://x.x.x.x:y -x -b cn=users,dc=domain,dc=com -D user@domain.com -w 'PASSWORD' cn=myuser2
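On point 2 above: the backslash in `cn=test\user1` looks like the NT-style `DOMAIN\user` separator, and a bare `\u` is not a valid escape inside an RFC 4514 distinguished name, so the server is being asked to bind as a DN that cannot exist. The following is an added example (not code from anyone in this thread, Python standard library only) that flags invalid escapes in a DN and shows how a value that really contains a backslash or comma must be written:

```python
import re

# RFC 4514 section 2.4: characters that must be escaped inside an attribute value.
_MUST_ESCAPE = set(',+"\\<>;')
# Characters that may legally follow a backslash (RFC 4514 'pair'), besides a hex pair.
_VALID_AFTER_ESC = _MUST_ESCAPE | set(' #=')
_HEX_PAIR = re.compile(r'^[0-9A-Fa-f]{2}$')


def escape_rdn_value(value: str) -> str:
    """Escape one attribute value (e.g. a CN) so it can be embedded in a DN."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _MUST_ESCAPE:
            out.append('\\' + ch)
        elif ch == '#' and i == 0:          # a leading '#' would start a hex-encoded value
            out.append('\\#')
        elif ch == ' ' and i in (0, last):  # leading/trailing space is otherwise trimmed
            out.append('\\ ')
        elif ch == '\x00':                  # NUL must be hex-escaped
            out.append('\\00')
        else:
            out.append(ch)
    return ''.join(out)


def find_escape_problems(dn: str) -> list:
    """Return a description of every backslash in `dn` that is not a valid escape."""
    problems = []
    i = 0
    while i < len(dn):
        if dn[i] != '\\':
            i += 1
            continue
        nxt = dn[i + 1:i + 2]
        if nxt == '':
            problems.append(f"offset {i}: trailing backslash")
            i += 1
        elif nxt in _VALID_AFTER_ESC:
            i += 2
        elif _HEX_PAIR.match(dn[i + 1:i + 3]):
            i += 3
        else:
            problems.append(f"offset {i}: '\\{nxt}' is not a valid RFC 4514 escape")
            i += 1
    return problems


# Constructed from the DN in the question: the backslash is an NT-style separator, not an escape.
POSTED_DN = r"cn=test\user1,dc=test,dc=com"
if __name__ == "__main__":
    print(find_escape_problems(POSTED_DN))
    # If the CN really did contain a backslash, this is how it would have to be written:
    print("cn=" + escape_rdn_value(r"test\user1") + ",dc=test,dc=com")
```

In practice the fix is usually not to escape anything but to bind with the account's real DN (check with the AD admin), or with its UPN (`user@domain.com`) as in point 3.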
      
  • Any idea how to perform an ldapsearch for secure LDAP that requires a root certificate? Or if not an ldapsearch, how to configure secure LDAP in the GUI?

    Command line LDAPS requires a minor change:

    -H ldaps://x.x.x.x:y
    

    For remote AD auth, if you can get the above LDAPS command line to work, and you can do remote AD auth with LDAP 389, then in the GUI you should only have to:

    1. Change the port to 636

    2. Enable SSL

    3. Apply an SSL CA Certificate - this is the CA certificate that issued the server's cert. If there are multiple CAs in that path (i.e. CA -> subordinate CA -> server), then you need all of the CAs in that path, copied in PEM (Base64) format to a text file, and then uploaded as a "bundle" cert.

    4. You only need the SSL client certificate and key if the server requires a client certificate from the client.