Login to Big-IP 14.1.2.3 and 15.0.1 Configuration utility via LDAP fails with nearly 50% probability
Greetings,
After updating from Big-IP 14.0.0.3, remote LDAP authentication fails from time to time using the same correct credentials (i.e. 3 negative responses and the following 2 are positive). I've tried to change the idle timeout with no luck. ldapsearch responds with a 0 Success code. Sometimes it takes 5 attempts before I am logged in.
/var/log/secure:
Mar 5 13:30:13 mybigip.com err httpd[31489]: pam_ldap(httpd:auth): error reading from nslcd: Connection reset by peer
Mar 5 13:30:13 mybigip.com warning httpd[31489]: pam_unix(httpd:auth): check pass; user unknown
Mar 5 13:30:13 mybigip.com notice httpd[31489]: pam_unix(httpd:auth): authentication failure; logname= uid=48 euid=48 tty= ruser= rhost=192.168.5.10
Mar 5 13:30:16 mybigip.com err httpd[31489]: [auth_pam:error] [pid 31489] [client 192.168.5.10:53225] AUTHCACHE PAM: user 'f5' (fallback: false) - not authenticated: Authentication failure, referer: https://192.168.5.5/tmui/login.jsp
Mar 5 13:30:16 mybigip.com info httpd(pam_audit)[31489]: User=f5 tty=(unknown) host=192.168.5.10 failed to login after 1 attempts (start="Thu Mar 5 13:30:13 2020" end="Thu Mar 5 13:30:16 2020").
Mar 5 13:30:16 mybigip.com info httpd(pam_audit)[31489]: 01070417:6: AUDIT - user f5 - RAW: httpd(pam_audit): User=f5 tty=(unknown) host=192.168.5.10 failed to login after 1 attempts (start="Thu Mar 5 13:30:13 2020" end="Thu Mar 5 13:30:16 2020").
nslcd in debug mode:
nslcd: DEBUG: accept() failed (ignored): Resource temporarily unavailable
nslcd: [43a858] DEBUG: connection from pid=31489 uid=48 gid=48
nslcd: [43a858] <authc="f5"> DEBUG: nslcd_pam_authc("f5","httpd","***")
nslcd: [43a858] <authc="f5"> DEBUG: myldap_search(base="OU=admins,DC=mydomain,DC=com", filter="(&(sAMAccountName=*)(sAMAccountName=f5))")
nslcd: [43a858] <authc="f5"> DEBUG: ldap_result(): CN=f5,OU=admins,DC=mydomain,DC=com
nslcd: [43a858] <authc="f5"> DEBUG: myldap_search(base="CN=f5,OU=admins,DC=mydomain,DC=com", filter="(objectClass=*)")
nslcd: [43a858] <authc="f5"> DEBUG: ldap_initialize(ldap://mydomain.com:389)
nslcd: [43a858] <authc="f5"> DEBUG: ldap_set_rebind_proc()
nslcd: [43a858] <authc="f5"> DEBUG: ldap_set_option(LDAP_OPT_PROTOCOL_VERSION,3)
nslcd: [43a858] <authc="f5"> DEBUG: ldap_set_option(LDAP_OPT_DEREF,0)
nslcd: [43a858] <authc="f5"> DEBUG: ldap_set_option(LDAP_OPT_TIMELIMIT,30)
nslcd: [43a858] <authc="f5"> DEBUG: ldap_set_option(LDAP_OPT_TIMEOUT,30)
nslcd: [43a858] <authc="f5"> DEBUG: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT,30)
nslcd: [43a858] <authc="f5"> DEBUG: ldap_set_option(LDAP_OPT_REFERRALS,LDAP_OPT_ON)
nslcd: [43a858] <authc="f5"> DEBUG: ldap_set_option(LDAP_OPT_RESTART,LDAP_OPT_ON)
nslcd: [43a858] <authc="f5"> DEBUG: ldap_simple_bind_s("CN=f5,OU=admins,DC=mydomain,DC=com","***") (uri="ldap://mydomain.com:389")
nslcd: [43a858] <authc="f5"> DEBUG: set_socket_timeout(30,500000)
nslcd: [43a858] <authc="f5"> DEBUG: ldap_result(): CN=f5,OU=admins,DC=mydomain,DC=com
nslcd: [43a858] <authc="f5"> DEBUG: set_socket_timeout(15,0)
nslcd: [43a858] <authc="f5"> DEBUG: ldap_unbind()
nslcd: [43a858] <authc="f5"> DEBUG: bind successful
nslcd: [43a858] <authc="f5"> DEBUG: myldap_search(base="OU=admins,DC=mydomain,DC=com", filter="(&(objectClass=shadowAccount)(uid=f5))")
nslcd: [43a858] <authc="f5"> DEBUG: ldap_result(): end of results (0 total)
nslcd: [1d5ae9] DEBUG: connection from pid=31489 uid=48 gid=48
nslcd: DEBUG: accept() failed (ignored): Resource temporarily unavailable
nslcd: [1d5ae9] <get_attributes="f5"> DEBUG: nslcd_pam_get_attributes("f5","httpd","","192.168.5.10","","***")
nslcd: [1d5ae9] <get_attributes="f5"> DEBUG: myldap_search(base="OU=admins,DC=mydomain,DC=com", filter="(&(sAMAccountName=*)(sAMAccountName=f5))")
nslcd: [1d5ae9] <get_attributes="f5"> ldap_search_ext() failed: Can't contact LDAP server: Connection reset by peer
nslcd: [1d5ae9] <get_attributes="f5"> DEBUG: set_socket_timeout(15,0)
nslcd: [1d5ae9] <get_attributes="f5"> DEBUG: ldap_unbind()
nslcd: [1d5ae9] <get_attributes="f5"> DEBUG: "f5": user not found: Can't contact LDAP server
/var/log/httpd/httpd_errors:
Mar 5 13:13:34 mybigip.com err httpd[31490]: [auth_pam:error] [pid 31490] [client 192.168.5.10:52914] AUTHCACHE PAM: user 'f5' (fallback: false) - not authenticated: Authentication failure, referer: https://192.168.5.5/tmui/login.jsp?msgcode=1&
/var/log/daemon.log:
Mar 5 13:13:33 mybigip.com warning nslcd[3968]: [a2a8d4] <authc="f5"> ldap_search_ext() failed: Can't contact LDAP server: Connection reset by peer
Thank you in advance for help=)
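The pattern in the post's /var/log/secure excerpt is the useful diagnostic: a pam_ldap "error reading from nslcd: Connection reset by peer" on an httpd PID, followed seconds later by a pam_audit "failed to login" for the same PID. The script below, an added example that is not part of the post, separates login failures that coincide with such an nslcd reset from failures that do not, so an operator can tell an intermittent nslcd problem apart from genuinely bad credentials. The sample log is constructed to match the post's line formats; the 10-second window is an assumption.

```python
import re
from datetime import datetime

# Constructed sample lines, modelled on the /var/log/secure excerpt in the post
# (hostname, PIDs and addresses are the post's placeholders, not a real device).
SAMPLE_SECURE = """\
Mar 5 13:30:13 mybigip.com err httpd[31489]: pam_ldap(httpd:auth): error reading from nslcd: Connection reset by peer
Mar 5 13:30:13 mybigip.com notice httpd[31489]: pam_unix(httpd:auth): authentication failure; logname= uid=48 euid=48 tty= ruser= rhost=192.168.5.10
Mar 5 13:30:16 mybigip.com info httpd(pam_audit)[31489]: User=f5 tty=(unknown) host=192.168.5.10 failed to login after 1 attempts (start="Thu Mar 5 13:30:13 2020" end="Thu Mar 5 13:30:16 2020").
Mar 5 13:31:02 mybigip.com err httpd[31490]: pam_ldap(httpd:auth): error reading from nslcd: Connection reset by peer
Mar 5 13:31:05 mybigip.com info httpd(pam_audit)[31490]: User=f5 tty=(unknown) host=192.168.5.10 failed to login after 1 attempts (start="Thu Mar 5 13:31:02 2020" end="Thu Mar 5 13:31:05 2020").
Mar 5 13:45:20 mybigip.com info httpd(pam_audit)[31491]: User=admin tty=(unknown) host=192.168.5.11 failed to login after 1 attempts (start="Thu Mar 5 13:45:17 2020" end="Thu Mar 5 13:45:20 2020").
"""

# syslog-style prefix: "Mon D HH:MM:SS host severity program[pid]: message"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ (?P<sev>\w+) "
    r"(?P<prog>[\w()]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
RESET_MARK = "error reading from nslcd: Connection reset by peer"
FAIL_RE = re.compile(r"User=(?P<user>\S+) .* failed to login after (?P<n>\d+) attempts")


def parse_line(line):
    """Split one syslog line into timestamp, PID, program and message; None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # The year is absent from syslog timestamps; strptime fills in 1900, which is fine for deltas.
    ts = datetime.strptime(re.sub(r"\s+", " ", m.group("ts")), "%b %d %H:%M:%S")
    return {"ts": ts, "pid": m.group("pid"), "prog": m.group("prog"), "msg": m.group("msg")}


def correlate(log_text, window_s=10):
    """Attribute each pam_audit login failure to a preceding nslcd reset on the same httpd PID.

    A failure is counted as 'nslcd_reset' when a reset for the same PID occurred within
    window_s seconds before it (assumed window); anything else is counted as 'other'.
    """
    resets = {}      # pid -> list of reset timestamps
    failures = []    # (timestamp, pid, user)
    for rec in filter(None, map(parse_line, log_text.splitlines())):
        if RESET_MARK in rec["msg"]:
            resets.setdefault(rec["pid"], []).append(rec["ts"])
            continue
        fm = FAIL_RE.search(rec["msg"])
        if fm:
            failures.append((rec["ts"], rec["pid"], fm.group("user")))

    report = {"total_failures": len(failures), "nslcd_reset_failures": 0,
              "other_failures": 0, "users": {}}
    for ts, pid, user in failures:
        linked = any(0 <= (ts - r).total_seconds() <= window_s for r in resets.get(pid, []))
        bucket = "nslcd_reset" if linked else "other"
        report[bucket + "_failures"] += 1
        report["users"].setdefault(user, {"nslcd_reset": 0, "other": 0})[bucket] += 1
    return report


if __name__ == "__main__":
    for key, value in correlate(SAMPLE_SECURE).items():
        print(f"{key}: {value}")
```

Run against a real /var/log/secure (`correlate(open("/var/log/secure").read())`) a high share of reset-linked failures points at the nslcd/LDAP session handling rather than at the users; a high share of "other" failures for one source host is a different signal and worth a look in its own right.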
The problem was hidden in empty LDAP user attributes, you need to fill each LDIF scheme user attribute with an appropriate value to bring authentication back to work. You should not leave any single attribute empty. https://cdn.f5.com/product/bugtracker/ID950153.html
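Since the answer above attributes the failures to empty attributes on the LDAP user object, a quick way to audit that is to export the user entry as LDIF (ldapsearch prints LDIF) and flag every attribute whose value is empty. The checker below is an added example, not part of this thread or of F5's tooling; the LDIF record is constructed to resemble the CN=f5 entry in the nslcd trace, and its attribute names are illustrative rather than a list of what BIG-IP requires.

```python
import base64

# Constructed LDIF, shaped like the CN=f5 entry from the nslcd trace in the post.
# "description:" and "mail::" carry empty values (plain and base64 forms).
SAMPLE_LDIF = """\
dn: CN=f5,OU=admins,DC=mydomain,DC=com
objectClass: user
sAMAccountName: f5
displayName:: ZjUgYWRtaW4=
description:
mail::
memberOf: CN=bigip-admins,OU=groups,
 DC=mydomain,DC=com

# a second entry with every attribute populated
dn: CN=svc,OU=admins,DC=mydomain,DC=com
objectClass: user
sAMAccountName: svc
description: service account
"""


def parse_ldif(text):
    """Minimal RFC 2849 parser: returns a list of records, each a list of (attr, value) pairs."""
    # Unfold continuation lines (a leading single space joins to the previous line).
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]
        else:
            unfolded.append(raw)

    records, current = [], []
    for line in unfolded + [""]:          # trailing "" flushes the last record
        if line == "":
            if current:
                records.append(current)
                current = []
            continue
        if line.startswith("#"):
            continue
        attr, sep, rest = line.partition(":")
        if not sep:
            raise ValueError(f"malformed LDIF line: {line!r}")
        if rest.startswith(":"):          # "attr:: base64value"
            value = base64.b64decode(rest[1:].strip()).decode("utf-8")
        elif rest.startswith("<"):        # "attr:< file:///..." (URL value, left unfetched)
            value = rest[1:].strip()
        else:                             # "attr: value"
            value = rest.strip()
        current.append((attr.strip(), value))
    return records


def find_empty_attributes(text):
    """Map each DN in the LDIF to the sorted list of attribute names with an empty value."""
    result = {}
    for rec in parse_ldif(text):
        dn = next((v for a, v in rec if a.lower() == "dn"), "<no dn>")
        result[dn] = sorted({a for a, v in rec if a.lower() != "dn" and v == ""})
    return result


if __name__ == "__main__":
    for dn, empties in find_empty_attributes(SAMPLE_LDIF).items():
        status = "OK" if not empties else "empty attributes: " + ", ".join(empties)
        print(f"{dn}: {status}")
```

Feed it the output of an `ldapsearch -LLL` for the user in question and any entry that lists empty attributes is a candidate for the fix described in the answer; entries reported as OK can be ruled out before touching the directory.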
I don't have a solution, but can confirm that we have the same problem, and our logs look a lot like yours. I've noticed there are many open bugs related to LDAP login, so hopefully this will be fixed soon.
- BeakerCirrus
We had the same issue but following this article we are no longer seeing the problem:
https://support.f5.com/csp/article/K72830550
tmsh modify auth ldap system-auth idle-timeout 295
- Ford_PrefectCirrus