Forum Discussion
Remote Active Directory Authentication w/ e-mail address
Hello Guys, I came across a question from a customer today where we've configured Active Directory authentication for users logging into the BIGIP. It is working perfectly with no problems. The customer's question for me was whether it would be possible to use the user's entire email address (DN) instead of only the username alone, i.e. wguilherme@f5demo.com instead of only wguilherme. I have configured it on my lab and the authentication works fine, but not with the e-mail address. I tried different approaches but nothing made it work. See below my screenshots of my lab configuration. Do you know if it is possible?
[Lab screenshots: Authentication; Remote Role Groups]
Thank you very much
Willian Guilherme Vancouver - Canada
Hey Guys, thank you very much for your help. @nitass your configuration is perfect and worked like a charm. I initially used the following lines, but it did not work even with the userprincipalname because I had the "user-template" configured.

root@(bigip1)(cfg-sync Standalone)(Active)(/Common)(tmos) list auth ldap system-auth
auth ldap system-auth {
    bind-dn cn=administrator,cn=users,dc=f5demo,dc=com
    bind-pw $M$Xz$R6vSMU6JwXX/2bq2Cksu/g==
    login-attribute userprincipalname
    search-base-dn cn=users,dc=f5demo,dc=com
    servers { 192.168.1.100 }
    user-template %s@f5demo.com
}

My new configuration is just like yours. The "User-Template" should be left blank, otherwise it will make the BIGIP use only the userid instead of the combination userid + DN.

Working configuration
root@(bigip1)(cfg-sync Standalone)(Active)(/Common)(tmos) list auth ldap system-auth
auth ldap system-auth {
    bind-dn cn=administrator,cn=users,dc=f5demo,dc=com
    bind-pw $M$vD$R97Nbf7gLgGgbO44TBHByA==
    login-attribute userprincipalname
    search-base-dn cn=users,dc=f5demo,dc=com
    servers { 192.168.1.100 }
}

Thank you very much fellows ;)
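Added example, not from the thread and not F5's code: a small Python model of how a BIG-IP style LDAP system-auth presents the typed login name to the directory under the two configurations above. It assumes that a set user-template substitutes %s and binds directly with the result (no search), while a blank user-template means bind as the service account, search on login-attribute, then bind as the found entry; that mapping is this model's assumption, not a statement of F5 internals. It also escapes the login name per RFC 4515, which any search-based login path should do.

```python
# Added example: model of BIG-IP style LDAP system-auth login resolution.
# The template-vs-search behaviour below is an assumption of this model.
from dataclasses import dataclass
from typing import Optional


def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515), so a
    typed login like 'a)(cn=*' cannot change the meaning of the filter."""
    out = []
    for ch in value:
        if ch in '\\*()' or ch == '\x00':
            out.append('\\%02x' % ord(ch))
        else:
            out.append(ch)
    return ''.join(out)


@dataclass
class SystemAuth:
    bind_dn: str
    login_attribute: str
    search_base_dn: str
    user_template: Optional[str] = None   # blank in the working config


def resolve(cfg: SystemAuth, login_name: str) -> dict:
    """Return how the typed login name would be presented to the directory."""
    if cfg.user_template:
        # Template mode (assumed): %s is replaced verbatim and the result is
        # used as the user's bind identity; no search happens, so a typed UPN
        # ends up with the domain suffix appended twice.
        return {"mode": "template-bind",
                "bind_as": cfg.user_template.replace("%s", login_name)}
    # Search mode (assumed): bind as the service account, look up the entry
    # whose login-attribute equals the typed name, then bind as that entry.
    ldap_filter = "(%s=%s)" % (cfg.login_attribute, escape_filter_value(login_name))
    return {"mode": "search-then-bind", "service_bind": cfg.bind_dn,
            "base": cfg.search_base_dn, "filter": ldap_filter}


# Constructed sample configs mirroring the thread (bind-pw omitted).
BROKEN = SystemAuth("cn=administrator,cn=users,dc=f5demo,dc=com",
                    "userprincipalname", "cn=users,dc=f5demo,dc=com",
                    user_template="%s@f5demo.com")
WORKING = SystemAuth("cn=administrator,cn=users,dc=f5demo,dc=com",
                     "userprincipalname", "cn=users,dc=f5demo,dc=com")

if __name__ == "__main__":
    print(resolve(BROKEN, "wguilherme@f5demo.com"))
    print(resolve(WORKING, "wguilherme@f5demo.com"))
```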
4 Replies
- nitass
Employee
this is mine.
config
root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos) list auth ldap system-auth
auth ldap system-auth {
    bind-dn cn=administrator,cn=users,dc=abc,dc=com
    bind-pw $M$g2$cTattFzOwB2DzL4ywm9bXQ==
    login-attribute userprincipalname
    search-base-dn cn=users,dc=abc,dc=com
    servers { 172.28.24.5 }
}

test
login as: tasmania@abc.com
Using keyboard-interactive authentication.
Password:
Last login: Wed Aug 20 19:31:05 2014 from 192.168.207.69
tasmania@abc.com@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos)

I think nitass pointed out the issue indeed William, you use Login LDAP attribute samaccountname and nitass uses userprincipalname. Usually samaccountname is the old-style login and userprincipalname the new-style login.
Hello,
Your login attribute should be mail or alternatemail.
It depends on which attribute is used.
FYI: DN and email address are different things. A DN is more like subject (ex: CN) + Base DN.