
Stanislas_Piron
May 09, 2016

TMOS 11.5.4 Admin Remote Authentication with LDAP issue

Hi,

I am configuring Remote AD authentication for BigIP administrators.

I have already done it for some other customers without issues.

The system authentication configuration is:

    auth ldap system-auth {
        check-roles-group enabled
        login-attribute samaccountname
        search-base-dn DC=xxxxx,DC=local
        servers { 1.2.3.4 }
        user-template %s@xxxx.local
    }

I tried by changing authentication to LDAP but the result is the same.

When trying to authenticate, I can see the request and response with tcpdump:

With ldapsearch I got the expected answer.

But the administrator is never authenticated and the following message appears in log files:

    [root@bigip:Active:Standalone] config  grep 24310 /var/log/audit
    May  9 14:00:55 bigip info sshd[24310]: 01070417:6: AUDIT - user root - RAW: pam_ldap initiating connection to non-SSL ldap server 1.2.3.4 on port 389.
    May  9 14:09:41 bigip info sshd[24310]: 01070417:6: AUDIT - user root - RAW: pam_ldap validating credentials for user 'admin_test' against non-SSL ldap server 1.2.3.4 on port 389.
    May  9 14:09:43 bigip info sshd[24310]: 01070417:6: AUDIT - user root - RAW: pam_ldap terminating connection to non-SSL ldap server 1.2.3.4 on port 389.
    May  9 14:09:43 bigip info sshd(pam_audit)[24310]: 01070417:6: AUDIT - user admin_test - RAW: sshd(pam_audit): User=admin_test tty=ssh host=1.1.1.1 failed to login after 1 attempts (start="Mon May  9 14:00:52 2016" end="Mon May  9 14:09:43 2016").
    [root@bigip:Active:Standalone] config  grep 24310 /var/log/secure
    May  9 14:09:41 bigip err sshd[24310]: pam_ldap: ldap_search_s Can't contact LDAP server
    May  9 14:09:41 bigip notice sshd[24310]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=1.1.1.1  user=admin_test
    May  9 14:09:43 bigip info sshd(pam_audit)[24310]: User=admin_test tty=ssh host=1.1.1.1 failed to login after 1 attempts (start="Mon May  9 14:00:52 2016" end="Mon May  9 14:09:43 2016").
    May  9 14:09:43 bigip info sshd(pam_audit)[24310]: 01070417:6: AUDIT - user admin_test - RAW: sshd(pam_audit): User=admin_test tty=ssh host=1.1.1.1 failed to login after 1 attempts (start="Mon May  9 14:00:52 2016" end="Mon May  9 14:09:43 2016").

Am I missing something, or is there a bug in version 11.5.4 HF1?

I am sure authentication from F5 to AD servers is working fine as the same AD servers are used by APM.

  • Hello,


    Is it possible that there is a password enforcement policy configured with local authentication on the BIG-IP, and the password used by this user doesn't match the policy?


      Stanislas_Piro2
      Hi, there is no password policy in local authentication. The AD server answers, but TMOS is still waiting for 9 minutes.
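As an added diagnostic helper (not code from the thread, from F5 or from TMOS), the script below correlates the audit and secure log lines quoted in the post by sshd PID, measures the gap between pam_ldap opening the connection and validating the credentials, and flags the non-SSL bind. It assumes the year 2016 (as the audit lines state) and an arbitrary 30-second "slow" threshold.

```python
import re
from datetime import datetime

# Lines quoted in the post above (/var/log/audit and /var/log/secure for PID 24310).
AUDIT_LOG = """\
May  9 14:00:55 bigip info sshd[24310]: 01070417:6: AUDIT - user root - RAW: pam_ldap initiating connection to non-SSL ldap server 1.2.3.4 on port 389.
May  9 14:09:41 bigip info sshd[24310]: 01070417:6: AUDIT - user root - RAW: pam_ldap validating credentials for user 'admin_test' against non-SSL ldap server 1.2.3.4 on port 389.
May  9 14:09:43 bigip info sshd[24310]: 01070417:6: AUDIT - user root - RAW: pam_ldap terminating connection to non-SSL ldap server 1.2.3.4 on port 389.
"""
SECURE_LOG = """\
May  9 14:09:41 bigip err sshd[24310]: pam_ldap: ldap_search_s Can't contact LDAP server
May  9 14:09:41 bigip notice sshd[24310]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=1.1.1.1  user=admin_test
May  9 14:09:43 bigip info sshd(pam_audit)[24310]: User=admin_test tty=ssh host=1.1.1.1 failed to login after 1 attempts (start="Mon May  9 14:00:52 2016" end="Mon May  9 14:09:43 2016").
"""

LINE_RE = re.compile(r"^(\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ \S+ \S+\[(\d+)\]: (.*)$")
SERVER_RE = re.compile(r"(non-SSL )?ldap server (\S+) on port (\d+)")

def parse(text):
    """Yield (timestamp, pid, message) for each syslog-style line; year assumed 2016."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%b %d %H:%M:%S").replace(year=2016)
            yield ts, m.group(2), m.group(3)

def correlate(audit_text, secure_text):
    """Group pam_ldap events by sshd PID: server, connect/validate times, errors."""
    sessions = {}
    for ts, pid, msg in list(parse(audit_text)) + list(parse(secure_text)):
        s = sessions.setdefault(pid, {"server": None, "plaintext": False,
                                      "connect": None, "validate": None, "errors": []})
        if "pam_ldap initiating connection" in msg:
            s["connect"] = ts
            sm = SERVER_RE.search(msg)
            s["server"] = f"{sm.group(2)}:{sm.group(3)}"
            s["plaintext"] = sm.group(1) is not None
        elif "pam_ldap validating credentials" in msg:
            s["validate"] = ts
        elif "pam_ldap:" in msg:                      # error lines from /var/log/secure
            s["errors"].append(msg.split("pam_ldap: ", 1)[1])
    return sessions

def diagnose(sessions, slow_after=30):
    """Return human-readable findings: long hangs (timeout, not rejection), errors, cleartext binds."""
    findings = []
    for pid, s in sessions.items():
        if s["connect"] and s["validate"]:
            delay = (s["validate"] - s["connect"]).total_seconds()
            if delay > slow_after:
                findings.append(f"pid {pid}: {delay:.0f}s from connect to {s['server']} until credential "
                                f"validation; looks like a timeout rather than a bind rejection")
        findings.extend(f"pid {pid}: pam_ldap error: {e}" for e in s["errors"])
        if s["plaintext"]:
            findings.append(f"pid {pid}: credentials sent to {s['server']} without TLS")
    return findings
```

Running `diagnose(correlate(AUDIT_LOG, SECURE_LOG))` on the quoted lines reports a 526-second gap (14:00:55 to 14:09:41), the "Can't contact LDAP server" error, and the cleartext bind.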