Forum Discussion
Unable to use LDAP for Administrator Login to our LTM
Hello:
I need to configure LDAP for administrators to log into the management interface of our LTM (BIG-IP 12.1.2 Build 1.0.271 Hotfix HF1). I have followed several articles on this but no luck.
But so far nothing I have done is getting this to work. If I log out of the local admin account on my appliance and try to log in with my network credentials, I can see the event hit my domain controller for the LDAP bind of the F5 service account, but the login always fails with no details surrounding why. I have tried enabling external users as admin for testing purposes and I even set up a remote role group that checks an AD group membership and grants Admin rights to those users but still no luck. Any thoughts?
- NetAdminCoop_36
Nimbostratus
Here is some deployment info:
User Directory: Remote - Active Directory
Host: IP ADDRESS OF DOMAIN CONTROLLER
Port: 389
Remote Directory Tree: DC=XXXXX,DC=XXXXX,DC=XXXXX
Scope: Base
Bind DN: DN OF SERVICE ACCOUNT
Check Member Attribute in Group: Enabled
SSL: Disabled
Login LDAP Attribute: samaccountname
External Users Role: No Access
Partition Access: All
Terminal Access: Disabled
- Peter_Baumann
Cirrostratus
Example of a working config with Active Directory:
- You need to change bind-dn, bind-pw and servers for your AD
- Change the remote-role according to your AD group objects
- The UPN (userPrincipalName) will be used for login (e.g. name@domain.com)
Use in tmsh "load sys config merge from-terminal" and paste the following text:

    auth ldap system-auth {
        bind-dn CN=yourusername,OU=yourorg,DC=domain,DC=com
        bind-pw yourpassword
        login-attribute userPrincipalName
        port ldaps
        search-base-dn DC=domain,DC=com
        servers { dc.domain.com }
        ssl enabled
    }
    auth remote-role {
        role-info {
            LDAP-Administrator {
                attribute "memberOF=CN=Domain Admins,DC=domain,DC=com"
                console tmsh
                line-order 1
                role administrator
                user-partition All
            }
            LDAP-ReadOnly {
                attribute "memberOF=CN=Domain Users,DC=domain,DC=com"
                line-order 2
                role guest
                user-partition All
            }
        }
    }
    auth remote-user {
        default-partition Common
    }
    auth source {
        type active-directory
    }
- youssef1
Cumulonimbus
Hello,
Did you try to use another "Login LDAP Attribute"? I had to use CN instead of samaccountname...
Then change your scope to Sub (Specifies that the system searches all sub-directories of the Active Directory database.)
If you encounter additional problems check your logs:
less /var/log/secure
K15811: Troubleshooting LDAP authentication for BIG-IP administrative users
https://support.f5.com/csp/article/K15811
Regards
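To see why the scope and login-attribute settings discussed above decide whether a user is found, and how the remote-role line-order in the earlier config picks the role, here is a toy model of the lookup BIG-IP performs (an added example, not code from this thread or from F5; the directory entries, group names and remote-role lines are constructed):

```python
# Constructed sample directory: DN -> attributes (values are lists, as in LDAP).
DIRECTORY = {
    "DC=domain,DC=com": {"objectClass": ["domain"]},
    "CN=Users,DC=domain,DC=com": {"objectClass": ["container"]},
    "CN=Jane Doe,CN=Users,DC=domain,DC=com": {
        "sAMAccountName": ["jdoe"], "userPrincipalName": ["jdoe@domain.com"],
        "memberOf": ["CN=F5-Admins,OU=Groups,DC=domain,DC=com",
                     "CN=Domain Users,CN=Users,DC=domain,DC=com"]},
    "CN=Bob Smith,CN=Users,DC=domain,DC=com": {
        "sAMAccountName": ["bsmith"], "userPrincipalName": ["bsmith@domain.com"],
        "memberOf": ["CN=Domain Users,CN=Users,DC=domain,DC=com"]},
}
# Hypothetical remote-role lines: (line-order, memberOf group DN, BIG-IP role).
ROLE_LINES = [(1, "CN=F5-Admins,OU=Groups,DC=domain,DC=com", "administrator"),
              (2, "CN=Domain Users,CN=Users,DC=domain,DC=com", "guest")]

def attr(attrs, name):
    """LDAP attribute names are case-insensitive (samaccountname == sAMAccountName)."""
    return [v for k, vs in attrs.items() if k.lower() == name.lower() for v in vs]

def in_scope(dn, base, scope):
    """base: only the base entry itself; sub: the base and every descendant."""
    dn, base = dn.lower(), base.lower()
    if scope == "base":
        return dn == base
    if scope == "sub":
        return dn == base or dn.endswith("," + base)
    raise ValueError("unknown scope: " + scope)

def find_user(login_attr, username, base, scope):
    """The user lookup done with login-attribute/search-base-dn/scope: one hit required."""
    hits = [dn for dn, attrs in DIRECTORY.items()
            if in_scope(dn, base, scope)
            and username.lower() in [v.lower() for v in attr(attrs, login_attr)]]
    return hits[0] if len(hits) == 1 else None

def assign_role(dn, default_role="no-access"):
    """First line in line-order whose group the user belongs to wins; else External Users role."""
    groups = {g.lower() for g in attr(DIRECTORY[dn], "memberOf")}
    for _, group, role in sorted(ROLE_LINES):
        if group.lower() in groups:
            return role
    return default_role

def login(login_attr, username, base, scope):
    """Return the role the user would get, or None when the lookup finds nobody."""
    dn = find_user(login_attr, username, base, scope)
    return assign_role(dn) if dn else None
```

With Scope Base and a search base of DC=domain,DC=com, only the domain object itself is examined, so no user entry can ever match; Scope Sub finds the user and the first matching remote-role line assigns the role.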
- Gurus
Altostratus
When enabling LDAP authentication.... if you have any automation using bigsuds it probably will not work.