Forum Discussion
Use of LOCAL Database Authentication and AD Authentication in APM
Dear Experts,
We have a requirement where we need to add both (local and AD auth) in the same Access Policy, because we have some users who are not registered under AD but need to access APM resources.
Is there any way we can differentiate that a user does not belong to AD and forward them to the Local Authentication branch, without the user experiencing a login error?
I tried adding Local Database Auth on the fallback path, but it takes 3 attempts to reach the Local Database Authentication branch, resulting in failed attempts for the user.
Any help will be appreciated.
Regards, Ibrahim
11 Replies
- Alexandru_Atudo
Nimbostratus
You could try switching the AD auth to 1 attempt, then put the local auth on the fallback path. Or you could put an AD Query after the logon box, before the AD auth, that will query the AD for the username, and if it's not in there, fall back to the local auth.
- Stanislas_Piro2
Cumulonimbus
Hi,
Can you create local user names with a predictable pattern and create a branch rule on the logon page filtering on this pattern?
I mean the local user name always starts with ext- and the branch condition is:
expr { [mcget {session.logon.last.username}] starts_with "ext-" }
- Ibrahim_Kadiri
Nimbostratus
hi,
Creating users with a predictable pattern is not recommended by the management. They need something to be done by APM, nothing at the user level, because users will be created with their email address.
Thanks for your input.
- Alexandru_Atudo
Nimbostratus
What about a third field on the logon page? A domain drop-down box with two options (i.e. external and internal) and then create a branch rule like:
expr { [mcget {session.logon.last.domain}] contains "external" }
- Stanislas_Piro2
Cumulonimbus
Do users who don't have an AD account have an email address with the same domain?
AD Auth:
expr { [mcget {session.logon.last.username}] ends_with "@company.com" }
LocalDB auth:
fallback
- Ibrahim_Kadiri
Nimbostratus
hi,
It worked with the AD Query option, but the issue now is with assigning resources to groups. There is no option for assigning resources to a specific group.
E.g.: If user is a member of RDP --> assign RDP. If user is a member of Portal --> assign Portal.
- Ibrahim_Kadiri
Nimbostratus
hi,
I tried using LOCAL DB GROUP CHECK under Advanced Resource Assignment, but it doesn't work.
Any help?
- kunjan
Nimbostratus
How about AD resource assign agent? Will it help?
https://support.f5.com/kb/en-us/solutions/public/16000/300/sol16306.html
- Ibrahim_Kadiri
Nimbostratus
For AD groups it's working fine, but if a user is coming from the Local Database and he is a member of multiple groups, resource assignment is failing. But if I keep the user in a single group it's working normally.
For e.g.: User 1 is a member of Group 1 only... it works fine.
If User 1 is a member of Group 1 and Group 2, or say multiple groups... I get an error in the logs:
**Rule evaluation failed with error: invalid command name "Expression:"**
- kunjan
Nimbostratus
Can you provide the expression? Seems like some expression error. Try with a space in expr, if there is not one.