Forum Discussion
Jason_46956
Nimbostratus
Nov 07, 2011
Using different field to identify user when using Active Directory as AAA server
All,
As the Subject/Summary says - we would like to use an alternate field for the identification of the user.
We were previously using LDAP and it was a simple matter to customise the query, but with using Active Directory there does not appear to be an option to do this.
I suspect it would be possible to do this using a LDAP Query before the AD Auth steps, but not exactly sure how to tie the two steps together.
Can anyone point me in the right direction?
Thanks,
Jason
6 Replies
- nitass
Employee
not sure if i understand correctly. when i configure active directory user authentication (system > users > authentication), the configuration is under auth ldap system-auth portion (b auth ldap list all). isn't it configurable as ldap?
- Kurt Knochner
Jason,
is this for admin or user authentication?
And what do you mean by "I suspect it would be possible to do this using a LDAP Query before the AD Auth steps"?
Regards
Kurt Knochner
- Jason_46956
Nimbostratus
Not sure what happened with my original Subject line, but the important bit of information missing is that this is using the APM module.
So, it is not for authenticating administrators, but for authenticating users accessing a website behind an APM logon form.
What we would like is for the user to be able to use their email address instead of using their sAMAccountName to identify themselves.
The bit about using a 'LDAP Query' was talking about adding a pipeline step in the APM Policy Editor that used the entered user email address to do an LDAP lookup on AD, pulling out their sAMAccountName, and then passing this through to the 'AD Auth' step.
Hope this is a little clearer now.
Jason
- Hamish
Cirrocumulus
Gut feeling is that you should be able to do this in an iRule... but I haven't looked too hard at how easy it would be.
H
- Kurt Knochner
> What we would like is for the user to be able to use their email address instead of using their sAMAccountName to identify themselves.
O.K. let's narrow this down. Are you talking about the e-mail address or about the user principal name (UPN: username@domain), which looks like an e-mail address, but it's not? The latter one might be easier, as this would probably just require a change of the user attribute to userprincipalname (instead of samaccountname).
If it's really the e-mail address, then you would need an iRule to query the LDAP server and get the attribute samaccountname, however there is no easy way to query the LDAP server within an iRule, other than implementing the LDAP protocol at TCP level. See this link as a starting point: http://devcentral.f5.com/wiki/iRules.LDAPProxy.ashx.
Regards
Kurt Knochner
- Hamish
Cirrocumulus
I've been looking at this today... I think you could do a mapping within the VPE for this... Maybe...
H
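The lookup step Jason describes (take the entered e-mail address, query AD for the matching object, hand its sAMAccountName to the AD Auth step) and the e-mail-versus-UPN distinction Kurt raises, as an added example that is not part of any post in this thread and not F5 code. It is a Python stand-in: the directory entries are constructed, the in-memory search replaces a real APM LDAP Query step, and the domain suffix list is an assumption. Two points a practitioner would want in that step are shown: the entered value is escaped before it goes into the LDAP filter, and the lookup fails closed unless exactly one object matches.

```python
"""Stand-in for the 'LDAP Query -> AD Auth' mapping discussed in the thread.

SAMPLE_DIRECTORY is a constructed in-memory sample; mock_search replaces the
real LDAP query that an APM LDAP Query step would send. Not F5 code.
"""
import re
from typing import Optional

# Constructed sample entries with the attributes the query step would read back.
# The third entry deliberately shares a mail value to show the ambiguity case.
SAMPLE_DIRECTORY = [
    {"sAMAccountName": "jsmith", "userPrincipalName": "jsmith@corp.example",
     "mail": "john.smith@example.com"},
    {"sAMAccountName": "adoe", "userPrincipalName": "adoe@corp.example",
     "mail": "alice.doe@example.com"},
    {"sAMAccountName": "adoe2", "userPrincipalName": "adoe2@corp.example",
     "mail": "alice.doe@example.com"},
]

# Assumed UPN suffixes of the forest; a value ending in one of these is a UPN,
# not an e-mail address (Kurt's distinction).
UPN_SUFFIXES = ("corp.example",)

# RFC 4515: characters that must be escaped inside a filter assertion value.
_LDAP_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_ldap_filter_value(value: str) -> str:
    """Escape a user-supplied value so it cannot alter the filter's structure."""
    return "".join(_LDAP_ESCAPES.get(ch, ch) for ch in value)


def build_lookup_filter(attribute: str, entered: str) -> str:
    """The filter the lookup step would send, e.g. (&(objectClass=user)(mail=...))."""
    return f"(&(objectClass=user)({attribute}={escape_ldap_filter_value(entered)}))"


def mock_search(directory, attribute: str, value: str):
    """In-memory stand-in for the LDAP search (AD matches these attributes
    case-insensitively). Returns the raw list of matching entries."""
    return [e for e in directory if e.get(attribute, "").lower() == value.lower()]


def resolve_sam_account(entered: str, directory=SAMPLE_DIRECTORY,
                        upn_suffixes=UPN_SUFFIXES) -> Optional[str]:
    """Map what the user typed at the logon form to a sAMAccountName.

    Returns None (fail closed) when the value is malformed, unknown, or
    matches more than one object; the caller must then not proceed to AD Auth.
    """
    entered = entered.strip()
    # Shape check only; escaping, not rejection, handles filter metacharacters.
    if not re.fullmatch(r"[^\s@]+@[^\s@]+", entered):
        return None
    domain = entered.rsplit("@", 1)[1].lower()
    # UPN: look the object up by userPrincipalName; otherwise treat it as mail.
    attribute = "userPrincipalName" if domain in upn_suffixes else "mail"
    matches = mock_search(directory, attribute, entered)
    if len(matches) != 1:
        return None
    return matches[0]["sAMAccountName"]


if __name__ == "__main__":
    for typed in ("john.smith@example.com", "JSMITH@corp.example",
                  "alice.doe@example.com", "a*b@example.com"):
        print(typed, "->", build_lookup_filter("mail", typed),
              "->", resolve_sam_account(typed))
```

The resolved sAMAccountName is what would be written into the session variable consumed by the AD Auth step; the ambiguity check matters because `mail` is not a unique attribute in AD, whereas `userPrincipalName` is.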