cancel
Showing results for 
Search instead for 
Did you mean: 

AD QUERY FOR APM POLICY

Oreoluwa
Altocumulus
Altocumulus

Hi, How can i specify the group a user must be a member of in the AD query component of the APM policy on the F5. It seems like there has to be a format for the specification of the group on the AD query. Please i need help on this.

8 REPLIES 8

Yoann_Le_Corvi1
Cumulonimbus
Cumulonimbus

Hi,

 

Are you talking about the Branch Rule ?

Normally, in the AD Query, you can create a Banch Rule that sets :

Context: AD Query

Condition: User is Member Of

DN: CN=MY_GROUP, CN=Users, DC=MY_DOMAIN

 

It should be really straighforward.

 

Yoann

Yes i know this format of the AD query is what is default on the F5 APM however, it does not work. That is, the users in the group i specified in this DN are not seeing what they are expected to see on their portal access. They still what every other user sees on the webtop.

Yoann_Le_Corvi1
Cumulonimbus
Cumulonimbus

Hmm,

 

You confirm that the DN entered there matches the distinguished name attribute in Active Directory Object editor for the user group in question ?

Also, we occasionally hit limitation when the number of group the user belongs to is to big. Could that be your case ?

 

Yoann

Can you see and confirm from the APM debug logs whether those users are going through the expected branch or whether they hit another one?

Hi guys, so i found that there was am ad group resource assignment where i could specify groups i have imported from the Actice Directory to the F5. This has worked on my lab and i have different portal views foe different groups of users. However, at a production site, the import of groups is failing. Showing an error unable to import group. I have confirmed that the F5 can reach the AD and query it. It just doesnt import the groups. Any solution to this please??

Hi,

 

Have you tried to use the same user in APM AD server config to query the AD server by "ldapsearch" in command line?

 

Also, F5 will send request to port 88 of AD server when you configured AD in "Active Directory" section, but if LDAP is used to configure AD, F5 will send request to port 389 or 636. Hope this helps.

did you get this working Oreoluwa?

 

if so flag the question as answered.

yes. Using AD group resource assignment after i had imported the group on the AD on F5.