cancel
Showing results for 
Search instead for 
Did you mean: 
Login & Join the DevCentral Connects Group to watch the Recorded LiveStream (May 12) on Basic iControl Security - show notes included.

Authentication: Remote - Active directory + Microsoft RBAC

Daniel_Elkins
Nimbostratus
Nimbostratus

I have configured user authentication using Remote - Active directory, but it does not seem to be properly searching groups and applying the appropriate roles.

0691T000009ipq8QAA.jpg

 

 

 

 I have confirmed at the CLI that we have LDAPS working to bind and find accounts

 

ldapsearch -xLLL -H 'ldap://<my AD server>' -b "<my search base>" -s sub -D "<my bind account>" -w '<my bind password>"(samAccountName=adm_delkins)"

 

the output finds the groups I am a member of as follows:

<truncated for brevity>

DC=local

objectClass: top

objectClass: person

objectClass: organizationalPerson

objectClass: user

cn: Dan Elkins

sn: Elkins

memberOf: CN=RBaC-<mydomain>-Network,OU=<my local domain OU>,DC=<my domain>,DC=<my TLD>

memberOf: CN=Domain Admins,CN=Users,DC=<My domain>,DC=<my tld>

 

My user account is a member of my Microsoft Active Directory RBAC group

0691T000009ipssQAA.jpg

 

 

 

 

This Microsoft Active Directory RBAC group is a member of the group created for F5 Admin

0691T000009ipstQAA.jpg

 

 

 

 

I have created these same groups on my LTM in the remote role groups with the same name as my AD group that RBAC is a meber of:

0691T000009iptRQAQ.jpg

 

 

 

 

The only way I can validate that I can authenticate to LDAP at all is when I enable the "External Users" in the authentication config. This successfully authenticates me with LDAP, but since I don't match any groups, it just logs me in as Guest instead of Administrator. At least I can see LDAP working ...

0691T000009ipsvQAA.jpg

 

 

 

 

While working with another vendor I had to configure that system to use a recursive LDAP search in order to get LDAP to work with the Microsoft Active Directory RBAC groups.

 

If this is possibly the same issue, is there a method to enable a recursive search on the F5.

 

If this is not likely the issue, what have I configured incorrectly that is preventing my users from authenticating with proper roles?

Any pointers would be appreciated as I need to get a working solution.

 

1 REPLY 1

Daniel_Elkins
Nimbostratus
Nimbostratus

This issue was resolved via F5 supoport who advised me to modify the configuration in "remote role group" to add "memberOf=" in front of group name I entered in the attribute string field for the defined group. This allowed me to log in with a user in active directory was explicitly assigned to the group in question.

 

Badd example:

 

CN=F5Admins,OU=<myDomain> Users & Groups,DC=<myDomain>,DC=local

 

Working example:

 

memberOf=CN=F5Admins,OU=<myDomain> Users & Groups,DC=<myDomain>,DC=local

 

I have however discovered that if you have this group in another nested group within Active Directory authentication still fails. From what I have researched the limited scope available in the LDAP configuration is lacking the "recursive" query option for LDAP.

 

https://clouddocs.f5.com/cli/tmsh-reference/v15/modules/auth/auth_ldap.html?highlight=ldap

This document shows that even at the CLI configuration within TMSH the only options for query scope are:

 

scope [base | one | sub]

 

The good news is, this particular issue of group configuration has been resolved, but the new issue of nested group memberships is stillbroken to my knowledge.