
Issue Using Remote LDAP Authentication

pcastagnaro_709
Nimbostratus

I configured BIG-IP to authenticate LDAP users following the official tutorial (http://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/ltm-implementations-11-3-0/31.html), but when the website shows the authentication prompt and I enter correct credentials, BIG-IP exchanges the logon credentials with the LDAP server correctly (I checked with a pcap capture) and then requests the credentials again. When I enter the correct credentials again, the process repeats and I cannot log on to the page.

You can see in this image that the negotiation between the BIG-IP server and the LDAP server is correct: https://docs.google.com/file/d/0B83010gTagQXRjJaWlk1NUxsVVk/edit?usp=sharing, so I do not know why BIG-IP requests credentials every time.

I have used the "ldapsearch" command from the SSH console to check the authentication process, and I can see that the connection succeeded and the credentials are correct (you can see the command output in the "query_from_ldapsearch2.txt" file I have attached).

Thank you very much in advance.

Kind regards.

11 REPLIES

nitass
F5 Employee
Do you have a pcap which captures both the application and the LDAP traffic? Just wondering if there are multiple TCP connections.

pcastagnaro_709
Nimbostratus

Dear nitass,

I do not have an LDAP traffic capture. If you think you need it, I could capture this traffic. Just tell me if you need it.

Kevin_Stewart
F5 Employee

What happens if you apply the default _sys_auth_ldap iRule to the LDAP auth profile?

Also try this - edit the existing iRule and add a log statement to your AUTH_RESULT event:

    when AUTH_RESULT {
        log local0. "AUTH status = [AUTH::status]"
        if { [AUTH::status] != 0 } {
            HTTP::respond 401
        } else {
            HTTP::release
        }
    }

nitass
F5 Employee

> I do not have an LDAP traffic capture. If you think you need it, I could capture this traffic. Just tell me if you need it.

Sorry, I think that is not the case. I just noticed there is only one 3-way handshake, so it should not be multiple TCP connections.

nitass
F5 Employee
Can you try the "login-attribute" setting in conector_con_AD?

This is my testing. tasmania is the web user.

    root@(ve11a)(cfg-sync Changes Pending)(Active)(/Common)(tmos) show sys version|grep -A 5 Main\ Package
    Main Package
      Product  BIG-IP
      Version  11.3.0
      Build    3022.0
      Edition  Hotfix HF3
      Date     Fri Feb 22 00:00:34 PST 2013

    root@(ve11a)(cfg-sync Changes Pending)(Active)(/Common)(tmos) list ltm virtual bar
    ltm virtual bar {
        auth {
            Perfil_AD
        }
        destination 172.28.20.16:80
        ip-protocol tcp
        mask 255.255.255.255
        pool foo
        profiles {
            http { }
            tcp { }
        }
        source 0.0.0.0/0
        source-address-translation {
            type automap
        }
        vlans-disabled
    }

    root@(ve11a)(cfg-sync Changes Pending)(Active)(/Common)(tmos) list ltm auth profile Perfil_AD
    ltm auth profile Perfil_AD {
        app-service none
        configuration conector_con_AD
        credential-source http-basic-auth
        defaults-from ldap
        rule AUTH_LDAP_URL_v1
        type ldap
    }

    root@(ve11a)(cfg-sync Changes Pending)(Active)(/Common)(tmos) list ltm auth ldap conector_con_AD
    ltm auth ldap conector_con_AD {
        bind-dn cn=administrator,cn=users,DC=abc,DC=com
        bind-pw password
        login-attribute sAmAccountName
        search-base-dn cn=users,DC=abc,DC=com
        servers { 172.28.20.20 }
    }

    root@(ve11a)(cfg-sync Changes Pending)(Active)(/Common)(tmos) list ltm rule AUTH_LDAP_URL_v1
    ltm rule AUTH_LDAP_URL_v1 {
        when CLIENT_ACCEPTED {
            set tmm_auth_ldap_sid [AUTH::start pam default_ldap]
        }
        when HTTP_REQUEST {
            if {[HTTP::uri] equals "/"} {
                AUTH::username_credential $tmm_auth_ldap_sid [HTTP::username]
                AUTH::password_credential $tmm_auth_ldap_sid [HTTP::password]
                AUTH::authenticate $tmm_auth_ldap_sid
                HTTP::collect
            }
        }
        when AUTH_RESULT {
            if {[AUTH::status] != 0} {
                HTTP::respond 401
            } else {
                HTTP::release
            }
        }
    }

tcpdump (one packet per line):

    No. Time Delta Time Source Src port Destination Protocol Dst port Window BiF Vlan id Length Info
    1  2013-05-04 16:55:05.469994 0.000000 00:00:00_00:00:00 00:00:00_00:00:00 0x05ff 156 Ethernet II
    2  2013-05-04 16:55:15.106749 9.636755 172.28.20.11 45448 172.28.20.20 TCP 389 14600 4094 157 OUT s0/tmm1 : 45448 > 389 [SYN] Seq=3089723857 Win=14600 Len=0 MSS=1460 SACK_PERM=1 TSval=1858114978 TSecr=0 WS=128
    3  2013-05-04 16:55:15.108900 0.002151 172.28.20.20 389 172.28.20.11 TCP 45448 64240 4094 161 IN s0/tmm1 : 389 > 45448 [SYN, ACK] Seq=89577447 Ack=3089723858 Win=64240 Len=0 MSS=1460 WS=1 TSval=0 TSecr=0 SACK_PERM=1
    4  2013-05-04 16:55:15.110082 0.001182 172.28.20.11 45448 172.28.20.20 TCP 389 14720 4094 149 OUT s0/tmm1 : 45448 > 389 [ACK] Seq=3089723858 Ack=89577448 Win=14720 Len=0 TSval=1858114982 TSecr=0
    5  2013-05-04 16:55:15.110090 0.000008 172.28.20.11 45448 172.28.20.20 LDAP 389 14720 61 4094 210 OUT s0/tmm1 : bindRequest(1) "cn=administrator,cn=users,DC=abc,DC=com" simple
    6  2013-05-04 16:55:15.112710 0.002620 172.28.20.20 389 172.28.20.11 LDAP 45448 64179 22 4094 171 IN s0/tmm1 : bindResponse(1) success
    7  2013-05-04 16:55:15.113013 0.000303 172.28.20.11 45448 172.28.20.20 TCP 389 14720 4094 149 OUT s0/tmm1 : 45448 > 389 [ACK] Seq=3089723919 Ack=89577470 Win=14720 Len=0 TSval=1858114985 TSecr=51647361
    8  2013-05-04 16:55:15.113341 0.000328 172.28.20.11 45448 172.28.20.20 LDAP 389 14720 76 4094 225 OUT s0/tmm1 : searchRequest(2) "cn=users,DC=abc,DC=com" wholeSubtree
    9  2013-05-04 16:55:15.114853 0.001512 172.28.20.20 389 172.28.20.11 LDAP 45448 64103 1412 4094 1561 IN s0/tmm1 : searchResEntry(2) "CN=tasmania,CN=Users,DC=abc,DC=com" | searchResDone(2) success [1 result]
    10 2013-05-04 16:55:15.119586 0.004733 172.28.20.11 45448 172.28.20.20 LDAP 389 17536 56 4094 205 OUT s0/tmm1 : bindRequest(3) "CN=tasmania,CN=Users,DC=abc,DC=com" simple
    11 2013-05-04 16:55:15.121659 0.002073 172.28.20.20 389 172.28.20.11 LDAP 45448 64047 22 4094 171 IN s0/tmm1 : bindResponse(3) success
    12 2013-05-04 16:55:15.122278 0.000619 172.28.20.11 45448 172.28.20.20 LDAP 389 17536 61 4094 210 OUT s0/tmm1 : bindRequest(4) "cn=administrator,cn=users,DC=abc,DC=com" simple
    13 2013-05-04 16:55:15.124744 0.002466 172.28.20.20 389 172.28.20.11 LDAP 45448 63986 22 4094 171 IN s0/tmm1 : bindResponse(4) success
    14 2013-05-04 16:55:15.164996 0.040252 172.28.20.11 45448 172.28.20.20 TCP 389 17536 4094 149 OUT s0/tmm1 : 45448 > 389 [ACK] Seq=3089724112 Ack=89578926 Win=17536 Len=0 TSval=1858115037 TSecr=51647361
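As an added aid for reading a capture like the one above (this is not code from the thread or from F5), the following Python checks what nitass checked by eye: a single 3-way handshake, plus the LDAP sequence the profile should produce, namely a bind as the service account, a search that returns the user's DN, and a bind as that DN. The sample lines and SERVICE_DN are constructed from the listing above; a real capture would be fed in as the Info column of each packet.

```python
import re
# Constructed sample: the Info column of the tcpdump listing above, one
# packet per line (TCP handshake first, then the LDAP operations).
SAMPLE_INFO = [
    "45448 > 389 [SYN] Seq=3089723857 Win=14600 Len=0 MSS=1460",
    "389 > 45448 [SYN, ACK] Seq=89577447 Ack=3089723858 Win=64240 Len=0",
    "45448 > 389 [ACK] Seq=3089723858 Ack=89577448 Win=14720 Len=0",
    'bindRequest(1) "cn=administrator,cn=users,DC=abc,DC=com" simple',
    "bindResponse(1) success",
    'searchRequest(2) "cn=users,DC=abc,DC=com" wholeSubtree',
    'searchResEntry(2) "CN=tasmania,CN=Users,DC=abc,DC=com" | searchResDone(2) success [1 result]',
    'bindRequest(3) "CN=tasmania,CN=Users,DC=abc,DC=com" simple',
    "bindResponse(3) success",
    'bindRequest(4) "cn=administrator,cn=users,DC=abc,DC=com" simple',
    "bindResponse(4) success",
]
SERVICE_DN = "cn=administrator,cn=users,DC=abc,DC=com"  # bind-dn from the config above
# Matches: opName(msgId) ["dn"] [status], e.g. bindResponse(3) success
OP_RE = re.compile(r'(\w+)\((\d+)\)(?:\s+"([^"]*)")?(?:\s+(\w+))?')

def ldap_ops(infos):
    """Return (op, msgid, dn, status) tuples; an 'a | b' line carries two ops."""
    ops = []
    for line in infos:
        for piece in line.split(" | "):
            m = OP_RE.match(piece)
            if m:
                op, mid, dn, status = m.groups()
                ops.append((op, int(mid), dn, status))
    return ops

def count_handshakes(infos):
    """Each new TCP connection starts with a bare [SYN] (not [SYN, ACK])."""
    return sum(1 for line in infos if "[SYN]" in line)

def analyze(infos, service_dn):
    """Expect one connection, a good service bind, a search hit, then a good bind as that DN."""
    ops = ldap_ops(infos)
    status = {mid: st for op, mid, _, st in ops if op in ("bindResponse", "searchResDone")}
    found = [dn for op, _, dn, _ in ops if op == "searchResEntry"]
    binds = [(dn or "", status.get(mid)) for op, mid, dn, _ in ops if op == "bindRequest"]
    service_ok = any(dn.lower() == service_dn.lower() and st == "success" for dn, st in binds)
    user = [(dn, st) for dn, st in binds if dn in found]
    return {
        "handshakes": count_handshakes(infos),
        "service_bind_ok": service_ok,
        "search_hits": found,
        "user_bind": user[0] if user else None,
        "ldap_ok": count_handshakes(infos) == 1 and service_ok and bool(user) and user[0][1] == "success",
    }
```

When every check passes, as it does for the capture above, the LDAP side is working and the re-prompt has to be explained on the HTTP side (what the iRule sends back and how the browser reacts to it).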

pcastagnaro_709
Nimbostratus
Posted By Kevin Stewart on 05/03/2013 02:44 PM

> What happens if you apply the default _sys_auth_ldap iRule to the LDAP auth profile?
>
> Also try this - edit the existing iRule and add a log statement to your AUTH_RESULT event:
>
>     when AUTH_RESULT {
>         log local0. "AUTH status = [AUTH::status]"
>         if { [AUTH::status] != 0 } {
>             HTTP::respond 401
>         } else {
>             HTTP::release
>         }
>     }

Dear Kevin Stewart,

If I apply the default _sys_auth_ldap iRule to the LDAP auth profile, it applies LDAP auth to the whole site, and I want to require authentication only on a specific path. I read a tutorial which says the following iRule works great for my specific path:

    when CLIENT_ACCEPTED {
        set tmm_auth_ldap_sid [AUTH::start pam default_ldap]
    }

    when HTTP_REQUEST {
        if {[HTTP::uri] contains "myFolder/myPage.action"} {
            AUTH::username_credential $tmm_auth_ldap_sid [HTTP::username]
            AUTH::password_credential $tmm_auth_ldap_sid [HTTP::password]
            AUTH::authenticate $tmm_auth_ldap_sid
            HTTP::collect
        }
    }

    when AUTH_RESULT {
        if {[AUTH::status] != 0} {
            HTTP::respond 401
        } else {
            HTTP::release
        }
    }

With this iRule, the LDAP server accepts the credentials, but it falls into a loop.

I tried the default _sys_auth_ldap iRule, but it falls into the same loop. The only difference between the two is that the default rule applies auth to the whole site and the custom iRule applies auth to a specific path, yet both fall into the same loop.

What does the line log local0. "AUTH status = [AUTH::status]" do?

I set this option as you said, but I get the same result.

Anyway, thank you very much for your time and your dedication.

I have no idea what or where the problem is.

Kevin_Stewart
F5 Employee
The log statement just shows what the AUTH status result is for troubleshooting. I would suggest that if you can get the default _sys_auth_ldap iRule to work in your environment, then it can be modified to support your per-URI requirement. Can you post your config?

pcastagnaro_709
Nimbostratus
Posted By Kevin Stewart on 05/16/2013 01:23 PM

> The log statement just shows what the AUTH status result is for troubleshooting. I would suggest that if you can get the default _sys_auth_ldap iRule to work in your environment, then it can be modified to support your per-URI requirement. Can you post your config?

Dear Kevin Stewart,

Where does BIG-IP store the auth log? I searched for it using "find local0" through SSH, but it did not show anything.

I am using the default _sys_auth_ldap now, but it did not resolve the issue. I just added the following lines (both in bold) to apply auth only to a specific path and to log as you said. You can see the complete iRule in the attachments:

    when HTTP_REQUEST {
        if {[HTTP::uri] contains "myFolder/myPage.action"} {
            set tmm_auth_sid [AUTH::start pam default_ldap]
            (...)

    when AUTH_RESULT {
        log local0. "AUTH status = [AUTH::status]"
        if {not [info exists tmm_auth_http_sids(ldap)] or \
        (...)

This is my active auth profile:

    ltm auth profile /Common/Perfil_AD {
        app-service none
        configuration /Common/conector_con_AD
        credential-source http-basic-auth
        defaults-from /Common/ldap
        enabled yes
        idle-timeout 300
        rule /Common/AUTH_LDAP_URL_v1
        type ldap
    }

And this is my configuration:

    ltm auth ldap /Common/conector_con_AD {
        bind-dn "CN=myUser,OU=FUNCIONES,OU=SISTEMAS,OU=SEDE,DC=mydomain,DC=com,DC=ar"
        bind-pw myPassword
        check-host-attr enabled
        debug enabled
        search-base-dn "OU=FUNCIONES,OU=SISTEMAS,OU=SEDE,DC=mydomain,DC=com,DC=ar"
        servers { 19X.1XX.XX.1XX }
    }

With this overall configuration, auth falls into a loop 😞

PS: Thank you very much for your active help and your dedication.

pcastagnaro_709
Nimbostratus
Posted By nitass on 05/04/2013 02:20 AM

> Can you try the "login-attribute" setting in conector_con_AD?
>
> This is my testing. tasmania is the web user.
>
> [tmsh output and tcpdump listing quoted from nitass's reply above]

Dear nitass,

I set sAmAccountName in login-attribute, but I got the same result.

nitass
F5 Employee

> Where does BIG-IP store the auth log? I searched for it using "find local0" through SSH, but it did not show anything.

Have you checked /var/log/ltm?

pcastagnaro_709
Nimbostratus
Posted By nitass on 05/18/2013 04:09 AM

> Where does BIG-IP store the auth log? I searched for it using "find local0" through SSH, but it did not show anything. Have you checked /var/log/ltm?
 

Dear nitass,

Yes, I did. I have checked /var/log/ltm, but there is nothing there with local.

I tried with valid and invalid credentials.