Login to Big-IP 14.1.2.3 and 15.0.1 Configuration utility via LDAP fails with nearly 50% probability

Ford_Prefect · ‎05-Mar-2020

Greetings,

After update from Big-IP 14.0.0.3 remote LDAP authentication fails time to time using the same correct credentials (i.e. 3 negative responses and following 2 are positive). I've tried to change idle timeout with no luck. ldapsearch responds with 0 Success code. Sometimes it takes 5 attemptes before I am logged in.

/var/log/secure:

Mar 5 13:30:13 mybigip.com err httpd[31489]: pam_ldap(httpd:auth): error reading from nslcd: Connection reset by peer
Mar 5 13:30:13 mybigip.com warning httpd[31489]: pam_unix(httpd:auth): check pass; user unknown
Mar 5 13:30:13 mybigip.com notice httpd[31489]: pam_unix(httpd:auth): authentication failure; logname= uid=48 euid=48 tty= ruser= rhost=192.168.5.10
Mar 5 13:30:16 mybigip.com err httpd[31489]: [auth_pam:error] [pid 31489] [client 192.168.5.10:53225] AUTHCACHE PAM: user 'f5' (fallback: false) - not authenticated: Authentication failure, referer: https://192.168.5.5/tmui/login.jsp
Mar 5 13:30:16 mybigip.com info httpd(pam_audit)[31489]: User=f5 tty=(unknown) host=192.168.5.10 failed to login after 1 attempts (start="Thu Mar 5 13:30:13 2020" end="Thu Mar 5 13:30:16 2020").
Mar 5 13:30:16 mybigip.com info httpd(pam_audit)[31489]: 01070417:6: AUDIT - user f5 - RAW: httpd(pam_audit): User=f5 tty=(unknown) host=192.168.5.10 failed to login after 1 attempts (start="Thu Mar 5 13:30:13 2020" end="Thu Mar 5 13:30:16 2020").

nslcd in debug mode:

nslcd: DEBUG: accept() failed (ignored): Resource temporarily unavailable
nslcd: [43a858] DEBUG: connection from pid=31489 uid=48 gid=48
nslcd: [43a858] <authc="f5"> DEBUG: nslcd_pam_authc("f5","httpd","***")
nslcd: [43a858] <authc="f5"> DEBUG: myldap_search(base="OU=admins,DC=mydomain,DC=com", filter="(&(sAMAccountName=*)(sAMAccountName=f5))")
nslcd: [43a858] <authc="f5"> DEBUG: ldap_result(): CN=f5,OU=admins,DC=mydomain,DC=com
nslcd: [43a858] <authc="f5"> DEBUG: myldap_search(base="CN=f5,OU=admins,DC=mydomain,DC=com", filter="(objectClass=*)")
nslcd: [43a858] <authc="f5"> DEBUG: ldap_initialize(ldap://mydomain.com:389)
nslcd: [43a858] <authc="f5"> DEBUG: ldap_set_rebind_proc()
nslcd: [43a858] <authc="f5"> DEBUG: ldap_set_option(LDAP_OPT_PROTOCOL_VERSION,3)
nslcd: [43a858] <authc="f5"> DEBUG: ldap_set_option(LDAP_OPT_DEREF,0)
nslcd: [43a858] <authc="f5"> DEBUG: ldap_set_option(LDAP_OPT_TIMELIMIT,30)
nslcd: [43a858] <authc="f5"> DEBUG: ldap_set_option(LDAP_OPT_TIMEOUT,30)
nslcd: [43a858] <authc="f5"> DEBUG: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT,30)
nslcd: [43a858] <authc="f5"> DEBUG: ldap_set_option(LDAP_OPT_REFERRALS,LDAP_OPT_ON)
nslcd: [43a858] <authc="f5"> DEBUG: ldap_set_option(LDAP_OPT_RESTART,LDAP_OPT_ON)
nslcd: [43a858] <authc="f5"> DEBUG: ldap_simple_bind_s("CN=f5,OU=admins,DC=mydomain,DC=com","***") (uri="ldap://mydomain.com:389")
nslcd: [43a858] <authc="f5"> DEBUG: set_socket_timeout(30,500000)
nslcd: [43a858] <authc="f5"> DEBUG: ldap_result(): CN=f5,OU=admins,DC=mydomain,DC=com
nslcd: [43a858] <authc="f5"> DEBUG: set_socket_timeout(15,0)
nslcd: [43a858] <authc="f5"> DEBUG: ldap_unbind()
nslcd: [43a858] <authc="f5"> DEBUG: bind successful
nslcd: [43a858] <authc="f5"> DEBUG: myldap_search(base="OU=admins,DC=mydomain,DC=com", filter="(&(objectClass=shadowAccount)(uid=f5))")
nslcd: [43a858] <authc="f5"> DEBUG: ldap_result(): end of results (0 total)
nslcd: [1d5ae9] DEBUG: connection from pid=31489 uid=48 gid=48
nslcd: DEBUG: accept() failed (ignored): Resource temporarily unavailable
nslcd: [1d5ae9] <get_attributes="f5"> DEBUG: nslcd_pam_get_attributes("f5","httpd","","192.168.5.10","","***")
nslcd: [1d5ae9] <get_attributes="f5"> DEBUG: myldap_search(base="OU=admins,DC=mydomain,DC=com", filter="(&(sAMAccountName=*)(sAMAccountName=f5))")
nslcd: [1d5ae9] <get_attributes="f5"> ldap_search_ext() failed: Can't contact LDAP server: Connection reset by peer
nslcd: [1d5ae9] <get_attributes="f5"> DEBUG: set_socket_timeout(15,0)
nslcd: [1d5ae9] <get_attributes="f5"> DEBUG: ldap_unbind()
nslcd: [1d5ae9] <get_attributes="f5"> DEBUG: "f5": user not found: Can't contact LDAP server

/var/log/httpd/httpd_errors

Mar 5 13:13:34 mybigip.com err httpd[31490]: [auth_pam:error] [pid 31490] [client 192.168.5.10:52914] AUTHCACHE PAM: user 'f5' (fallback: false) - not authenticated: Authentication failure, referer: https://192.168.5.5/tmui/login.jsp?msgcode=1&

/var/log/daemon.log

Mar 5 13:13:33 mybigip.com warning nslcd[3968]: [a2a8d4] <authc="f5"> ldap_search_ext() failed: Can't contact LDAP server: Connection reset by peer

Thank you in advance for help=)

Ford_Prefect · ‎04-Nov-2020

The problem was hidden in empty LDAP user attributes, you need to fill each LDIF scheme user attribute with an appropriate value to bring authentication back to work. You should not leave any single attribute empty. https://cdn.f5.com/product/bugtracker/ID950153.html

View solution in original post

Henric_Petterss · ‎05-Mar-2020

I don't have a solution, but can confirm that we have the same problem, and our logs looks a lot like yours. I've notices there are many open bugs related to ldap login, so hopefully this will be fixed soon.

Beaker · ‎22-Jul-2020

We had the same issue but following this article we are no longer seeing the problem:

https://support.f5.com/csp/article/K72830550

tmsh modify auth ldap system-auth idle-timeout 295

Ford_Prefect · ‎04-Nov-2020

The problem was hidden in empty LDAP user attributes, you need to fill each LDIF scheme user attribute with an appropriate value to bring authentication back to work. You should not leave any single attribute empty. https://cdn.f5.com/product/bugtracker/ID950153.html

DevCentral

Login to Big-IP 14.1.2.3 and 15.0.1 Configuration utility via LDAP fails with nearly 50% probability

MFA required on DevCentral