Login to Big-IP 14.1.2.3 and 15.0.1 Configuration utility via LDAP fails with nearly 50% probability

Ford_Prefect
Cirrus

Greetings,

After the update from Big-IP 14.0.0.3, remote LDAP authentication fails from time to time using the same correct credentials (i.e. 3 negative responses and the following 2 are positive). I've tried to change the idle timeout with no luck. ldapsearch responds with the 0 Success code. Sometimes it takes 5 attempts before I am logged in.

/var/log/secure:

Mar 5 13:30:13 mybigip.com err httpd[31489]: pam_ldap(httpd:auth): error reading from nslcd: Connection reset by peer
Mar 5 13:30:13 mybigip.com warning httpd[31489]: pam_unix(httpd:auth): check pass; user unknown
Mar 5 13:30:13 mybigip.com notice httpd[31489]: pam_unix(httpd:auth): authentication failure; logname= uid=48 euid=48 tty= ruser= rhost=192.168.5.10
Mar 5 13:30:16 mybigip.com err httpd[31489]: [auth_pam:error] [pid 31489] [client 192.168.5.10:53225] AUTHCACHE PAM: user 'f5' (fallback: false) - not authenticated: Authentication failure, referer: https://192.168.5.5/tmui/login.jsp
Mar 5 13:30:16 mybigip.com info httpd(pam_audit)[31489]: User=f5 tty=(unknown) host=192.168.5.10 failed to login after 1 attempts (start="Thu Mar 5 13:30:13 2020" end="Thu Mar 5 13:30:16 2020").
Mar 5 13:30:16 mybigip.com info httpd(pam_audit)[31489]: 01070417:6: AUDIT - user f5 - RAW: httpd(pam_audit): User=f5 tty=(unknown) host=192.168.5.10 failed to login after 1 attempts (start="Thu Mar 5 13:30:13 2020" end="Thu Mar 5 13:30:16 2020").

nslcd in debug mode:

nslcd: DEBUG: accept() failed (ignored): Resource temporarily unavailable
nslcd: [43a858] DEBUG: connection from pid=31489 uid=48 gid=48
nslcd: [43a858] <authc="f5"> DEBUG: nslcd_pam_authc("f5","httpd","***")
nslcd: [43a858] <authc="f5"> DEBUG: myldap_search(base="OU=admins,DC=mydomain,DC=com", filter="(&(sAMAccountName=*)(sAMAccountName=f5))")
nslcd: [43a858] <authc="f5"> DEBUG: ldap_result(): CN=f5,OU=admins,DC=mydomain,DC=com
nslcd: [43a858] <authc="f5"> DEBUG: myldap_search(base="CN=f5,OU=admins,DC=mydomain,DC=com", filter="(objectClass=*)")
nslcd: [43a858] <authc="f5"> DEBUG: ldap_initialize(ldap://mydomain.com:389)
nslcd: [43a858] <authc="f5"> DEBUG: ldap_set_rebind_proc()
nslcd: [43a858] <authc="f5"> DEBUG: ldap_set_option(LDAP_OPT_PROTOCOL_VERSION,3)
nslcd: [43a858] <authc="f5"> DEBUG: ldap_set_option(LDAP_OPT_DEREF,0)
nslcd: [43a858] <authc="f5"> DEBUG: ldap_set_option(LDAP_OPT_TIMELIMIT,30)
nslcd: [43a858] <authc="f5"> DEBUG: ldap_set_option(LDAP_OPT_TIMEOUT,30)
nslcd: [43a858] <authc="f5"> DEBUG: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT,30)
nslcd: [43a858] <authc="f5"> DEBUG: ldap_set_option(LDAP_OPT_REFERRALS,LDAP_OPT_ON)
nslcd: [43a858] <authc="f5"> DEBUG: ldap_set_option(LDAP_OPT_RESTART,LDAP_OPT_ON)
nslcd: [43a858] <authc="f5"> DEBUG: ldap_simple_bind_s("CN=f5,OU=admins,DC=mydomain,DC=com","***") (uri="ldap://mydomain.com:389")
nslcd: [43a858] <authc="f5"> DEBUG: set_socket_timeout(30,500000)
nslcd: [43a858] <authc="f5"> DEBUG: ldap_result(): CN=f5,OU=admins,DC=mydomain,DC=com
nslcd: [43a858] <authc="f5"> DEBUG: set_socket_timeout(15,0)
nslcd: [43a858] <authc="f5"> DEBUG: ldap_unbind()
nslcd: [43a858] <authc="f5"> DEBUG: bind successful
nslcd: [43a858] <authc="f5"> DEBUG: myldap_search(base="OU=admins,DC=mydomain,DC=com", filter="(&(objectClass=shadowAccount)(uid=f5))")
nslcd: [43a858] <authc="f5"> DEBUG: ldap_result(): end of results (0 total)
nslcd: [1d5ae9] DEBUG: connection from pid=31489 uid=48 gid=48
nslcd: DEBUG: accept() failed (ignored): Resource temporarily unavailable
nslcd: [1d5ae9] <get_attributes="f5"> DEBUG: nslcd_pam_get_attributes("f5","httpd","","192.168.5.10","","***")
nslcd: [1d5ae9] <get_attributes="f5"> DEBUG: myldap_search(base="OU=admins,DC=mydomain,DC=com", filter="(&(sAMAccountName=*)(sAMAccountName=f5))")
nslcd: [1d5ae9] <get_attributes="f5"> ldap_search_ext() failed: Can't contact LDAP server: Connection reset by peer
nslcd: [1d5ae9] <get_attributes="f5"> DEBUG: set_socket_timeout(15,0)
nslcd: [1d5ae9] <get_attributes="f5"> DEBUG: ldap_unbind()
nslcd: [1d5ae9] <get_attributes="f5"> DEBUG: "f5": user not found: Can't contact LDAP server

/var/log/httpd/httpd_errors:

Mar 5 13:13:34 mybigip.com err httpd[31490]: [auth_pam:error] [pid 31490] [client 192.168.5.10:52914] AUTHCACHE PAM: user 'f5' (fallback: false) - not authenticated: Authentication failure, referer: https://192.168.5.5/tmui/login.jsp?msgcode=1&

/var/log/daemon.log:

Mar 5 13:13:33 mybigip.com warning nslcd[3968]: [a2a8d4] <authc="f5"> ldap_search_ext() failed: Can't contact LDAP server: Connection reset by peer

Thank you in advance for your help =)
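An added triage script, not part of the thread, that reads /var/log/secure lines of the shape shown above and separates login failures caused by the nslcd connection reset from ordinary bad-password failures; the sample lines are constructed from the post's excerpt (hostname, IP and user are the post's placeholders).

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the /var/log/secure excerpt in the post.
SAMPLE_SECURE_LOG = """\
Mar 5 13:30:13 mybigip.com err httpd[31489]: pam_ldap(httpd:auth): error reading from nslcd: Connection reset by peer
Mar 5 13:30:13 mybigip.com notice httpd[31489]: pam_unix(httpd:auth): authentication failure; logname= uid=48 euid=48 tty= ruser= rhost=192.168.5.10
Mar 5 13:30:16 mybigip.com info httpd(pam_audit)[31489]: User=f5 tty=(unknown) host=192.168.5.10 failed to login after 1 attempts (start="Thu Mar 5 13:30:13 2020" end="Thu Mar 5 13:30:16 2020").
Mar 5 13:30:40 mybigip.com info httpd(pam_audit)[31490]: User=f5 tty=(unknown) host=192.168.5.10 failed to login after 1 attempts (start="Thu Mar 5 13:30:37 2020" end="Thu Mar 5 13:30:40 2020").
"""

# httpd worker pid plus message, for both httpd[pid] and httpd(pam_audit)[pid]
PID_RE = re.compile(r"httpd(?:\(pam_audit\))?\[(\d+)\]: (.*)$")
FAIL_RE = re.compile(r"User=(\S+) tty=\S+ host=(\S+) failed to login")
NSLCD_ERR = "error reading from nslcd"


def classify_failures(log_text):
    """Return (user, host, cause) for each pam_audit login failure.

    cause is 'nslcd-backend' when the same httpd worker logged an nslcd read
    error before the failure (the fault shown in the post) and 'credential'
    otherwise. The flag is consumed once, so a later failure by the same
    worker is judged on its own evidence.
    """
    backend_error_seen = {}
    results = []
    for line in log_text.splitlines():
        m = PID_RE.search(line)
        if not m:
            continue
        pid, msg = m.group(1), m.group(2)
        if NSLCD_ERR in msg:
            backend_error_seen[pid] = True
            continue
        if "AUDIT - user" in msg:      # RAW duplicate of the pam_audit line
            continue
        f = FAIL_RE.search(msg)
        if f:
            cause = "nslcd-backend" if backend_error_seen.pop(pid, False) else "credential"
            results.append((f.group(1), f.group(2), cause))
    return results


def summarize(log_text):
    """Failures per cause: a large 'nslcd-backend' share means LDAP plumbing, not guessing."""
    counts = defaultdict(int)
    for _, _, cause in classify_failures(log_text):
        counts[cause] += 1
    return dict(counts)
```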

1 ACCEPTED SOLUTION

Ford_Prefect
Cirrus

The problem was hidden in empty LDAP user attributes: you need to fill each LDIF schema user attribute with an appropriate value to bring authentication back to work. You should not leave any single attribute empty. https://cdn.f5.com/product/bugtracker/ID950153.html

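As an added check, not from the thread, a small Python script that scans an LDIF export of the user OU and flags every entry carrying an empty attribute value, which is the condition the accepted solution points to; the LDIF below is constructed and the base64 empty value ("attr::") is included because exports often encode values that way.

```python
import base64

# Constructed LDIF export for the OU named in the thread; the second entry carries two empty values.
SAMPLE_LDIF = """\
dn: CN=f5,OU=admins,DC=mydomain,DC=com
sAMAccountName: f5
uidNumber: 10001
gidNumber: 10001
homeDirectory: /home/f5

dn: CN=ops,OU=admins,DC=mydomain,DC=com
sAMAccountName: ops
uidNumber: 10002
gidNumber:
homeDirectory::
"""


def parse_ldif(text):
    """Minimal LDIF reader: a list of entries, each a list of (attr, value).
    Unfolds continuation lines and decodes base64 ('attr:: value') values;
    not a complete RFC 2849 parser (no changetype or control lines)."""
    lines = []
    for line in text.splitlines():
        if line.startswith(" ") and lines:
            lines[-1] += line[1:]          # folded continuation line
        else:
            lines.append(line)
    entries, attrs = [], []
    for line in lines + [""]:              # trailing "" flushes the last entry
        if line == "":
            if attrs:
                entries.append(attrs)
            attrs = []
            continue
        name, sep, value = line.partition("::")
        if sep:                            # base64 value; "" decodes to ""
            value = base64.b64decode(value.strip()).decode("utf-8", "replace")
        else:
            name, _, value = line.partition(":")
        attrs.append((name.strip(), value.strip()))
    return entries


def find_empty_attributes(text):
    """(dn, attribute) pairs with an empty value, the condition the accepted answer blames."""
    found = []
    for attrs in parse_ldif(text):
        dn = dict(attrs).get("dn", "")
        found.extend((dn, name) for name, value in attrs if value == "")
    return found
```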

3 REPLIES

Henric_Petterss
Altocumulus

I don't have a solution, but I can confirm that we have the same problem, and our logs look a lot like yours. I've noticed there are many open bugs related to LDAP login, so hopefully this will be fixed soon.

Beaker
Cirrus

We had the same issue but following this article we are no longer seeing the problem:

https://support.f5.com/csp/article/K72830550

tmsh modify auth ldap system-auth idle-timeout 295
