Forum Discussion

partha_01_13425
Sep 24, 2013

Need help to configure BIGIP LTM to use MS Active Directory for authenticating BIGIP system user accounts for MGMT Interface

Hi, I am doing one BIGIP LTM Virtual Edition 10.1 (90-day trial) setup in our lab to test the appliance. In this process I was trying to configure the appliance to use a Microsoft 2008 Active Directory server for authenticating system user accounts, that is, traffic that passes through the management interface (MGMT). Kindly note that this box doesn't have APM installed. I use the following procedure to configure the AD authentication:

1. System -> Users -> Authentication
2. Select 'Remote - Active Directory'.
3. Give the IP address of the AD server in the Host field.
4. Use the default port 389, as we have not changed the default port.
5. Give the Remote Directory Tree details --> dc=domain_name,dc=com
6. Scope --> Sub
7. In the bind settings specify the DN --> accountname and the relevant password and confirm the same.
8. No user template.
9. SSL disabled, as we did not use any SSL for the AD server.

Now this setup is not working. The appliance does not pull AD account information. I am not sure if I have missed something in this configuration. I desperately need help to fix this setup as I need to complete the setup at the earliest possible. Kindly let me know if you need any more information from my side.

Thanks

Partha

12 Replies

  • Here is what our 10.2 ldap auth definition looks like in the bigip.conf file to our 2008 AD Directory server.

    auth ldap system-auth {
       search base dn "dc=prod,dc=ad,dc=bigcompany"
       bind dn "cn=ldapverify,cn=users,dc=prod,dc=ad,dc=bigcompany"
       bind pw "ldapverifypassword"
       login attr "uid"
       user template "%s@prod.ad.bigcompany"
       servers "10.10.10.10"
    }
    

    This section in our bigip.conf defines the role for remote users.

    remote users {
       default partition all
       default role guest
    }
    

    We use the following in our 10.2 LTM setup to define additional remote roles in addition to the default access granted to AD accounts. This is also in the bigip.conf file.

    remoterole {
       role info {
          slb_admins {
             attribute "memberOf=CN=slb_admins,CN=Groups,DC=prod,DC=ad,DC=bigcompany"
             console "disable"
             line order 1000
             role "administrator"
             user partition "all"
          }
          slb_appeditors {
             attribute "memberOf=CN=slb_appeditors,CN=Groups,DC=prod,DC=ad,DC=bigcompany"
             console "disable"
             line order 1020
             role "app editor"
             user partition "all"
          }
          slb_operators {
             attribute "memberOf=CN=slb_operators,CN=Groups,DC=prod,DC=ad,DC=bigcompany"
             console "disable"
             line order 1010
             role "operator"
             user partition "all"
          }
       }
    }
    
  • Hi Partha,

    Jason's example should do the trick for you. I'd suggest not using the 10.1 VE trial edition as it is very old, included LTM only and had feature restrictions.

    If you want to evaluate VE, you could contact an F5 SE and request an eval license (www.f5.com/howtobuy). It will work for all current VE versions and support all the modules.

    Aaron

  • Thanks Jason & Aaron for your prompt response. Let me try to get the latest version and try with that.

  • Hi, I have deployed the 11.3 virtual edition and enabled the APM module. I have tried all the ways to configure the authentication, but failed, which is quite frustrating. I am sharing what I have done:

    System >> Authentication
    Authentication Source

    User Directory: Remote - Active Directory
    Host: 172.16.X.X
    Port: 389
    Remote Directory Tree: OU=ltm,DC=poc,DC=ltmtest,DC=com
    Scope: Sub
    Bind DN: CN=ltmuser,OU=ltm,DC=poc,DC=ltmtest,DC=com
    Check Member Attribute in Group: Enabled
    SSL: Disabled

    External Users:
    Role: Administrator
    Terminal Access: tmsh

    All the user accounts that need to log on are in the ltm OU. I have tried Jason's config, but that is also not working for me. If anybody has a good step-by-step guide or video of this implementation, kindly share it with me.

    Thanks

    • Jason_40733
      The configs I posted were specifically for 10.2. 11.3 has many many config file changes.
  • Thank you all guys for your support, my issue has been resolved. The DNS setting was wrong; after correcting it, AD integration started working.

    • Thong_196816
      What was wrong with the DNS settings? I encountered the same issue too. Can I know if the settings below are correct?

      System >> Authentication
      Authentication Source
      User Directory: Remote - Active Directory
      Host: 172.16.X.X
      Port: 389
      Remote Directory Tree: OU=ltm,DC=poc,DC=ltmtest,DC=com
      Scope: Sub
      Bind DN: CN=ltmuser,OU=ltm,DC=poc,DC=ltmtest,DC=com
      Check Member Attribute in Group: Enabled
      SSL: Disabled
      External Users:
      Role: Administrator
      Terminal Access: tmsh

      I found this in the log: "f5.admin 0-0 httpd(pam_audit): User=f5.admin tty=(unknown) host=20.x.x.x failed to login after 1 attempts"
  • I've been able to get this working without SSL as described above. Has anyone got it working with SSL? I haven't found anything on DC yet that helps.

  • Hi,

    I want to use AD authentication to log on to GTM. Below is my configuration, which is working fine at OU level and user level. Now I want to use the same GTM with an AD security group so that members of that group can log on to the GTM console based on the mentioned role (administrator/guest). Please help me configure the same; I have tried memberOF=CN=IT_GTM_Admin,OU=all_SG,DC=domainname,DC=co,DC=in in the remote directory tree but it's not working.

    User Directory: Remote - Active Directory
    Host: 10.43.x.x
    Port: 389
    Remote Directory Tree: CN=Users,DC=domainname,DC=co,DC=in
    Scope: Sub
    Bind DN: CN=gtmuser,CN=Users,DC=persistent,DC=co,DC=in
    Check Member Attribute in Group: Enabled
    SSL: Disabled

    External Users:
    Role: Administrator
    Terminal Access: tmsh

    • AlanTLR_151265
      Anil, does your bind DN (CN=gtmuser,CN=Users,DC=persistent,DC=co,DC=in) have access to the RDT (CN=Users,DC=domainname,DC=co,DC=in)? Typically, these would be within the same domain. Here you have specified [effectively] persistent.co.in and domainname.co.in. --Alan
    • Anil_Anchuri_16
      Sorry, that was a typo; the domain name is persistent.co.in. Let me explain clearly: I have a user, gtmuser, which is in the Indiausers OU, and a GTM_admins group, and gtmuser is added to the gtm_admins group. If I specify Remote Directory Tree: CN=gtmuser,OU=Indiausers,DC=persistent,DC=co,DC=in, authentication is working fine, and if I mention Remote Directory Tree: OU=Indiausers,DC=persistent,DC=co,DC=in then all users who are in the Indiausers OU are able to log on to the GTM management console (either guest/administrator). The problem is, if I specify Remote Directory Tree: CN=GTM_admins,OU=SecurityGroups,DC=domainname,DC=co,DC=in (the DN for the group), then authentication is not working; it gives me a logon failed error. I cannot move those who are admins of GTM to any other OU; I have to use a security group. Need help on this ASAP.
  • I have the same issue. Has anyone been able to get this work and if so, what are the settings used?
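Jason's 10.2 remoterole block and Anil's group-DN question above come down to two things: whether the user entry lies under the configured Remote Directory Tree at all, and which remoterole line a user's memberOf values match. The Python simulator below is an added example, not F5 code or anything posted in this thread; it assumes the matching line with the lowest line order wins, that DN comparison is case-insensitive, and it does not handle escaped commas in DN values. The DNs and role table are constructed from the values posted above.

```python
from dataclasses import dataclass

def norm_dn(dn: str) -> str:
    """Normalise a DN for comparison: trim around separators, lowercase
    (LDAP DN matching is case-insensitive; escaped commas are not handled)."""
    return ",".join(part.strip().lower() for part in dn.split(","))

def in_search_base(user_dn: str, base_dn: str, scope: str = "sub") -> bool:
    """True if an LDAP search with this base (Remote Directory Tree) and scope
    can return the user entry at all. A group DN as base never contains users."""
    user, base = norm_dn(user_dn), norm_dn(base_dn)
    if scope == "base":
        return user == base
    if not user.endswith("," + base):
        return False
    rdns_between = user[: -len(base) - 1].count(",") + 1
    return rdns_between == 1 if scope == "one" else True

@dataclass
class RemoteRole:
    name: str
    attribute: str   # "memberOf=<group DN>", as in the remoterole block posted above
    line_order: int  # assumption: lower line order is evaluated first
    role: str

def resolve_role(member_of: list[str], roles: list[RemoteRole], default: str = "guest") -> str:
    """Role a remote user receives: the matching remoterole line with the lowest
    line order wins; with no match the 'remote users' default role applies."""
    groups = {norm_dn(g) for g in member_of}
    for r in sorted(roles, key=lambda r: r.line_order):
        attr, _, value = r.attribute.partition("=")
        if attr.strip().lower() == "memberof" and norm_dn(value) in groups:
            return r.role
    return default

# Constructed sample data: the three groups from the 10.2 remoterole block above.
BASE = "DC=prod,DC=ad,DC=bigcompany"
ROLES = [
    RemoteRole("slb_admins", f"memberOf=CN=slb_admins,CN=Groups,{BASE}", 1000, "administrator"),
    RemoteRole("slb_appeditors", f"memberOf=CN=slb_appeditors,CN=Groups,{BASE}", 1020, "app editor"),
    RemoteRole("slb_operators", f"memberOf=CN=slb_operators,CN=Groups,{BASE}", 1010, "operator"),
]

if __name__ == "__main__":
    both = [f"CN=slb_operators,CN=Groups,{BASE}", f"CN=slb_appeditors,CN=Groups,{BASE}"]
    print(resolve_role(both, ROLES))  # operator: line order 1010 beats 1020
    print(in_search_base("CN=gtmuser,OU=Indiausers,DC=persistent,DC=co,DC=in",
                         "CN=GTM_admins,OU=SecurityGroups,DC=persistent,DC=co,DC=in"))  # False
```

A user outside every listed group falls back to the "remote users" default role, which is why that default should stay at guest rather than administrator.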