
VPE AD logon - why can't username = email address

AlexS_yb
Cirrostratus

Why is it so hard to set up MS AD auth for username => email address?

I have to set and then reset the username session variable to utilise the MS AD Auth module - seems silly.

2 REPLIES

I see that others have the same complaint, so you are right 🙂

You can see this if it helps:

https://devcentral.f5.com/s/question/0D51T00006i7etx/apm-ldap-auth-using-email-address

Also, with the Variable Assign agent you can let the users type just the name and then add "@domain.com":

https://devcentral.f5.com/s/question/0D51T00006i7cnk/how-to-add-domain-name-string-in-the-apm-variable-assign

Done some more work on this.

So the key bits seem to be:

session.logon.last.username
session.logon.last.logonname
session.logon.last.domain

For example, presume my email is alex@example.com.

Now, on the logon page, if you use split domain:

If you have split set to true then you get:

session.logon.last.username alex
session.logon.last.logonname alex@example.com
session.logon.last.domain example.com

If you have it set to no you get:

session.logon.last.username alex@example.com
session.logon.last.logonname alex@example.com
session.logon.last.domain

Notice domain is not set.

Why do F5 do this, why is the option there.... I think - I presume - it's for the MS AD Auth widget in VPE; they do a search on sAMAccountName, which is usually just the short name ... sigh ..

Now the session name seen in the GUI is based on

session.logon.last.username

So I use split equals yes .. and then the next step I do is variable assign:

session.logon.last.username = session.logon.last.logonname

And I have stopped using the MS AD auth and just use LDAP Auth against the AD servers. Makes life a lot simpler.