Trying to LDAP query an AD LDS field
I currently have an access policy where I need to LDAP query a custom field on an AD LDS server. I get the following error when I try:

    LDAP Module: Failed to bind with 'CN=testuser,OU=Service Accounts,OU=Groups,OU=Acounts,DC=domain,DC=com'. Internal (implementation specific) error.

I first authenticate users with AD auth to a different set of AD servers. The AD LDS server only has user info and a few custom fields. I want to run an ldapsearch from the F5 but I don't really know the syntax. I do have the following info:

- user account is testuser
- user account password is testpassword
- AD LDS Instance = DC=F5userAttribute,DC=domain,DC=com
- AD LDS server IP is 10.18.24.210
- the field I need to pull data from is "customSecretKey"

Just wondering what the syntax of the ldapsearch command will be.

BIG-IQ - Replacing bigip.conf file from old UCS
When I originally set up an initial BIG-IQ on some 7000 hardware chassis, it took me a long time to finally get the LDAP settings correct. We've since removed those chassis and I'm working in a VE for BIG-IQ. I'm following the steps here to extract specific files from a UCS. I'd like to restore the User Management > Auth Providers entirely, but cp /var/tmp/old/config/bigip/auth/* /config/bigip/auth/ doesn't appear to be working. Is there a better way to do this? Restoring from UCS but editing the management IP address? I'm open to ideas.

Trouble with Smart Card Login to the F5 Web Management UI
I've read https://devcentral.f5.com/questions/smart-card-login-to-f5-web-management and https://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/bigip-user-account-administration-12-0-0/6.html but I'm having trouble getting smart cards to work to log in to the web management console of the F5 itself. We are an Active Directory shop (2012), and if we need to tweak our Smart Card certs for this, we can. I can get the management site to verify the client cert, but no authentication happens--you just land at the login page (where you can enter name/password, and it successfully authenticates, but that defeats the purpose). I've uploaded our internal root CA certificate to the Apache Certificates store, and configured httpd as follows (note: the GUI for the cert-LDAP piece ALWAYS turns on OCSP checking, regardless of the setting--this is really annoying):

    sys httpd {
        auth-pam-idle-timeout 1800
        log-level debug
        ssl-ca-cert-file /Common/InternaCA-cert
        ssl-ciphersuite DEFAULT:!3DES:!LOW:!MD5:!EXPORT
        ssl-verify-client require
        ssl-verify-depth 20
    }

And then I have tried several variations on the following (the subject of our Smart Card certs is the DistinguishedName, and we have the userPrincipalName in the subject alternate name--these accounts don't have email addresses). The accounts/domains are sanitized in the code below:

    auth cert-ldap system-auth {
        bind-dn "CN=LDAP Runner,OU=Other,OU=Users-Internal,DC=contoso,DC=com"
        bind-pw BINDPASSWORD
        check-roles-group enabled
        debug enabled
        login-attribute sAMAccountName
        login-name userPrincipalName
        search-base-dn OU=Users-Internal,DC=Contoso,DC=com
        servers { dc8.contoso.com }
        ssl-cname-field san-other
        ssl-cname-otheroid 1.3.6.1.4.1.311.20.2.3
        sso on
    }

I've tried combinations of the CN and OID for the UPN. Watching the tcpdump traffic, I can see that there's no LDAP traffic at all (unless you enter the user name and password in the forms).
The httpd logs aren't showing anything that seems useful, though lots and lots of:

    Sep 23 18:04:30 F502EU err httpd[21790]: [error] [client 127.0.0.1] AUTHCACHE PAM: user 'admin' - not authenticated: Authentication failure

which corresponds to lots and lots of:

    Sep 23 19:10:19 F502EU err httpd[22289]: [error] [client 127.0.0.1] AUTHCACHE PAM: user 'admin' - not authenticated: Authentication failure
    Sep 23 19:10:19 F502EU info httpd(pam_audit)[22289]: User=admin tty=(unknown) host=127.0.0.1 failed to login after 1 attempts (start="Fri Sep 23 19:10:17 2016" end="Fri Sep 23 19:10:19 2016").

What am I missing?

BIG-IQ 6.0.1 and AD User Groups
This is a PoC for BIG-IQ, so I'm playing around with the system. I've set up AD as the Auth Provider, assigned a User Group for my team, and assigned Administrator Role. However when trying to authenticate, an error message says "User has no roles or group associations." I can't authenticate with my AD credentials until I also add my AD username under the Users list. This is different from my LTMs, which permit authentication based on a user's security group membership. Do I have to add specific users for every account that needs access to the BIG-IQ?

APM dynamically retrieve last logon computername using LDAP RDP portal access
Dear All, I am looking for a way to migrate a complex Pulsesecure remote access solution; every internal employee has their own RDP connection to access their workstation from home. This way of working they would like to retain. There are lots of local users configured with RDP resources and I am trying to find a more dynamic and manageable approach, so why not search the Active Directory for where the user was logged on and use that information (computer name) to automatically set up an RDP connection to their workstation. Does anybody know how to retrieve this information via an LDAP query? And also dynamically set up an RDP connection to the computer name? Your ideas are more than welcome.

AAA: LDAP Group caching issue
We have two AAA profiles using LDAP that are configured exactly alike - with the exception that one of them points towards an LDS (Lightweight Directory Services) server and the other points towards an AD (Active Directory) server. The issue is that the AAA profile that goes to AD is able to successfully cache groups. However, the AAA server that points towards LDS is unable to cache groups. It is however able to successfully authenticate users, so we know it works. The larger issue here is that when LDS is populated with thousands of users, we get an error that the size returned is too large and we are then unable to authenticate to LDS. Our workaround is that we can hopefully cache everything on the F5 but so far haven't had any success.

Which IP does my F5 use to authenticate against Active Directory?
Hi, I'm currently trying to set up authentication on my F5 to use "Remote - Active Directory". When I log in to the F5 with my Active Directory account, which IP address is it going to use to talk to the domain controllers? Its management IP or a Self-IP? Thanks