Max length of LDAP attribute in queries to Active Directory?
Hi all, I'm working with multiple Active Directory domains (same forest) containing users, but the APM I'm configuring does not have access to any global catalog servers. An APM policy is configured to authorize users from any of the domains by checking for their membership in a universal group, which exists in one domain. The APM is permitted to reach domain controllers in that one domain. To perform authorization, we bind to the group in an LDAP Query action and check the member attribute in a branch rule with the following expression: expr { [string tolower "[mcget {session.ldap.last.attr.member}]"] contains [string tolower "[mcget {session.logon.last.username}]"] } My question is, is there a limit to the size of the response along the way, in case the membership of the group grows quite large? I'm unaware of any specific limits on LDAP responses, but want to check on the AD and F5 sides. Might the domain controller truncate its response at a certain size, might the F5 truncate the response received above a certain point, or might I run into issues if the size of the member attribute is too large to grep/"contains" for my username? Short of gaining access to a global catalog (which is not an option in the short term) and binding to users to check memberOf, or checking all three domain controllers in a cascading/waterfall configuration, are there any other alternatives you have seen to accomplish this? Thanks, ChrisAPM AD auth and multi-domain forest
Hi All, Let me preface this by saying that I am a Linux guy who pokes at Active Directory once in a blue moon. I've been trying to work through this problem but so far have not had any great results. I have a client whose AD environment has multiple domains that belong to the same forest. Each domain has its own set of AD servers, and the client wants users from any domain to be able to authenticate to APM protected services. Unfortunately, if I use tools such as ldapsearch to query for users from a particular domain against a server for "my" domain (the one the F5 has credentials in), I get a referral. The F5 seems unable to chase the referral. A potential complication is that this system is also running route domains and the customer's environment is not in RD 0. For single domain clients this works just fine, so I do not know if this is a factor. What is the best way to teach the F5 about multiple AD domains/realms? This is a sample error: AD module: Domain Controller is not specified for domain 'FOO.BAR.COM', KDCs will be discovered using DNS AD agent: Auth (logon attempt:0): authenticate with 'svc_f5' failed Session variable 'session.ad.last.errmsg' set to 'Realm not local to KDC, principal name: svc_f5@FOO.BAR.COM@BAR.COM. Realm not found. Please verify Domain Name configured.' Some detail about the setup: Split domain from username is enabled in the Logon Page object. Cross domain authentication is enabled in the AD Auth object. Example domains: bar.com foo.bar.com My F5's admin account is "svc_f5.foo.bar.com". This account seems to have rights to query any of the domain controllers that I have tried to use. Server A knows about "bar.com". Server B knows about "foo.bar.com". Either server seems unwilling to answer queries for the other domain. Since I can only select one domain in an AD AAA resource, my thinking now is to do a match in the VPE based on the domain provided by the client and then present the appropriate AD Auth config, but this adds much complexity. Any advice is greatly appreciated!! Thanks, Josh
Need help configuring Active Directory for User Authentication WITH SSL
On our F5 BIG-IP LTM (running 10.2.1) We are able to get Active Directory user authentication without SSL to work, but are having trouble getting it to work correctly with SSL. I have a suspicion that this has to do with the keys. I've entered them and even imported them as trusted device certificates, but I am still unable to get them working correctly. Is there a specific format that they should be in? I've tried PKCS12, PKCS7, and DER. auth ldap system-auth { bind-dn "cn=\"LDAP Account\",ou=\"Service ACC\",dc=my,dc=lovely,dc=com" bind-pw ******** login-attribute samaccountname port ldaps search-base-dn dc=my,dc=lovely,dc=com servers { MYDC03.my.lovely.com } ssl enabled ssl-ca-cert-file /etc/keys/ca.cer ssl-client-cert /etc/keys/ldaps.crt ssl-client-key /etc/keys/ldaps.key user-template %s@my.lovely.com } *Names, passwords, and domains have been changed for security.
Clientless mode failing to interact with AD
Scenario: I have a webserice that is being called by some clients. When they hit a webservice, they should enter in a username / password combo for basic authentication. Those credentials should be taken by the APM, and processed in active directory. Here is an image of the flow: Per this conversation, I am creating this IRule to promt for username/password credentials and allow the APM to perform work. when HTTP_REQUEST { set apmsessionid [HTTP::cookie value MRHSession] if { [HTTP::cookie exists "MRHSession"] } {set apmstatus [ACCESS::session exists -state_allow $apmsessionid]} else {set apmstatus 0} if {!($apmstatus)} { Insert Clientless-mode header to start APM in clientless mode if { [catch {HTTP::header insert "clientless-mode" 1} ] } {log local0. "[IP::client_addr]:[TCP::client_port] : TCL error on HTTP header insert clientless-mode : URL : [HTTP::host][HTTP::path] - Headers : [HTTP::request]"} } } when ACCESS_POLICY_COMPLETED { Authentication request for non bowser user-agent session denied if { ([ACCESS::policy result] equals "deny") } { ACCESS::respond 401 noserver WWW-Authenticate "Basic realm=\"My Web Services Authentication\"" Connection close ACCESS::session remove return } } However, following that post and using that code, always leads me to the Deny portion. If I use the original solution here, I am able to authenticate successfully. Am I missing something to add?
Help with creating script
Currently we are using the google authenticator with our F5 implementation. We provide our users with a shared secret key and store the same key in our Active Directory for later reference. So basically we add a sample key like this to one of our AD fields: GVUEYVDJMNSFIMD2 So basically i have a ton of users with this setup in their AD fields. One of the issues i have with our setup is the fact the key we store in Active Directory is too visible to others in my organization. So a friend point this link to me and I think it will fix my concerns: https://devcentral.f5.com/questions/apm-active-directory-authention-with-google-auth So we add the following code to the google authenticator generator page: append ga_secret_http_resp "key (secret): $secret_b32\n \n " set key "3658F2C8C5C2017839B2B1761F713F8B" set iv "DC4F6A9A1C6D12C15FEC43179660C78B" set enc_ga_secret [b64encode [CRYPTO::encrypt -alg aes-128-cbc -keyhex $key -ivhex $iv $secret_b32]] append ga_secret_http_resp "encrypted secret: $enc_ga_secret\n" append ga_secret_http_resp "\n" Users are provide the key GVUEYVDJMNSFIMD2 and we now add this encrypted key 3qqb/Yr1gSblF99F8/XkgJVFG5vs9KG5OwflwLHkU9I= to AD. The F5 can then decrypt the key and it works great. However, I now need to create a script that will take the remain shared key we have in everybody account and encrypt it. I was hoping someone knew a little power shell or some other scripting language that could help me out of this jam!
BIG-IQ 6.0.1 and AD User Groups
This is a PoC for BIG-IQ, so I'm playing around with the system. I've set up AD as the Auth Provider, assigned a User Group for my team, and assigned Administrator Role. However when trying to authenticate, an error message says "User has no roles or group associations." I can't authenticate with my AD credentials until I also add my AD username under the Users list. This is different from my LTMs, which permits authentication based on a user's security group membership. Do I have to add specific users for every account that needs access to the BIG-IQ?Complete MFA solution with GA stored in Active Directory
Problem this snippet solves: All modern business applications require Multi-Factor Authentication (MFA) to be used for remote access by employees. There are many vendors on market selling enterprise MFA solutions that may be utilised with F5 BIG-IP Access Policy Manager (APM). Those solutions are complex and allow customers to create flexible policies which allow them to decide when and whom will be authorised to access protected applications. But what about those customers which have no needs for using complex enterprise solutions or does not have adequate budget for such spendings? How to use this snippet: For those customers I would like to present my One-Time Password (OTP) application which requires BIG-IP LTM/APM/iRulesLX. Shared secret value is stored in Active Directory and QR code is generated in user's browser. All you need after implementing this application on your BIG-IP is. to ask your users to get any OTP-compatible mobile application, like Google Authenticator or Microsoft Authenticator Please see https://github.com/akhmarov/f5_otp/ for instructions UPDATE 1: New version now support APM 15.1+ Modern Customization UPDATE 2: Added trusted device support UPDATE 3: Added multi-tenancy support Tested this on version: 15.1Help troubleshooting AD Auth on F5 LB
Hi All. We're trying to configure AD auth and running into major issues. The strange thing is that telnet succeeds, I've reset and confirmed the bind user's password, and have reset and confirmed the test AD user password. Any help will be much appreciated! successful connection on 389 and 3269 - [admin@lb1:Standby:Changes Pending] log # telnet <AD IP> 3269 Trying <AD IP>... Connected to <AD IP>. Escape character is '^]'. [admin@lb1:Standby:Changes Pending] log # telnet <AD IP> 389 Trying <AD IP>... Connected to <AD IP>. Escape character is '^]'. In /var/log/secure, I see - Apr 21 19:43:37 lb1 warning httpd[8867]: [warn] [client <IP>] AUTHCACHE Error processing cookie DE71A3EB7E09C285EE804A880D473DA378684CCB - Cookie user mismatch, referer: https://<F5 IP>/tmui/login.jsp?msgcode=1& Apr 21 19:43:37 lb1 warning httpd[8867]: [warn] [client <IP>] AUTHCACHE Error processing cookie F69E5702BC54A5517DD6CF34EFB66C09E2939501 - Cookie user mismatch, referer: https://<F5 IP>/tmui/login.jsp?msgcode=1& Apr 21 19:43:37 lb1 warning httpd[8867]: [warn] [client <IP>] AUTHCACHE Error processing cookie ED2B8DAF7E221E2572F7094214AAB91947FE048D - Cookie user mismatch, referer: https://<F5 IP>/tmui/login.jsp?msgcode=1& Apr 21 19:43:37 lb1 err httpd[8867]: pam_ldap: ldap_simple_bind Can't contact LDAP server Apr 21 19:43:37 lb1 err httpd[8867]: pam_ldap: reconnecting to LDAP server... Apr 21 19:43:37 lb1 err httpd[8867]: pam_ldap: ldap_simple_bind Can't contact LDAP server Apr 21 19:43:37 lb1 warning httpd[8867]: pam_unix(httpd:auth): check pass; user unknown Apr 21 19:43:37 lb1 notice httpd[8867]: pam_unix(httpd:auth): authentication failure; logname= uid=48 euid=48 tty= ruser= rhost=<IP> Apr 21 19:43:38 lb1 err httpd[8867]: [error] [client <IP>] AUTHCACHE PAM: user 'devf5test' (fallback: false) - not authenticated: Authentication failure, referer: https://<F5 IP>/tmui/login.jsp?msgcode=1& Apr 21 19:43:38 lb1 info httpd(pam_audit)[8867]: User=devf5test tty=(unknown) host=<IP> failed to login after 1 attempts (start="Wed Apr 21 19:43:37 2021" end="Wed Apr 21 19:43:38 2021"). Apr 21 19:43:38 lb1 info httpd(pam_audit)[8867]: 01070417:6: AUDIT - user devf5test - RAW: httpd(pam_audit): User=devf5test tty=(unknown) host=<IP> failed to login after 1 attempts (start="Wed Apr 21 19:43:37 2021" end="Wed Apr 21 19:43:38 2021").message re password expiration
I am trying to test this feature. In an AD query I had the setting "Prompt user to change password before expiration" configured to 4 days. In the actual AD I set the policy to have the password changed when it is 2 days old. Unfortunately we receive no message prompt. The user used to connect to the AD is a Domain Admin so should have all privileges. Also tried clearing the "Password Security Object Cache Lifetime". Nothing helped. Any ideas as to what I am missing? Thanks, Vered
