APM combine check for ldap group plus IP ACL
Hi, A client wishes to create an APM policy that will, amongst other things, do the following - The client has a group of users that have to meet two conditions to access the resource. We need to check in combination that the user is both a member of an AD group and that the group also matches an IP ACL. Can this be done using only APM, and if so, how? Or do we need to combine an IRULE and if so, is there a simple way to do this? (we have 30 groups that need to be matched to ACLs). Thanks, Vered
AD/LDAP Auth on rSeries F5-OS
AD/LDAP auth on F5-OS seems unnecessarily complicated compared to how TMOS handles it. Does anyone have this working in their environment? If so, can you explain which attributes are created (F5-F5OS-UID, F5-F5OS-GID, uidNumber, gidNumber, etc.) and if they are applied directly to the AD user and/or AD group? The config guide mentions that F5-F5OS-GID is the only required attribute (F5-F5OS-UID defaults to 1001). It's not clear to me if this attribute must be added directly to the user account or if it can be created in an AD group that the user is a member of. Then there is aSolution Article that says LDAP requires the user have a uidNumber and gidNumber. The AD group must have a gidNumber that corresponds to the associated group ID of the F5 system role. They provide an example of a AD user and AD group showing uidNumber and gidNumber, but there is no reference to F5-F5OS-GID.
HA Active Directory for F5 authentication
I have two f5 Big-IP wit LTM module in HA. I have configured Admin authentication in BIG-IP through Remote Active Directory and It works properly. The challenge is I have several synchronized AD servers and I would like to achieve HA in Big-IP authentication. I have created a pool with my AD servers with a custom LDAP monitor and It seems that works because all members look up in the pool. I also created a virtual server that listen in port 389 and use the AD server pool as default pool. However, when I set the host value to virtual server IP in system-->users-->authentication, all authentication attempts fail. Is required an special configuration in virtual server to make it work?binding issues - ldap monitor
I have set up an ldap monitor for a pool using TCP 636. No matter what I do, it doesn't work. I set up the user name: cn=username,ou=xxx,dc=yyy set the password set the Base: ou=xxx,dc=yyy set a filter: filtername=username I have tried setting it with all ports and with port 636 and even the standard ldap port (389). Also tried without the base, and also with no base and no filter. No matter what I try, the debug log keeps showing : Bind failed with username(-1): Can't contact LDAP server What am I missing? This isn't an active directory ldap - so maybe this is the issue? Any ideas would be very much appreciated. Thanks, VeredTrying to LDAP query an AD LDS field
I currently have an access policy where i need to LDAP query a custom field on a AD LDS server. I get the following error when I try: LDAP Module: Failed to bind with 'CN=testuser,OU=Service Accounts,OU=Groups,OU=Acounts,DC=domain,DC=com'. Internal (implementation specific) error. I first authenticate users with AD auth to a different set of AD servers. The AD LDS server only has user info and a few custom fields. I want to run an ldapsearch from the F5 but i don't really know the syntax. I do have the following info: - user account is testuser - user account password is testpassword - AD LDS Instance = DC=F5userAttribute,DC=domain,DC=com - AD LDS server IP is 10.18.24.210 - the field i need to pull data from is "customSecretKey" Just wondering what the syntax will be ldapsearch command.BIG-IQ - Replacing bigip.conf file from old UCS
When I originally set up an initial BIG-IQ on some 7000 hardware chassis, it took me a long time to finally get the LDAP settings correct. We've since removed those chassis and I'm working in a VE for BIG-IQ. I'm following the steps here to extract specific files from a UCS. I'd like to restore the User Management > Auth Providers entirely, but cp /var/tmp/old/config/bigip/auth/* /config/bigip/auth/ doesn't appear to be working. Is there a better way to do this? Restoring from UCS but editing the management IP address? I'm open to ideas.When using APM with an LDAP AAA server, are results cached?
I'm making extensive use of this sort of test: [mcget {session.ldap.last.attr.memberOf}] contains "My_Groupname" I was previously using Active Directory authentication and queries rather than LDAP, but changing to LDAP has cut down the login wait from up to 15 seconds down to several seconds. I'm almost certain that the APM is caching the membership results, however, because I make changes on the domain controller and the changes are not reflected on the BigIP - it seems to be using stale results. Any suggestions on the expected behavior, and how to change it? I know I can mix and and match AD and LDAP authentication and queries if necessary, and AD was also caching but didn't seem to be as long when I set it to 0 days, and I could manually clear that cache for testing purposes.
LDAP monitor behaviour
Hi Just wanted to check that my understanding of how an LDAP monitor behaves. Forgive the long background 😉 We had an incident where users couldn't authenticate because an AD Query in our access policy was failing. AD agent: Query: query with '(|(sAMAccountName=bloggsjoe))' failed Our current monitor still had the domain controller as up, so all users attempting to authenticate from that point failed. We forced the domain controller offline so it would send to the next in the pool (priority group), and users were able to authenticate. I am looking to configure an LDAP monitor to attach to the pool of controllers used to authenticate users. It is configured to do an ldap search looking for a particular account. I have mandatory attributes set to true, so if the search fails it should mark the member down. ltm monitor ldap /Common/ldap_dc_monitor { base "OU=Service Accounts,DC=prod,DC=local" chase-referrals yes debug no defaults-from /Common/ldap description "LDAP monitor for domain controllers used for auth" destination *:389 filter sAMAccountName=f5_apm interval 10 mandatory-attributes yes password *********** security tls time-until-up 0 timeout 31 username f5_apm@prod.local } I'm hoping this monitor will mimic the AD query, so if we have an occurrence where the primary domain controller has an issue with the search, it will be marked down and the next in the priority group will take over. If I change the filter to something I know will fail I can see the pool members get marked down. However what I wasn't expecting was it takes the full timeout before it gets marked down. I turned on debug and tailed the monitors log file for the primary controller. I could see the response from the controller come back straight away, but it still waits the full timeout before bringing the member down no attributes were received for filter 'SAMAccountName=blah' Is that expected behaviour? I was expecting the member to be marked down as soon as the above response was received Cheers, Simon
LDAP monitor with error : fork() failed: Cannot allocate memory
Hi Experts , We have LDAP VIP/pool which has custom LDAP health check monitor associated with it . But the health check monitor has marked the pool member as down with the error :fork() failed: Cannot allocate memory. If we change the monitor with default tcp , the pool will be up .and also we have F5 in cluster .So this issue is there only on the Active F5 , On standby f5 the pool is up with same LDAP custom montor . Dec 6 17:33:11 f5-lan-primary notice mcpd[6358]: 01070638:5: Pool /Common/pool_ldap_prd member /Common/192.168.1.11:636 monitor status down. [ /Common/m_ldap_prd: down; last error: /Common/m_ldaps_prd: fork() failed: Cannot allocate memory @2022/12/06 13:49:09. ] [ was up for 0hr:1min:1sec ] Dec 6 17:33:11 f5-lan-primary notice mcpd[6358]: 01070638:5: Pool /Common/pool_ldap_prd member /Common/192.168.1.12:636 monitor status down. [ /Common/m_ldap_prd: down; last error: /Common/m_ldaps_prd: fork() failed: Cannot allocate memory @2022/12/06 15:57:29. ] [ was up for 0hr:1min:1sec ] Can you please check and advice , if you are familiar with this error message ? Please note there is no issue with the memory on the F5 .Looks normal .
