ldap (50 topics)

APM VPN LDAP POOL can't contact ldap server.
Hi, I have a question regarding APM VPN and LDAP authentication. When I configure the LDAP server using the direct LDAP server IP, the authentication works fine. However, when I use a pool with the same LDAP server IP, it shows the error message: "Can't contact LDAP server." From the packet capture, it seems that no traffic is being sent out at all. Is there any specific configuration I need to adjust for LDAP pool settings? Thank you.

Best practice for network communication with LDAP server
Hi everyone, I need advice regarding the best practice for communication with an LDAP server. Shall I use the management IP address or a self IP address? My main concern here is reliability and potential interface failure. Thanks.

AD/LDAP Auth on rSeries F5-OS
AD/LDAP auth on F5-OS seems unnecessarily complicated compared to how TMOS handles it. Does anyone have this working in their environment? If so, can you explain which attributes are created (F5-F5OS-UID, F5-F5OS-GID, uidNumber, gidNumber, etc.) and whether they are applied directly to the AD user and/or AD group? The config guide mentions that F5-F5OS-GID is the only required attribute (F5-F5OS-UID defaults to 1001). It's not clear to me whether this attribute must be added directly to the user account or whether it can be created in an AD group that the user is a member of. Then there is a Solution Article that says LDAP requires the user to have a uidNumber and gidNumber. The AD group must have a gidNumber that corresponds to the associated group ID of the F5 system role. They provide an example of an AD user and AD group showing uidNumber and gidNumber, but there is no reference to F5-F5OS-GID.

APM combine check for ldap group plus IP ACL
Hi, a client wishes to create an APM policy that will, amongst other things, do the following: the client has a group of users that have to meet two conditions to access the resource. We need to check in combination that the user is both a member of an AD group and that the group also matches an IP ACL. Can this be done using only APM, and if so, how? Or do we need to combine it with an iRule, and if so, is there a simple way to do this? (We have 30 groups that need to be matched to ACLs.) Thanks, Vered

HA Active Directory for F5 authentication
I have two F5 BIG-IPs with the LTM module in HA. I have configured admin authentication on BIG-IP through Remote Active Directory and it works properly. The challenge is that I have several synchronized AD servers and I would like to achieve HA for BIG-IP authentication. I have created a pool with my AD servers with a custom LDAP monitor, and it seems to work because all members are up in the pool. I also created a virtual server that listens on port 389 and uses the AD server pool as its default pool. However, when I set the host value to the virtual server IP in System --> Users --> Authentication, all authentication attempts fail. Is a special configuration required on the virtual server to make it work?

binding issues - ldap monitor
I have set up an LDAP monitor for a pool using TCP 636. No matter what I do, it doesn't work. I set up the following:
- user name: cn=username,ou=xxx,dc=yyy
- the password
- Base: ou=xxx,dc=yyy
- a filter: filtername=username
I have tried setting it with all ports and with port 636, and even the standard LDAP port (389). I also tried without the base, and with no base and no filter. No matter what I try, the debug log keeps showing: Bind failed with username(-1): Can't contact LDAP server. What am I missing? This isn't an Active Directory LDAP, so maybe this is the issue? Any ideas would be very much appreciated. Thanks, Vered

Trying to LDAP query an AD LDS field
I currently have an access policy where I need to LDAP query a custom field on an AD LDS server. I get the following error when I try: LDAP Module: Failed to bind with 'CN=testuser,OU=Service Accounts,OU=Groups,OU=Acounts,DC=domain,DC=com'. Internal (implementation specific) error. I first authenticate users with AD auth to a different set of AD servers. The AD LDS server only has user info and a few custom fields. I want to run an ldapsearch from the F5 but I don't really know the syntax. I do have the following info:
- user account is testuser
- user account password is testpassword
- AD LDS instance = DC=F5userAttribute,DC=domain,DC=com
- AD LDS server IP is 10.18.24.210
- the field I need to pull data from is "customSecretKey"
Just wondering what the syntax of the ldapsearch command will be.

BIG-IQ - Replacing bigip.conf file from old UCS
When I originally set up an initial BIG-IQ on some 7000 hardware chassis, it took me a long time to finally get the LDAP settings correct. We've since removed those chassis and I'm working in a VE for BIG-IQ. I'm following the steps here to extract specific files from a UCS. I'd like to restore the User Management > Auth Providers entirely, but cp /var/tmp/old/config/bigip/auth/* /config/bigip/auth/ doesn't appear to be working. Is there a better way to do this? Restoring from the UCS but editing the management IP address? I'm open to ideas.

When using APM with an LDAP AAA server, are results cached?
I'm making extensive use of this sort of test: [mcget {session.ldap.last.attr.memberOf}] contains "My_Groupname". I was previously using Active Directory authentication and queries rather than LDAP, but changing to LDAP has cut the login wait from up to 15 seconds down to several seconds. I'm almost certain that APM is caching the membership results, however, because I make changes on the domain controller and the changes are not reflected on the BIG-IP; it seems to be using stale results. Any suggestions on the expected behavior, and how to change it? I know I can mix and match AD and LDAP authentication and queries if necessary, and AD was also caching but didn't seem to cache as long when I set it to 0 days, and I could manually clear that cache for testing purposes.