TMOS 11.5.4 Admin Remote Authentication with LDAP issue
Hi, I am configuring Remote AD authentication for BigIP administrators. I already done it for some other customers without issues. The system authentication configuration is: auth ldap system-auth { check-roles-group enabled login-attribute samaccountname search-base-dn DC=xxxxx,DC=local servers { 1.2.3.4 } user-template %s@xxxx.local } I tried by changing authentication to LDAP but the result is the same. When trying to authenticate, I can see the request and response with tcpdump : With ldapsearch I got the expected answer. But the administrator is never authenticated and the following message appears in log files: [root@bigip:Active:Standalone] config grep 24310 /var/log/audit May 9 14:00:55 bigip info sshd[24310]: 01070417:6: AUDIT - user root - RAW: pam_ldap initiating connection to non-SSL ldap server 1.2.3.4 on port 389. May 9 14:09:41 bigip info sshd[24310]: 01070417:6: AUDIT - user root - RAW: pam_ldap validating credentials for user 'admin_test' against non-SSL ldap server 1.2.3.4 on port 389. May 9 14:09:43 bigip info sshd[24310]: 01070417:6: AUDIT - user root - RAW: pam_ldap terminating connection to non-SSL ldap server 1.2.3.4 on port 389. May 9 14:09:43 bigip info sshd(pam_audit)[24310]: 01070417:6: AUDIT - user admin_test - RAW: sshd(pam_audit): User=admin_test tty=ssh host=1.1.1.1 failed to login after 1 attempts (start="Mon May 9 14:00:52 2016" end="Mon May 9 14:09:43 2016"). [root@bigip:Active:Standalone] config grep 24310 /var/log/secure May 9 14:09:41 bigip err sshd[24310]: pam_ldap: ldap_search_s Can't contact LDAP server May 9 14:09:41 bigip notice sshd[24310]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=1.1.1.1 user=admin_test May 9 14:09:43 bigip info sshd(pam_audit)[24310]: User=admin_test tty=ssh host=1.1.1.1 failed to login after 1 attempts (start="Mon May 9 14:00:52 2016" end="Mon May 9 14:09:43 2016"). May 9 14:09:43 bigip info sshd(pam_audit)[24310]: 01070417:6: AUDIT - user admin_test - RAW: sshd(pam_audit): User=admin_test tty=ssh host=1.1.1.1 failed to login after 1 attempts (start="Mon May 9 14:00:52 2016" end="Mon May 9 14:09:43 2016"). Am I missing something or is there a bug in 11.5.4 HF1 version? I am sure authentication from F5 to AD servers is working fine as the same AD servers are used by APM.
BIG-IQ - Replacing bigip.conf file from old UCS
When I originally set up an initial BIG-IQ on some 7000 hardware chassis, it took me a long time to finally get the LDAP settings correct. We've since removed those chassis and I'm working in a VE for BIG-IQ. I'm following the steps here to extract specific files from a UCS. I'd like to restore the User Management > Auth Providers entirely, but cp /var/tmp/old/config/bigip/auth/* /config/bigip/auth/ doesn't appear to be working. Is there a better way to do this? Restoring from UCS but editing the management IP address? I'm open to ideas.
SSL client certificate LDAP Authentication Question
Hi all In a bid to try understand some of the lesser documented and possibly implemented features of LTM, I have been testing out the various authentication features LTM has to offer. I am at a point where one them - SSL client certificate LDAP authentication has left me a little stumped. I can get the feature to work at a basic level, that is, the client presents a certificate, the LTM extracts the username from the cert, performs bind to LDAP and authenticates the user successfully. What I wish to do now is ensure that the client is part of a specific AD group before granting permission to resources. I believe the *Group Base DN* and *Valid Groups* settings are what I need to focus on. However, regardless of what I enter here, I cannot get this to work. My thinking is that the Group Base DN should contain a value similar to this: CN=Sales,CN=Users,DC=company,DC=com Where 'Sales' is an AD group the users I wish to authenticate are part of. I then add the keyword 'Sales' to the Valid Groups box, for a final config like so: ltm auth ssl-cc-ldap LAB-SSL-LDAP-CONFIG { admin-dn CN=Administrator,CN=Users,DC=lab,DC=com admin-password group-base CN=Sales,CN=Users,DC=lab,DC=com servers { } user-base CN=Users,DC=lab,DC=com user-key sAMAccountName valid-groups { Sales } Yet, with this config it fails and the Wireshark trace I take doesn't actually provide much clue. In fact I can't even see the LTM attempt to query LDAP for the 'Sales' group. Any idea on where I'm going wrong? Has anyone tried this out successfully? Thanks
LDAP issue post v14.1 upgrade?
We've been using LDAP group lookups for admin login auth against our devices running v12.x - 13.x with no issues, however post v14.1 upgrade this no longer works. After experimentation we can look up individual accounts but the Remote Role Groups no longer seem to find our users. Has anyone else encountered similar or do I need to raise a support case? Example group lookup is: memberOf=cn=F5 Admin Users,ou=PermissionGroups,ou=AdminGroups,ou=Security,dc=ad,dc=companyname,dc=com
Multple VPE LDAP SearchDN entries
I have an LDAP query set up in VPE. I is working using the SearchDN I inserted. However I would like to add a second Search DN into this field. Is this possible? Basically I just want to search a second OU without having to open it up to a larger AD tree. My hope would be to have some thing like this: OU=Accounts,DC=domain,DC=domain OU=Users,DC=domain,DC=domain Just not sure if having multiple will work, and if this format will work or if I need to use an operator of some sort.
APM different authentication mechanism based on Hostname
Hello, i wanted to know if it is possible to have for example two different authentication mechanism in one Access Profile and based on the URL which i enter the APM decides which one is used. Configuration: - One virtual server, assigned with the ECA profile in order to use NTLM authentication ltm virtual vs_app-login-sso { description "App for LDAP Login and NTLM SSO" destination 10.254.3.181:https ip-protocol tcp mask 255.255.255.255 pool pool_app-qual profiles { Login_SSO { } clientssl-insecure-compatible { context clientside } eca { } http_redirect_rewrite_all { } rba { } tcp { } websso { } } rules { irule_ECA_NTLM_Auth } source 0.0.0.0/0 source-address-translation { type automap } translate-address enabled translate-port enabled vs-index 17 } iRule: when HTTP_REQUEST { ECA::enable ECA::select select_ntlm:/Common/ntlm_auth } And here is the Access Profile: So the first entry point is "Landing URI", the profile should decide when i come with the Login URL it should use LDAP Login Page and if i come with the SSO URL it should use NTLM. Both authentication are working when they are used in seperate profiles but not combined in one. Is this possible or not? Hope everything is described clearly, if not just ask :) Thanks, ChristophAD LDAP Authentication fails with mail as username
We are migrating from OID to AD LDAP. Oracle password works fine. Tried to replicate the configuration for AD LDAP. All is the same with the exceptions of a query at the beginning. The LDAP team is telling me they use userpassword attribute...I have also configured it to look for that attribute but it failed with invalid credentials. Oracle LDAP Auth OBJECT Search FIlter mail=%{session.logon.last.username} Variable Assign session.custom.uid = expr { [ mcget {session.logon.last.username}]} IF AUTH PASSES Variable Assign session.custom.mechanism = expr { "password" } AD LDAP Query OJBECT Search FIlter mail=%{session.logon.last.username} require attribute mail Variable Assign session.custom.uid = expr { [ mcget {session.logon.last.username}]} AD LDAP Auth OJBECT Search FIlter mail=%{session.logon.last.username} IF AUTH PASSES Variable Assign session.custom.mechanism = expr { "password" } It will fail auth, so the variable assign password never triggers. Thank you for any assistanceWhich IP does my F5 use to authenticate against Active Directory?
Hi, I'm currently trying to set up authentication on my F5 to use "Remote - Active Directory". When I log in to the F5 with my active directory account, which IP address is it going to use to talk to the domain controllers? Its management IP or a Self-IP? Thanks
