Insert client ip address on ldap VS
Hello team, I have a question I hope someone can answer. We have received a request to know if there is any chance to add client ip address on an ldap query. We have an ldap and ldaps virtual server with SNAT (can't disable it because F5 is not default gateway) and AD administrators requested it they could receive client ip address to know which device is sending login authentication failures. I have been investigating but couldn't find how to to do this. I don't know if this should be by creating an iRule to modify tcp payload or tcp options. Has anybody done this? Thanks in advance.
Why do we use username and password in Healthcheck Monitor ?
Hi Team , We have an LDAP VIP , and we could see the heathcheck monitor which is applied to the pool has username password enabled and used . Why do we need to authenticate first before checking the services on the server ? When do we really need to enable username/pasword option in monitoring ?
Basic Auth to OAuth 2.0 Client proxy and vice versa
I am a bit of a dabbler in Big-IP configuration and iRules and not an expert, so please forgive any ignorance on my part. I am wondering whether it is possible to use the F5 Big-IP APM to act as an authentication proxy that (1) receives requests with a Basic Auth header that is validated against either a list of static usernames and password or an Active Directory/LDAP server. After authenticating the request, the Big-IP should (2) request a token from an external OAuth 2.0 authorization server using the client_credentials grant type (or get an existing token from cache). This external authorization server does not support OIDC. After receiving the token it should (3) be added to the downstream request as an "Authorization: Bearer" header. We would also like to have the reverse of the above, where a request is (4) received on the F5 with an OAuth 2.0 Bearer token which is then authenticated and (5) replaced by a Basic Auth header on the downstream request that leaves the F5. From prior experience with a Big-IP appliance and custom iRules, I'm fairly certain that (1) and (5) are possible. Regarding (2), when configured as an OAuth client, Access Policy Manager® (APM®) supports authorization code and resource owner password credentials grant types. https://techdocs.f5.com/kb/en-us/products/big-ip_apm/manuals/product/apm-authentication-sso-13-0-0/37.html However, it would seem that there is a workaround available to use a client_credentials grant type. But I'm not sure if the external authorization server not supporting OIDC, is going to be a problem. https://devcentral.f5.com/s/articles/allow-support-of-grant-type-client-credentials-1161 Most of the use cases I have read up on seem to cover the Big-IP performing the OAuth 2.0 authentication on the incoming request/acting as a resource server instead of adding the token to the outgoing request as is required in (3). There are some articles which almost seem to cover the topics I need, but not exactly: https://devcentral.f5.com/s/feed/0D51T00006i7jtFSAQ https://clouddocs.f5.com/training/community/iam/html/class2/module2/module2.html This iRule function also seems to provide a mechanism for caching OAuth 2.0 tokens, but where exactly the originate from is not completely clear to me: https://clouddocs.f5.com/api/irules/ACCESS__oauth.html In (3) it is certainly possible to add the "Authorization: Bearer" header in an iRule once it has been obtained, but I'm kind of stuck on how to obtain it in an iRule or link to the APM configuration elements. Firstly, can someone please let me know if what I am asking is it all possible and secondly if you could provide some details on the murky/missing parts of my solution.APM LDAP Query for Group Member?
Hi all, Since we're using a standard LDAP Server with DN of ou=People and ou=Groups I try to get with a LDAP Query the Group Membership of a specific user. The Group entry in the LDAP is of objectClass "GroupOfNames" and has a member Attribute. It seems that with the standard LDAP Query Box in the Branch Rules I can select "User is a mamber of" but this seems only to support the AD memberOf attribute to search for. So is it that the LDAP Query Box is built only for querying AD with LDAP? I'm looking now for the possibility to get the Group Membership of a generic LDAP with the above objectClass of the "GroupOfNames". Any hints or examples howto get this with an APM Policy? Many thanks Best regards, Peter
Big-IQ LDAP User Bind Template
We can't get the Big-IQ to authenticate like our Big-IPs and need help. Our Big-IPs use the user bind template of %s@exx.wxx.bxx.corp and we log in using our user id, not our full name. On the Big-IQ, if I use my full name in the Bind User DN like, CN=John Doe,OU=xxx,DC=xxx,DC=xxx,DC=xxx,DC=corp and my password, LDAP authentication works. If I try to use my user ID like, CN=jdoe,OU=xxx,DC=xxx,DC=xxx,DC=xxx,DC=corp, it doesn't work. If I try to use the User Bind Template in Big-IQ instead, like CN={username},OU=xxx,DC=xxx,DC=xxx,DC=xxx,DC=corp, it fails. I assume that because I log in with my user ID, not my name, that is what is being passed as my user DN. The search filter is set to (&(sAMAccountName={username})). I don't understand why a template works on the Big-IP, but not Big-IQ. How does the user ID get translated to the full name so bind authentication works on the Big-IP? Is there a template syntax that will make that substitution?
Help troubleshooting AD Auth on F5 LB
Hi All. We're trying to configure AD auth and running into major issues. The strange thing is that telnet succeeds, I've reset and confirmed the bind user's password, and have reset and confirmed the test AD user password. Any help will be much appreciated! successful connection on 389 and 3269 - [admin@lb1:Standby:Changes Pending] log # telnet <AD IP> 3269 Trying <AD IP>... Connected to <AD IP>. Escape character is '^]'. [admin@lb1:Standby:Changes Pending] log # telnet <AD IP> 389 Trying <AD IP>... Connected to <AD IP>. Escape character is '^]'. In /var/log/secure, I see - Apr 21 19:43:37 lb1 warning httpd[8867]: [warn] [client <IP>] AUTHCACHE Error processing cookie DE71A3EB7E09C285EE804A880D473DA378684CCB - Cookie user mismatch, referer: https://<F5 IP>/tmui/login.jsp?msgcode=1& Apr 21 19:43:37 lb1 warning httpd[8867]: [warn] [client <IP>] AUTHCACHE Error processing cookie F69E5702BC54A5517DD6CF34EFB66C09E2939501 - Cookie user mismatch, referer: https://<F5 IP>/tmui/login.jsp?msgcode=1& Apr 21 19:43:37 lb1 warning httpd[8867]: [warn] [client <IP>] AUTHCACHE Error processing cookie ED2B8DAF7E221E2572F7094214AAB91947FE048D - Cookie user mismatch, referer: https://<F5 IP>/tmui/login.jsp?msgcode=1& Apr 21 19:43:37 lb1 err httpd[8867]: pam_ldap: ldap_simple_bind Can't contact LDAP server Apr 21 19:43:37 lb1 err httpd[8867]: pam_ldap: reconnecting to LDAP server... Apr 21 19:43:37 lb1 err httpd[8867]: pam_ldap: ldap_simple_bind Can't contact LDAP server Apr 21 19:43:37 lb1 warning httpd[8867]: pam_unix(httpd:auth): check pass; user unknown Apr 21 19:43:37 lb1 notice httpd[8867]: pam_unix(httpd:auth): authentication failure; logname= uid=48 euid=48 tty= ruser= rhost=<IP> Apr 21 19:43:38 lb1 err httpd[8867]: [error] [client <IP>] AUTHCACHE PAM: user 'devf5test' (fallback: false) - not authenticated: Authentication failure, referer: https://<F5 IP>/tmui/login.jsp?msgcode=1& Apr 21 19:43:38 lb1 info httpd(pam_audit)[8867]: User=devf5test tty=(unknown) host=<IP> failed to login after 1 attempts (start="Wed Apr 21 19:43:37 2021" end="Wed Apr 21 19:43:38 2021"). Apr 21 19:43:38 lb1 info httpd(pam_audit)[8867]: 01070417:6: AUDIT - user devf5test - RAW: httpd(pam_audit): User=devf5test tty=(unknown) host=<IP> failed to login after 1 attempts (start="Wed Apr 21 19:43:37 2021" end="Wed Apr 21 19:43:38 2021").LDAP monitor with error : fork() failed: Cannot allocate memory
Hi Experts , We have LDAP VIP/pool which has custom LDAP health check monitor associated with it . But the health check monitor has marked the pool member as down with the error : fork() failed: Cannot allocate memory. If we change the monitor with default tcp , the pool will be up .and also we have F5 in cluster .So this issue is there only on the Active F5 , On standby f5 the pool is up with same LDAP custom montor . Dec 6 17:33:11 f5-lan-primary notice mcpd[6358]: 01070638:5: Pool /Common/pool_ldap_prd member /Common/192.168.1.11:636 monitor status down. [ /Common/m_ldap_prd: down; last error: /Common/m_ldaps_prd: fork() failed: Cannot allocate memory @2022/12/06 13:49:09. ] [ was up for 0hr:1min:1sec ] Dec 6 17:33:11 f5-lan-primary notice mcpd[6358]: 01070638:5: Pool /Common/pool_ldap_prd member /Common/192.168.1.12:636 monitor status down. [ /Common/m_ldap_prd: down; last error: /Common/m_ldaps_prd: fork() failed: Cannot allocate memory @2022/12/06 15:57:29. ] [ was up for 0hr:1min:1sec ] Can you please check and advice , if you are familiar with this error message ? Please note there is no issue with the memory on the F5 .Looks normal .CRLDP Authentication : CRL lookup failed
Hi F5 community, I'm trying to use CRLDP Authentication on BigIP APM (12.0.0). This is for an ActivSync access with Certification credentials (Kerberos method). Everything works before adding CRLDP auth : Credentials are extracted from with client Certificat and used for Kerberos authentication. I have access to my emails. That part is great. As far as CRLDP concerned, I followed this configuration process : https://support.f5.com/kb/en-us/products/big-ip_apm/manuals/product/apm-authentication-single-sign-on-12-0-0/16.print.html. To resum, I created the CRLDP AAA server and I associated to my access policy. And it's not working : reason 'No valid host found' CRL lookup failed for LDAP url. And I'm not surprised because I know that a user account is required to access my LDAP. Thing is I don't know how or where to configure it. Somebody's got a clue ? Cheers, Julien
iRules LX for APM password reset
We are attempting to use APM as a Self-Service Password Reset resolution. I can modify Active Directory attributes than to this article https://devcentral.f5.com/s/articles/apm-cookbook-modify-ldap-attribute-values-using-iruleslx-21850 , however, has anyone used iRules LX to reset a password. I'll validate the user first with other methods but want to reset a forgotten password rather than the APM built-in Kerberos API reset with the current password to update to a new one. Thanks
Trying to LDAP query an AD LDS field
I currently have an access policy where i need to LDAP query a custom field on a AD LDS server. I get the following error when I try: LDAP Module: Failed to bind with 'CN=testuser,OU=Service Accounts,OU=Groups,OU=Acounts,DC=domain,DC=com'. Internal (implementation specific) error. I first authenticate users with AD auth to a different set of AD servers. The AD LDS server only has user info and a few custom fields. I want to run an ldapsearch from the F5 but i don't really know the syntax. I do have the following info: - user account is testuser - user account password is testpassword - AD LDS Instance = DC=F5userAttribute,DC=domain,DC=com - AD LDS server IP is 10.18.24.210 - the field i need to pull data from is "customSecretKey" Just wondering what the syntax will be ldapsearch command.
