
APM authenticate user to multiple AD groups

Hello All:

I hope someone can help me with this. I have recently deployed a private cloud on vCloud Director 5.5. We run a Development and Test Lab that has multiple projects running at any given time. We also have several different companies collaborating on different projects. Due to this fact, there are customers that require access to some projects but not others.

I have found that as soon as I complete an AD Query that satisfies a group membership, APM quits searching and provides the resources allowed in that Resource Assignment. Unfortunately, there may be a project that authenticates to a different group later in the APM policy. The user never gets to see these resources displayed.

I have devised an If/Then logic that searches through each possible combination of AD groups. We currently have only four different AD groups that a user could authenticate against. This APM policy is huge to cover all the scenarios. I believe with further growth this will be unmanageable. Am I just missing something on how to lay out the policy to support this deployment, or does anyone have any suggestions on how to do this differently? Any help would be greatly appreciated.


Answers to this Question

USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

Did you try to work with the "Nested Groups" option in your AD authentication?
It will help you avoid this kind of problem, as APM will check your conditions for each group.

You would only have to define one resource assign box with your group membership conditions.
Here is a solution link for using nested groups: http://support.f5.com/kb/en-us/solutions/public/12000/100/sol12193

Comments on this Answer
Comment made 24-Sep-2014 by fwebb 7
Thomas, I think this is the best solution. I have been able to significantly reduce the branches off my APM policy. Thank you.

Hi,

In your Visual Policy Editor (VPE), when you want to split your configuration depending on group membership, you have to do this:

  1. Create a macro which will give access to your applications
  2. Click on the "+" and choose "Empty"
  3. Add a branch rule with the condition: Simple, Agent Sel: AD Query, Condition: User is a member of
    In the box you have to define the LDAP filter.
  4. Create as many branches as you have groups
  5. Then your clients will only match the resources behind a branch if they match your conditions.

I hope this is clear enough.
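As an added example (not code from this thread or from F5), the difference between the asker's first-match layout and the per-group evaluation described in this answer and in the "Nested Groups" answer above, using constructed group names, resource names and a constructed memberOf directory:

```python
# Added example, not from the thread or from F5: models the two evaluation
# strategies discussed above. Group names, resources and the directory
# below are constructed for illustration.
from typing import Dict, List, Set

# Constructed directory: group -> groups it is directly a member of (memberOf).
GROUP_PARENTS: Dict[str, List[str]] = {
    "Project-A-Devs": ["Project-A"],
    "Project-A": [],
    "Project-B": [],
    "Admin": [],
}

# Constructed mapping: which APM resource(s) each group condition grants.
RESOURCES_BY_GROUP: Dict[str, Set[str]] = {
    "Admin": {"admin-portal"},
    "Project-A": {"proj-a-vapp"},
    "Project-B": {"proj-b-vapp"},
}

def expand_nested(direct_groups: List[str]) -> Set[str]:
    """Resolve transitive (nested) membership, the way a nested-group AD
    query does: walk memberOf chains, guarding against cycles."""
    seen: Set[str] = set()
    stack = list(direct_groups)
    while stack:
        g = stack.pop()
        if g in seen:
            continue
        seen.add(g)
        stack.extend(GROUP_PARENTS.get(g, []))
    return seen

def first_match_assign(groups: Set[str], rules: List[str]) -> Set[str]:
    """The behaviour the asker hit: the policy stops at the first branch whose
    group condition is satisfied and assigns only that branch's resources."""
    for g in rules:
        if g in groups:
            return set(RESOURCES_BY_GROUP[g])
    return set()

def per_group_assign(groups: Set[str], rules: List[str]) -> Set[str]:
    """One resource-assign item per group condition, each evaluated on its
    own: the user receives the union of every matching branch."""
    return set().union(*(RESOURCES_BY_GROUP[g] for g in rules if g in groups))

if __name__ == "__main__":
    user = expand_nested(["Project-A-Devs", "Project-B"])   # nested: gains Project-A
    rules = ["Admin", "Project-A", "Project-B"]
    print(sorted(first_match_assign(user, rules)))  # ['proj-a-vapp']
    print(sorted(per_group_assign(user, rules)))    # ['proj-a-vapp', 'proj-b-vapp']
```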


Thomas, thank you for your reply. I am tracking and have completed that design, for the most part. I have attached a diagram of the macro I have created which satisfies all the current possibilities of AD group associations. It just seems as if this will become unmanageable as the infrastructure grows.



Which version are you running?
Also, why do you use the same macro whether the result is "Success" or "Fail"?

I think you can optimize it; the problem is just to understand every scenario you can encounter.

Comments on this Answer
Comment made 19-Sep-2014 by fwebb 7
Thomas, I am running version 11.4.1 HF4. I use the same macro to avoid having to define the Member Of for the AD Query. Each branch represents all the possible combinations of group memberships. In the example above, I have 5 groups: Admin, 3, 8, Applications and Models and Simulation. There will only be Administrators accessing Administrative assets. After that though, depending on who the user is, they could be members of any combination of groups based on what they need access to.

I just wanted to give an update. I ended up configuring an AD Group Resource Assign. This took care of any issues I had with users being part of multiple AD groups.

Thank you again for all the assistance.

Comments on this Answer
Comment made 19-Jun-2015 by Ali Khan 57
Hi, I know this thread is old, but by any chance, if you get this, can you please share whether you had to add expressions with the AD Group Resource Assign option? I have the same scenario as yours and was looking for some guidance. Thanks in advance.

You're welcome, it's a pleasure to read that everything is going fine for you!
