How do you get Big-IQ to work with Active Directory for authentication?

Does anyone know of a link to F5 documentation about how to get Big-IQ to work with Active Directory to authenticate users? I've worked with the LDAP auth setup on Big-IQ, and was able to get as far as getting a user account to automatically add to the box if it's present in AD. But what I really want to do is get it to behave like an LTM doing AD remote auth, specifically with these two features: 1. No access for users not in a specific AD group. 2. For those in a group, assign them admin rights automatically.

This seems much more difficult than the LTM because in Big-IQ you have to treat AD like a raw LDAP server, and I'm not an LDAP expert. But I imagine almost everyone using Big-IQ must have faced this, so I'm sure there's documentation about how to work with AD out there; I'm just having trouble finding it.


Answers to this Question

USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

Hi,

First, I would recommend downloading LDAP Browser from Softerra. It makes the task of finding all the DNs, etc. a whole lot easier.

http://www.ldapbrowser.com/download.htm

To start you need to go to "System" > "Configuration" and then click on the gear next to "HA Peer Group", then look at the "Auth Provider" tab. I included a screen shot from my lab. I had to add a name for the auth provider, a host IP address (or DNS name), the bind user, root DN, and search filter (find this using the LDAP Browser).


After you have this configured you can go to "System" > "Access Control" and add a new stub user account. I haven't set up an Authentication Group yet but wanted to get the basic info to you.

Click the plus (+) in the "Users" ribbon. Add the username, select the auth provider and then use the LDAP Browser to find the DN for the user.


After you click "Add" then you can go back into the user by clicking the username and then you will see a select box to set the User Roles. Here I selected "Administrator".


After you save this you can then attempt to log in.


This should let you in with the permissions set.

If you want to use remote groups, keep playing around, and if I have time to set it up then I will post back.

-Seth


First you must set up your LDAP authentication under BIG-IQ System. Docs for that are here: https://support.f5.com/kb/en-us/products/big-iq-centralized-mgmt/manuals/product/bigiq-central-mgmt-initial-setup-4-6-0/4.html#unique_78898411

After your LDAP auth provider is set up, you can assign users and groups to roles here: https://support.f5.com/kb/en-us/products/big-iq-centralized-mgmt/manuals/product/bigiq-central-mgmt-device-4-6-0/9.html#unique_1118044730

Hint: if the group search button does not populate a list of groups, you need to go back and edit your LDAP auth provider settings in step 1 above.


Hi Kyle. I've tried that, but I seem unable to get the correct settings for LDAP (my remote group list does not populate). Are there any examples of successful AD configurations that you know of? I'm guessing I have some of the fields wrong, like some of the search filters or attribute fields, and I'm sure they're probably the same for any AD implementation since they generally have the same structure and attributes, so I'm wondering if you have any examples of what goes into them?


Thanks guys. I appreciate the input, because this is pretty much what I had. I keep getting an "Unable to connect to LDAP provider" error on the login page, but when I use the ldapsearch command per sol11072 and sol15811 things work just fine. So since those commands work and I pretty much match what you guys have, I'm thinking this might be a bug in 4.6? I'm opening a support case with F5 and will report back if that turns out to be the case.

Symptoms are:

  1. On the logon page on the GUI, receiving an "Unable to connect to LDAP provider" message, despite the ldapsearch command connecting fine.

  2. I see the following in the restjavad.0.log:

    [root@bigiq.example.com:Active] log # tail -f restjavad.0.log
    [WARNING][8909][09 Dec 2015 16:22:46 UTC][8100/cm/system/authn/providers/ldap/47e4354d-73e8-43aa-b9ab-7d75f5e7b11a/login LdapProviderLoginWorker][completed] Unable to connect to LDAP provider 10.0.0.1
    [I][8910][09 Dec 2015 16:22:46 UTC][8100/shared/authn/login AuthnWorker][failed] User test_account failed to login using the https://localhost/mgmt/cm/system/authn/providers/ldap/47e4354d-73e8-43aa-b9ab-7d75f5e7b11a/login authentication provider
    

Any ideas?


A case is probably your best bet at this point.


Had the same issue this morning and figured it out.

When using ldapsearch, the syntax didn't match the boxes listed in the default settings.

To resolve it I changed the bind user to just be the username .... no CN= in front of it, so it uses the username exactly like the ldapsearch command line.

Then I changed the search filter to (sAMAccountName={username}) .... after that it worked :)

Let me know if that helps.

Comments on this Answer
Comment made 03-Feb-2016 by Steve_245 123
Thanks David. This helped me. I didn't have to modify the bind username field, but modifying the search filter as you specified got single users to work properly. I'm still trying to figure out the search filter field for the User Groups. I can't determine what it's looking for there.
Comment made 25-Apr-2017 by Chris_FP 163

Did you ever manage to get the search filter working for the User Groups? I am hitting the same problem in that the Big-IQ will authenticate the users OK and it populates the users with the verified LDAP users, but it isn't picking up the group mapping.

I can set it manually in Users but that defeats the purpose of having groups to do this.


In case of using LDAPS: I can configure the SSL checkbox, but where do I have to import the corresponding SSL certificate to communicate via LDAPS?


OK, I had this exact issue today and have got this working with Active Directory groups on the BIG-IQ. My configuration is as follows:

Bind User: Required

Bind Password: Required

Root DN: DC=contoso,DC=com

Authentication Method: Simple

Search Scope: Subtree

Search Filter: (sAMAccountName={username})

User Display Name Attribute: displayName

Group Display Name Attribute: cn

Group Search Filter: (&(ObjectCategory=Group)(cn=F5*))

Group Membership Filter: (|(member={userDN})(uniqueMember={userDN}))

Note my groups contain F5 in the name, which is referenced in the group search filter.

Now go and create a user group, selecting LDAP as the authentication method. Leave the remote group filter blank and select search; this should populate a drop-down box with all AD groups that match the criteria above. Select the appropriate group and map a role, and you should be able to log in as long as the account is a member of the group.

Hopefully this helps someone.

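As an added illustration (not code from F5, BIG-IQ, or any poster in this thread), the following Python evaluates the Search Filter, Group Search Filter and Group Membership Filter from the configuration above (and the (sAMAccountName={username}) filter David arrived at) against a small constructed in-memory directory, following the same username to user DN, then group, then role resolution that an LDAP auth provider performs. The directory entries, the F5-Admins to Administrator role mapping and the username character check are assumptions made for the example; the evaluator supports only the RFC 4515 subset these filters use and performs no LDAP value escaping.

```python
"""Added illustration (not F5/BIG-IQ code): evaluate the AD filters from the
answer above against a small constructed directory, the way an LDAP auth
provider resolves username -> user DN -> groups -> role."""
import re

# Constructed sample entries for a hypothetical contoso.com forest.
DIRECTORY = {
    "CN=Alice Admin,OU=Staff,DC=contoso,DC=com": {
        "objectCategory": ["Person"], "sAMAccountName": ["alice"],
        "displayName": ["Alice Admin"]},
    "CN=Bob User,OU=Staff,DC=contoso,DC=com": {
        "objectCategory": ["Person"], "sAMAccountName": ["bob"],
        "displayName": ["Bob User"]},
    "CN=F5-Admins,OU=Groups,DC=contoso,DC=com": {
        "objectCategory": ["Group"], "cn": ["F5-Admins"],
        "member": ["CN=Alice Admin,OU=Staff,DC=contoso,DC=com"]},
    "CN=Web-Team,OU=Groups,DC=contoso,DC=com": {
        "objectCategory": ["Group"], "cn": ["Web-Team"],
        "member": ["CN=Bob User,OU=Staff,DC=contoso,DC=com"]},
}

# Provider settings as posted above; the role mapping is constructed for the example.
ROOT_DN = "DC=contoso,DC=com"
SEARCH_FILTER = "(sAMAccountName={username})"
GROUP_SEARCH_FILTER = "(&(ObjectCategory=Group)(cn=F5*))"
GROUP_MEMBERSHIP_FILTER = "(|(member={userDN})(uniqueMember={userDN}))"
GROUP_DISPLAY_ATTR = "cn"
GROUP_ROLES = {"F5-Admins": "Administrator"}


def parse_filter(text):
    """Parse the RFC 4515 subset used here: (&...), (|...), (!...), (attr=value) with '*'."""
    node, pos = _parse(text, 0)
    if pos != len(text):
        raise ValueError("trailing characters in filter: %r" % text[pos:])
    return node


def _parse(text, pos):
    if text[pos] != "(":
        raise ValueError("expected '(' at offset %d" % pos)
    pos += 1
    if text[pos] in "&|!":
        op, children, pos = text[pos], [], pos + 1
        while text[pos] != ")":
            child, pos = _parse(text, pos)
            children.append(child)
        return (op, children), pos + 1
    end = text.index(")", pos)          # simple values only: no escaped ')' handling
    attr, _, value = text[pos:end].partition("=")
    return ("=", attr, value), end + 1


def get_attr(entry, name):
    """Case-insensitive lookup: AD treats ObjectCategory and objectCategory alike."""
    return next((v for k, v in entry.items() if k.lower() == name.lower()), [])


def matches(node, entry):
    """Evaluate a parsed filter node against one directory entry."""
    op = node[0]
    if op == "&":
        return all(matches(c, entry) for c in node[1])
    if op == "|":
        return any(matches(c, entry) for c in node[1])
    if op == "!":
        return not matches(node[1][0], entry)
    _, attr, pattern = node
    regex = "^" + ".*".join(re.escape(p) for p in pattern.split("*")) + "$"
    return any(re.match(regex, v, re.IGNORECASE) for v in get_attr(entry, attr))


def search(base_dn, flt):
    """Subtree search from base_dn, as Search Scope: Subtree does."""
    node = parse_filter(flt)
    return [dn for dn, entry in DIRECTORY.items()
            if dn.lower().endswith(base_dn.lower()) and matches(node, entry)]


def authorize(username):
    """Return None (no access) or {'dn', 'groups', 'role'} for a login attempt."""
    # Constructed policy: refuse names carrying filter metacharacters rather than
    # splicing them into the search filter (RFC 4515 escaping is the alternative).
    if not re.fullmatch(r"[A-Za-z0-9._-]+", username):
        return None
    user_dns = search(ROOT_DN, SEARCH_FILTER.replace("{username}", username))
    if len(user_dns) != 1:
        return None                     # unknown or ambiguous account
    user_dn = user_dns[0]
    member_filter = parse_filter(GROUP_MEMBERSHIP_FILTER.replace("{userDN}", user_dn))
    groups = [get_attr(DIRECTORY[g], GROUP_DISPLAY_ATTR)[0]
              for g in search(ROOT_DN, GROUP_SEARCH_FILTER)
              if matches(member_filter, DIRECTORY[g])]
    roles = [GROUP_ROLES[g] for g in groups if g in GROUP_ROLES]
    return {"dn": user_dn, "groups": groups, "role": roles[0] if roles else None}


if __name__ == "__main__":
    for name in ("alice", "bob", "carol", "al*"):
        print(name, "->", authorize(name))
```

Running it shows the behaviour described above: alice is found by the search filter, appears as a member of the only group passing (cn=F5*), and gets the mapped role; bob authenticates but belongs to no F5* group, so no role is assigned and the login would be refused; carol is unknown; and a name containing * is rejected before it can turn the user search into a wildcard match.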
Comments on this Answer
Comment made 3 months ago by Mohammed M Irfan 116

Hi Raheem,

Can you please explain with examples? We are using BIG-IQ 6.1.0v.

Bind User: Required   <<<< for this

Bind Password: Required   <<<< for this

Root DN: DC=contoso,DC=com

Authentication Method: Simple

Search Scope: Subtree

Search Filter: (sAMAccountName={username})

User Display Name Attribute: displayName

Group Display Name Attribute: cn

Group Search Filter: (&(ObjectCategory=Group)(cn=F5*))

Group Membership Filter: (|(member={userDN})(uniqueMember={userDN}))