
Need help to configure BIGIP LTM to use MS Active Directory for authenticating BIGIP system user accounts for MGMT Interface

Hi, I am setting up one BIGIP LTM Virtual Edition 10.1 (90-day trial) in our lab to test the appliance. In this process I was trying to configure the appliance to use a Microsoft 2008 Active Directory server for authenticating system user accounts, that is, traffic that passes through the management interface (MGMT). Kindly note that this box doesn't have APM installed. I used the following procedure to configure the AD authentication:

1. System -> Users -> Authentication
2. Select 'Remote - Active Directory'.
3. Give the IP address of the AD server in the Host field.
4. Use the default port 389, as we have not changed the default port.
5. Give the Remote Directory Tree details --> dc=domain_name,dc=com
6. Scope --> Sub
7. In the bind settings specify the DN --> accountname and the relevant password, and confirm the same.
8. No user template.
9. SSL disabled, as we did not use any SSL for the AD server.

Now this setup is not working. The appliance does not pull AD account information. I am not sure if I have missed something in this configuration. I desperately need help to fix this setup as I need to complete it at the earliest possible. Kindly let me know if you need any more information from my side.

Thanks

Partha

7 Answer(s):

Here is what our 10.2 LDAP auth definition looks like in the bigip.conf file for our 2008 AD directory server.

auth ldap system-auth {
   search base dn "dc=prod,dc=ad,dc=bigcompany"
   bind dn "cn=ldapverify,cn=users,dc=prod,dc=ad,dc=bigcompany"
   bind pw "ldapverifypassword"
   login attr "uid"
   user template "%s@prod.ad.bigcompany"
   servers "10.10.10.10"
}

This section in our bigip.conf defines the role for remote users.

remote users {
   default partition all
   default role guest
}

We use the following in our 10.2 LTM setup to define additional remote roles in addition to the default access granted to AD accounts. This is also in the bigip.conf file.

remoterole {
   role info {
      slb_admins {
         attribute "memberOf=CN=slb_admins,CN=Groups,DC=prod,DC=ad,DC=bigcompany"
         console "disable"
         line order 1000
         role "administrator"
         user partition "all"
      }
      slb_appeditors {
         attribute "memberOf=CN=slb_appeditors,CN=Groups,DC=prod,DC=ad,DC=bigcompany"
         console "disable"
         line order 1020
         role "app editor"
         user partition "all"
      }
      slb_operators {
         attribute "memberOf=CN=slb_operators,CN=Groups,DC=prod,DC=ad,DC=bigcompany"
         console "disable"
         line order 1010
         role "operator"
         user partition "all"
      }
   }
}

Hi Partha,

Jason's example should do the trick for you. I'd suggest not using the 10.1 VE trial edition as it is very old, included LTM only and had feature restrictions.

If you want to evaluate VE, you could contact an F5 SE and request an eval license (www.f5.com/howtobuy). It will work for all current VE versions and support all the modules.

Aaron

Thanks Jason & Aaron for your prompt response. Let me try to get the latest version and try in that.

Hi, I have deployed the 11.3 virtual edition and enabled the APM module. I have tried every way to configure the authentication but failed, which is quite frustrating. I am sharing what I have done:

System >> Authentication Authentication Source

User Directory: Remote - Active Directory

Host : 172.16.X.X

Port: 389

Remote Directory Tree: OU=ltm,DC=poc,DC=ltmtest,DC=com

Scope: Sub

Bind DN: CN=ltmuser,OU=ltm,DC=poc,DC=ltmtest,DC=com

Check Member Attribute in Group: Enabled

SSL: Disabled

External Users:

Role: Administrator

Terminal Access: tmsh

All the user accounts that need to log on are in the LTM OU. I have tried Jason's config, but that is also not working for me. If anybody has a good step-by-step guide or video for this implementation, kindly share it with me.

Thanks

The configs I posted were specifically for 10.2. 11.3 has many many config file changes.

Thank you all for your support; my issue has been resolved. The DNS setting was wrong; after correcting it, AD integration started working.

What was wrong with the DNS settings? I encountered the same issue too. Can you tell me if the settings below are correct?

System >> Authentication Authentication Source

User Directory: Remote - Active Directory

Host : 172.16.X.X

Port: 389

Remote Directory Tree: OU=ltm,DC=poc,DC=ltmtest,DC=com

Scope: Sub

Bind DN: CN=ltmuser,OU=ltm,DC=poc,DC=ltmtest,DC=com

Check Member Attribute in Group: Enabled

SSL: Disabled

External Users:

Role: Administrator

Terminal Access: tmsh

I found this in the log: "f5.admin 0-0 httpd(pam_audit): User=f5.admin tty=(unknown) host=20.x.x.x failed to login after 1 attempts"

I've been able to get this working without SSL as described above. Has anyone got it working with SSL? I haven't found anything on DC yet that helps.

Hi,

I want to use AD authentication for logging on to GTM. Below is my configuration, which is working fine at OU level and user level; now I want to use the same GTM with an AD security group, so that members of that group can log on to the GTM console based on the mentioned role (administrator/guest). Please help me to configure the same. I have tried memberOF=CN=IT_GTM_Admin,OU=all_SG,DC=domainname,DC=co,DC=in in the remote directory tree, but it's not working.

User Directory: Remote - Active Directory

Host : 10.43.x.x

Port: 389

Remote Directory Tree: CN=Users,DC=domainname,DC=co,DC=in

Scope: Sub

Bind DN: CN=gtmuser,CN=Users,DC=persistent,DC=co,DC=in

Check Member Attribute in Group: Enabled

SSL: Disabled

External Users:

Role: Administrator

Terminal Access: tmsh

Anil, does your bind DN (CN=gtmuser,CN=Users,DC=persistent,DC=co,DC=in) have access to the RDT (CN=Users,DC=domainname,DC=co,DC=in)? Typically, these would be within the same domain. Here you have specified [effectively] persistent.co.in and domainname.co.in. --Alan

Sorry, that was a typo; the domain name is persistent.co.in. Let me explain clearly: I have a user, gtmuser, which is in the Indiausers OU, and a GTM_admins group, and gtmuser has been added to the gtm_admins group. If I specify Remote Directory Tree: CN=gtmuser,OU=Indiausers,DC=persistent,DC=co,DC=in, authentication works fine, and if I specify Remote Directory Tree: OU=Indiausers,DC=persistent,DC=co,DC=in then all users who are in the Indiausers OU are able to log on to the GTM management console (either guest or administrator). The problem is, if I specify Remote Directory Tree: CN=GTM_admins,OU=SecurityGroups,DC=domainname,DC=co,DC=in (the DN of the group), then authentication is not working; it gives me a logon failed error. I cannot move those who are admins of GTM to any other OU; I have to use a security group. Need help on this asap.
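Editor's added example, serving both Jason's 10.2 remoterole config earlier in the thread and the security-group question in the last two posts. It is not F5 code and not code from anyone in this thread. It does two things a practitioner wants before touching the appliance: (1) it builds the OpenLDAP `ldapsearch` command that reproduces what the BIG-IP does with the GUI fields (bind with the Bind DN, subtree search under the Remote Directory Tree for the login attribute), so Bind DN, search base and the user's `memberOf` values can be verified from any Linux host; (2) it resolves which remote role those `memberOf` values select under the remoterole stanza, assuming the lowest `line order` is evaluated first and the first match wins (my reading of that config, not an F5 statement), with the `remote users` default as the fallback. Hostnames, the `ROLES` table (copied from Jason's stanza) and the LDIF are constructed sample data; the `ldapsearch` flags are OpenLDAP's.

```python
"""Preflight and role-mapping check for BIG-IP remote AD/LDAP system authentication.

Added example (not F5 code). Sample hosts, DNs and LDIF below are constructed.
"""
import base64
import re
import shutil
import subprocess
from dataclasses import dataclass


def ldap_filter_escape(value: str) -> str:
    """RFC 4515 escaping so a login name typed by a user can never rewrite the search filter."""
    return ''.join('\\%02x' % ord(c) if c in '\\*()\x00' else c for c in value)


def ldapsearch_argv(host, port, bind_dn, base_dn, login_attr, username, use_ssl=False):
    """OpenLDAP ldapsearch invocation mirroring the GUI fields (-W prompts for the bind password)."""
    scheme = 'ldaps' if use_ssl else 'ldap'
    return ['ldapsearch', '-x', '-LLL',
            '-H', f'{scheme}://{host}:{port}',
            '-D', bind_dn, '-W',
            '-b', base_dn, '-s', 'sub',
            f'({login_attr}={ldap_filter_escape(username)})',
            'dn', 'memberOf']


def parse_ldif_member_of(ldif: str) -> list:
    """Collect memberOf values from `ldapsearch -LLL` output: unfold wrapped lines, decode `::` base64."""
    out = []
    for line in ldif.replace('\n ', '').splitlines():
        key, _, val = line.partition(':')
        if key.strip().lower() != 'memberof':
            continue
        if val.startswith(':'):                       # "memberOf:: <base64>" form
            val = base64.b64decode(val[1:].strip()).decode('utf-8')
        out.append(val.strip())
    return out


def _norm_dn(dn: str) -> str:
    """Case- and whitespace-insensitive DN form; splits only on unescaped commas."""
    return ','.join(p.strip().lower() for p in re.split(r'(?<!\\),', dn))


@dataclass(frozen=True)
class RemoteRole:
    name: str
    attribute: str          # "memberOf=<group DN>", exactly as in the remoterole stanza
    line_order: int
    role: str
    partition: str = 'all'
    console: str = 'disable'


def resolve_remote_role(member_of, roles, default_role='guest', default_partition='all'):
    """(role, partition, console) of the first role matching in line-order sequence, else the default."""
    groups = {_norm_dn(g) for g in member_of}
    for r in sorted(roles, key=lambda r: r.line_order):      # assumption: lowest line order first
        attr, _, group_dn = r.attribute.partition('=')
        if attr.strip().lower() == 'memberof' and _norm_dn(group_dn) in groups:
            return r.role, r.partition, r.console
    return default_role, default_partition, 'disable'


def preflight(host, port, bind_dn, base_dn, login_attr, username, roles):
    """Run ldapsearch for real (needs OpenLDAP client tools and network) and map the result."""
    if shutil.which('ldapsearch') is None:
        raise RuntimeError('ldapsearch not installed')
    argv = ldapsearch_argv(host, port, bind_dn, base_dn, login_attr, username)
    res = subprocess.run(argv, capture_output=True, text=True)   # -W prompts on the terminal
    if res.returncode != 0:
        raise RuntimeError(f'bind/search failed (rc={res.returncode}): {res.stderr.strip()}')
    return resolve_remote_role(parse_ldif_member_of(res.stdout), roles)


# Role table copied from Jason's 10.2 remoterole stanza; note the line orders are not in listing order.
ROLES = [
    RemoteRole('slb_admins', 'memberOf=CN=slb_admins,CN=Groups,DC=prod,DC=ad,DC=bigcompany', 1000, 'administrator'),
    RemoteRole('slb_appeditors', 'memberOf=CN=slb_appeditors,CN=Groups,DC=prod,DC=ad,DC=bigcompany', 1020, 'app editor'),
    RemoteRole('slb_operators', 'memberOf=CN=slb_operators,CN=Groups,DC=prod,DC=ad,DC=bigcompany', 1010, 'operator'),
]

# Constructed `ldapsearch -LLL` output for a user in two mapped groups; one value is line-folded as ldapsearch does.
SAMPLE_LDIF = """dn: CN=Jane Doe,CN=Users,DC=prod,DC=ad,DC=bigcompany
memberOf: CN=slb_appeditors,CN=Groups,DC=prod,DC=ad,DC=bigcompany
memberOf: CN=slb_operators,CN=Groups,DC=prod,DC=ad,
 DC=bigcompany
memberOf: CN=Domain Users,CN=Users,DC=prod,DC=ad,DC=bigcompany

"""

if __name__ == '__main__':
    print(' '.join(ldapsearch_argv('172.16.0.10', 389, 'CN=ltmuser,OU=ltm,DC=poc,DC=ltmtest,DC=com',
                                   'OU=ltm,DC=poc,DC=ltmtest,DC=com', 'sAMAccountName', 'jdoe')))
    print(resolve_remote_role(parse_ldif_member_of(SAMPLE_LDIF), ROLES))   # ('operator', 'all', 'disable')
    print(resolve_remote_role([], ROLES))                                  # ('guest', 'all', 'disable')
```

Two points the sample makes. First, a user in both slb_operators (line order 1010) and slb_appeditors (line order 1020) lands on the operator role, because the lower line order is checked first; the order the stanzas are written in does not matter. Second, on the last post's problem: a group object such as CN=GTM_admins,OU=SecurityGroups,... is a leaf entry, not a container, so a subtree search based at it returns no user entries and the bind can never succeed. The group DN belongs in the role mapping as the `attribute "memberOf=..."` value, while the Remote Directory Tree stays at the OU or domain level that actually holds the user objects; running the `ldapsearch` command this script prints against the intended base will show whether the user entry and its `memberOf` values come back before anything is changed on the appliance.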
