Forum Discussion

opers13_3280
Oct 17, 2009

LDAP configuration

I'm in the process of configuring LDAP on the F5.

Do I have to create an account in AD for the F5 so it can search LDAP?

thanks

5 Replies

  • Could you clarify what you mean by "configuring LDAP"? Does this mean you are trying to configure it so that users can authenticate with Active Directory credentials, or something else? You also might want to post what software version you are running.
  • As SMP suggested, it would help if you could clarify whether you want to configure client or admin authentication.

    For admin auth, I've tested this config successfully on 9.4.8:

    Auth method: Remote Active Directory Auth
    Host: 1.1.1.1
    Port: 389
    Remote Dir Tree: OU=Admin User Accounts, OU=UserAccounts, DC=my_subdomain, DC=my_domain, DC=my_tld
    Scope: sub
    Bind account: readonly_account@my_subdomain.my_domain.my_tld (not sure this is required if you can use the "User Template" configuration for authentication)
    User Template: %s@my_subdomain.my_domain.my_tld
    SSL: Disabled

    Aaron

  • Sorry for the lack of information.

    I'm trying to configure LDAP for client authentication against AD.

    Do I need to configure a service account in AD for the F5?

    BIG-IP 9.4.6 Build 401.0 Final

    Thanks

  • I am also trying to integrate the F5 with AD for Management user (admin) authentication. I am getting the error below:

    Mar 6 13:12:56 F5device httpd[25036]: pam_ldap: error trying to bind (Invalid credentials)
    Mar 6 13:12:56 F5device httpd(pam_unix)[25036]: authentication failure; logname= uid=48 euid=48 tty= ruser= rhost=10.20.66.59 user=XXXX
    Mar 6 13:12:59 F5device httpd[25036]: [error] [client 10.20.66.59] AUTHCACHE PAM: user 'XXXX' - not authenticated: Authentication failure, referer: https://F5device.com/

    I am using the version below:

    :Active] config b version
    Kernel:
    Linux 2.4.21-9.3.1.37.0smp
    Package:
    BIG-IP Version 9.3.1 66.0
    Hotfix HF5 Edition

    My ldap config looks like below (/etc/ldap.conf):

    host 161.228.215.112
    base OU=Service,OU=PBUsers,DC=subdomain1,DC=domain,DC=global,DC=pvt
    ldap_version 3
    binddn binduser@subdomain1.domain.global.pvt
    bindpw passowrd
    port 389
    scope sub
    timelimit 30
    bind_timelimit 30
    idle_timelimit 3600
    pam_login_attribute uid
    pam_check_host_attr no
    usertemplate uid=%s,OU=PBUsers,DC=usdby1-pbiadp01,DC=pbi,DC=global,DC=pvt
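The post above shows a pam_ldap /etc/ldap.conf whose usertemplate carries a different DC suffix than its base and binddn, which is one of the things the next reply says to double-check. The following script is an added example (not code from the thread or from F5) that parses that config format, expands the user template for a login name, and reports the mismatches and cleartext-credential risks a reviewer would look for; the sample config is constructed from the values in the post with the password replaced by a placeholder, and the `ssl` keyword check assumes pam_ldap's `ssl on|start_tls` setting.

```python
import re

# Constructed sample in the pam_ldap /etc/ldap.conf format from the thread; the
# DC suffix of usertemplate deliberately differs from base and binddn.
SAMPLE_LDAP_CONF = """
host 161.228.215.112
base OU=Service,OU=PBUsers,DC=subdomain1,DC=domain,DC=global,DC=pvt
ldap_version 3
binddn binduser@subdomain1.domain.global.pvt
bindpw placeholder_password
port 389
scope sub
pam_login_attribute uid
usertemplate uid=%s,OU=PBUsers,DC=usdby1-pbiadp01,DC=pbi,DC=global,DC=pvt
"""

def parse_ldap_conf(text):
    """Parse 'keyword value' lines into a dict; keywords are case-insensitive."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition(" ")
            conf[key.lower()] = value.strip()
    return conf

def dn_components(dn):
    # Split a DN on unescaped commas, normalising case and whitespace.
    return [p.strip().lower() for p in re.split(r"(?<!\\),", dn)]

def domain_of(name):
    """AD domain implied by a DN (its DC components) or by a UPN (user@domain)."""
    if "=" not in name:
        return name.lower().rsplit("@", 1)[-1]
    return ".".join(p[3:] for p in dn_components(name) if p.startswith("dc="))

def expand_user_template(conf, username):
    return conf["usertemplate"].replace("%s", username)

def check_ldap_conf(conf):
    """Return findings that commonly explain a pam_ldap 'Invalid credentials' bind error."""
    findings = []
    base_domain = domain_of(conf.get("base", ""))
    for key in ("binddn", "usertemplate"):
        if key in conf and domain_of(conf[key]) != base_domain:
            findings.append(f"{key} domain {domain_of(conf[key])!r} differs from base {base_domain!r}")
    # Assumption: pam_ldap's 'ssl' keyword; without it a simple bind on 389 sends passwords in the clear.
    if conf.get("ssl", "off").lower() not in ("on", "start_tls"):
        findings.append("no ssl/start_tls: bind passwords cross the network in cleartext")
    if "bindpw" in conf:
        findings.append("bindpw is stored in cleartext; keep /etc/ldap.conf readable only by root")
    return findings
```

Run `check_ldap_conf(parse_ldap_conf(SAMPLE_LDAP_CONF))` to see the usertemplate/base domain mismatch reported first; a config whose template uses the base's own domain (for example a `%s@domain` UPN template with `ssl start_tls`) returns no findings.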

  • Nagesh, your error is giving you invalid credentials. I'd double check your DN and password for your query userid. Also, check your "usertemplate" definition. I'm not running version 9 so I can't say for certain.

    Opers13, Yes. You do need an ID that has privileges to query your AD structure and verify users.

    Here is a sample of the sections in our bigip.conf file that show remote roles for specific groups for admin and operators. Our generic login lets anyone come in as a guest. This allows us to specify remote groups with enhanced privileges.

    remoterole {
        role info {
            ltm_admins {
                attribute "memberOf=CN=ltm_admins,CN=Groups,DC=ad,DC=redmond,DC=microsoft"
                line order 1000
                role "administrator"
                user partition "all"
            }
            ltm_operators {
                attribute "memberOf=CN=ltm_operators,CN=Groups,DC=ad,DC=redmond,DC=microsoft"
                line order 1010
                role "operator"
                user partition "all"
            }
        }
    }

    auth ldap system-auth {
        search base dn "dc=ad,dc=redmond,dc=microsoft"
        bind dn "cn=adsearch,cn=users,dc=ad,dc=redmond,dc=microsoft"
        bind pw "ourawesomesecretpassword"
        login attr "uid"
        user template "%s@ad.redmond.microsoft"
        servers "192.168.1.2"
    }

    I'm not a Microsoft employee and the above information is just for example purposes.

    Jason