Forum Discussion

Jim_24689
Mar 12, 2014

Having trouble configuring AD group authentication and authorization.

Hello, I am trying to deploy AD authentication and privileges by AD group. The goal is no local user accounts.


F5 LTM V10.2.4


Here is the configuration which allows authentication but applies guest privilege (RO). I am sure that ADMIN_LTM_SUPPORT exists in AD and that I am a member of it. It would seem that I am being logged in as guest and not as an administrator associated with ADMIN_LTM_SUPPORT. If I change the auth type to "Remote Active Directory", authentication fails as well. Our AD administrator indicates that the attributes associated with the group are the following:


ADMIN_LTM_SUPPORT,ou=Global,ou=Groups,dc=cguser,dc=company,dc=com


I'd welcome any suggestions for debugging this. I'm a newb when it comes to AD/LDAP. Thank you. -Jim


remote users {
   default role guest
}
remoterole {
   role info ADMIN_LTM_SUPPORT {
      attribute "memberOF=cn=grp-ADMIN_LTM_SUPPORT,ou=Global,ou=Groups,dc=cguser,dc=company,dc=com"
      console "enable"
      line order 1000
      role "administrator"
      user partition "all"
   }
}


auth ldap system-auth {
   service ldaps
   ssl enable
   search base dn "dc=capgroup,dc=com"
   bind dn "cn=grp-ADMIN_LTM_SUPPORT,ou=Global,ou=Groups,dc=cguser,dc=company,dc=com"
   login attr "uid"
   servers "ldap"
}


1 Reply

  • You need to validate that your F5 can resolve "ldap" to an IP address. In my configuration, which is similar, occasionally the F5 can't resolve a DNS name for the servers value. I have taken to using an IP address that is actually a VIP on one of my load balancers. This makes it clearer what it is connecting to.
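An added consistency check for the posted stanzas, written as a Python script that is not part of this thread and not an F5 tool. It takes the remote-role attribute, search base, bind DN and servers list copied from the two configuration blocks above into a constructed dictionary and reports three things a reader of this thread would want to verify before touching the directory: whether the group DN and the search base are in the same domain (users are searched under the search base, so a search rooted in the wrong domain finds no user and the default role of guest is applied), whether the bind DN is the group object itself rather than an account that can bind, and whether each servers entry resolves, which is the point the reply makes. The resolver is injectable so the check can be exercised offline; the dictionary keys and function names are my own.

```python
import socket
from typing import Callable, Dict, List, Tuple

# Constructed from the values shown in the posted "remoterole" and
# "auth ldap" stanzas; the key names are this script's own.
SAMPLE = {
    "attribute": "memberOF=cn=grp-ADMIN_LTM_SUPPORT,ou=Global,ou=Groups,dc=cguser,dc=company,dc=com",
    "search_base": "dc=capgroup,dc=com",
    "bind_dn": "cn=grp-ADMIN_LTM_SUPPORT,ou=Global,ou=Groups,dc=cguser,dc=company,dc=com",
    "servers": ["ldap"],
}

Resolver = Callable[[str], str]


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Split a DN such as 'cn=x,ou=y,dc=z' into lower-cased (type, value)
    pairs, most specific first. Plain comma splitting is enough for the
    unescaped DNs used in remote-role attributes; RFC 4514 escaping of
    commas inside values is not handled here."""
    pairs = []
    for rdn in dn.split(","):
        if "=" not in rdn:
            raise ValueError(f"malformed RDN {rdn!r} in {dn!r}")
        attr, value = rdn.split("=", 1)
        pairs.append((attr.strip().lower(), value.strip().lower()))
    return pairs


def domain_of(dn: str) -> Tuple[str, ...]:
    """Return only the dc= components of a DN, e.g. ('cguser', 'company', 'com')."""
    return tuple(value for attr, value in parse_dn(dn) if attr == "dc")


def split_attribute(attribute: str) -> Tuple[str, str]:
    """Split 'memberOf=<group DN>' into the attribute name and the group DN."""
    name, _, group_dn = attribute.partition("=")
    if not group_dn:
        raise ValueError("remote-role attribute must look like memberOf=<group DN>")
    return name.strip(), group_dn.strip()


def check_remote_role(cfg: Dict, resolver: Resolver = socket.gethostbyname) -> List[str]:
    """Return human-readable findings; an empty list means nothing looked off."""
    findings: List[str] = []
    name, group_dn = split_attribute(cfg["attribute"])
    if name.lower() != "memberof":
        findings.append(f"attribute {name!r} is not memberOf; group mapping will not match")

    # 1. Users are searched under the search base. If the group lives in a
    #    different domain than the search base, users in the group's domain
    #    are never found and the default role (guest) is applied.
    if domain_of(group_dn) != domain_of(cfg["search_base"]):
        findings.append(
            f"group DN domain {'.'.join(domain_of(group_dn))} differs from "
            f"search base domain {'.'.join(domain_of(cfg['search_base']))}"
        )

    # 2. The bind DN must be an account that can authenticate to the
    #    directory. A group entry has no password, so binding as it fails.
    if parse_dn(cfg["bind_dn"]) == parse_dn(group_dn):
        findings.append("bind dn is the group object itself, not a bind account")

    # 3. Every servers entry must resolve from the box doing the lookup
    #    (the reply above describes this failing intermittently).
    for server in cfg["servers"]:
        try:
            resolver(server)
        except OSError as exc:
            findings.append(f"server {server!r} does not resolve: {exc}")
    return findings


if __name__ == "__main__":
    for finding in check_remote_role(SAMPLE) or ["no findings"]:
        print(finding)
```

Run it on the box that will do the lookups so the resolver check reflects that host's DNS; pass your own resolver to test a candidate servers entry without network access.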