Forum Discussion

Sadorect_151355
Aug 28, 2015

INTEGRATING LDAP AUTHENTICATION ON APM

Hi,

I am implementing Network Access and SSL VPN on APM and want to use LDAP authentication. I am having trouble determining the missing link in the sAMAccountName lookup using this string:

sAMAccountName=%{session.logon.last.username}

I have earlier implemented this in a vlab setup with successful login; however, in a live environment, I got a login error when I tried to log in. I substituted the sAMAccountName with uid=%{session.logon.last.username} (as in my vlab setup also) and tried to log on with a valid domain account (which failed), whereas the same procedure worked perfectly in the vlab setup. Please, what am I getting wrong, the sAMAccountName or some other settings?

Thank you.

2 Replies

  • Hi,

    Can you try the following command from F5 command line to show if LDAP information is correct?:

    ldapsearch -xLLL -H 'ldap://LDAP_Server_IP' -b "LDAP_Search_root" -s sub -D "Admin_DN" -w 'Admin_PW' "(sAMAccountName=User_ID)"

    Replace LDAP_Server_IP, LDAP_Search_root, Admin_DN, Admin_PW and User_ID with the right information.

    Admin_DN can be either the userPrincipalName or the full DN.

    If authentication succeeds and the user attributes were retrieved, execute the same command to try to authenticate the user (replace Admin_DN and Admin_PW by the user DN and user password).

    If the first authentication fails, you may be using wrong LDAP bindings.

  • Hi,

    The LDAP_Search_root is the LDAP Base DN (dc=company,dc=local).

    The goal is to check:


    • There is no connectivity issue (route, firewall)
    • Admin credentials are OK
    • Base DN is OK
    • (sAMAccountName=User_ID) condition is the same as sAMAccountName=%{session.logon.last.username} in VPE.

    If it is not OK, it will help you find out how to solve the issue.
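The two-step check described in the replies (admin bind and search, then a bind as the user that was found), wrapped in one script as an added example; this is not code from the thread, from F5 or from the APM product. It assumes a reasonably recent OpenLDAP ldapsearch on the path (for -o ldif-wrap=no); the host, base DN, credentials and user names are placeholders you supply. It also escapes the logon name before it is substituted into the (sAMAccountName=...) filter, which is what keeps the command-line test equivalent to the VPE's filter even when the name contains filter metacharacters.

```shell
#!/bin/sh
# Added example, not from the thread or from F5: wraps the two ldapsearch
# checks suggested in the replies in one script. Assumes OpenLDAP's
# ldapsearch is on the path; host, base DN and credentials are placeholders.

# Escape a value for use inside an LDAP search filter (RFC 4515), so a
# logon name containing ( ) * or \ cannot change the filter's meaning.
# Backslash is handled first so the escapes it produces are not re-escaped.
ldap_filter_escape() {
  printf '%s' "$1" | sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' \
                         -e 's/(/\\28/g'  -e 's/)/\\29/g'
}

# Build the same filter the VPE uses, with the username escaped.
user_filter() {
  printf '(sAMAccountName=%s)' "$(ldap_filter_escape "$1")"
}

# Step 1: bind with the admin credentials and search for the user below
# the base DN. Prints the user's DN; returns ldapsearch's exit status so a
# failed bind, bad base DN or unreachable server is distinguishable from
# "user not found" (empty output, status 0).
# Args: host base_dn admin_dn admin_pw username
find_user_dn() {
  out=$(ldapsearch -xLLL -o ldif-wrap=no -H "ldap://$1" -b "$2" -s sub \
          -D "$3" -w "$4" "$(user_filter "$5")" dn) || return $?
  # DNs with non-ASCII characters come back base64-encoded as "dn:: ..."
  # and are not decoded here.
  printf '%s\n' "$out" | sed -n 's/^dn: //p'
}

# Step 2: bind as the user found in step 1 and read its own entry.
# Exit status is the LDAP result code: 0 = password accepted,
# 49 = invalidCredentials (AD puts the detailed reason, e.g. account
# disabled or locked, in the diagnostic message).
# Args: host user_dn user_pw
bind_as_user() {
  ldapsearch -x -H "ldap://$1" -D "$2" -w "$3" \
      -b "$2" -s base '(objectClass=*)' dn >/dev/null
}

# Run both steps and report which one fails.
# Args: host base_dn admin_dn admin_pw username user_pw
apm_ldap_check() {
  dn=$(find_user_dn "$1" "$2" "$3" "$4" "$5") || {
    rc=$?
    echo "step 1 failed (rc=$rc): check route/firewall, admin DN and password, base DN" >&2
    return 1
  }
  [ -n "$dn" ] || {
    echo "step 1: admin bind OK but $(user_filter "$5") matched nothing under $2" >&2
    return 2
  }
  echo "step 1 OK: $dn"
  if bind_as_user "$1" "$dn" "$6"; then
    echo "step 2 OK: user bind accepted"
  else
    rc=$?
    echo "step 2 failed (rc=$rc): the user's password or account state is rejected" >&2
    return 3
  fi
}

# Usage (placeholder values):
#   sh apm-ldap-check.sh check dc01.example.local "dc=example,dc=local" \
#      "svc-apm@example.local" 'AdminPw' jdoe 'UserPw'
case "${1:-}" in
  check) shift; apm_ldap_check "$@" ;;
esac
```

Two caveats when using it: a password given with -w is visible in the process list and shell history, so on a shared box prefer -W (prompt) or -y with a password file; and the filter is only equivalent to the VPE's if the user types the bare logon name, since sAMAccountName never contains a DOMAIN\ prefix or an @domain suffix. For a directory that requires TLS, use ldaps:// in place of ldap:// or add -ZZ for STARTTLS.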