cdjac0bsen
Sep 12, 2019

Big-IQ LDAP User Bind Template

We can't get the Big-IQ to authenticate like our Big-IPs and need help.

Our Big-IPs use the user bind template of %s@exx.wxx.bxx.corp and we log in using our user id, not our full name.

On the Big-IQ, if I use my full name in the Bind User DN, like CN=John Doe,OU=xxx,DC=xxx,DC=xxx,DC=xxx,DC=corp, and my password, LDAP authentication works. If I try to use my user ID, like CN=jdoe,OU=xxx,DC=xxx,DC=xxx,DC=xxx,DC=corp, it doesn't work.

If I try to use the User Bind Template in Big-IQ instead, like CN={username},OU=xxx,DC=xxx,DC=xxx,DC=xxx,DC=corp, it fails. I assume that because I log in with my user ID, not my name, that is what is being passed as my user DN. The search filter is set to (&(sAMAccountName={username})).

I don't understand why a template works on the Big-IP, but not Big-IQ. How does the user ID get translated to the full name so bind authentication works on the Big-IP? Is there a template syntax that will make that substitution?

2 Replies

  • After digging some more, I found the info below. I confirmed with our AD team that the user ID is the separate sAMAccountName and can't be used with DN format, so the only way we can use our username is with a UPN formatted template. According to the info below, support for UPN is supposed to be in 6.0, but we installed 6.1 and the UPN format is not supported in the GUI, so I don't know what the deal is. I have that question in to F5 and am awaiting a response.


    680899 : Support for UPN binding in Active Directory authentication providers

    Component: REST Framework and TMOS Platform

    Symptoms:

    BIG-IQ 5.4 and earlier does not allow binding to Active Directory using the UPN (e.g., username@example.com), but only using the DN (cn=username,dc=example,dc=com).

    Conditions:

    Authentication.

    Impact:

    This is unwieldy and rather uncommon in an environment using an Active Directory domain controller. Moreover, we mandated using a dedicated bind account for both LDAP and AD authentication providers, which is not allowed in certain organizations.

    Workaround:

    Use a DN to bind to Active Directory

    Fix:

    BIG-IQ version 6.0.0 now includes support for binding to external Active Directory auth providers using a User Bind Template either in the User Principal Name (UPN) format, e.g., {username}@domainname.example.com, or in the Down-Level Logon Name format, e.g., domainname\{username}.

    We also no longer require specifying a bind user to authenticate a user against an external LDAP or Active Directory authentication provider.

  • I had the same problem and my coworker figured it out. If you want to use sAMAccountName to log in to BIG-IQ, specify the bind user as just the sAMAccountName.
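The thread turns on which identity string reaches the domain controller at bind time. The following added example (not from the original thread, and not F5 code) simulates an Active Directory simple bind that accepts the forms discussed above, so the difference between a CN-based template, a UPN or down-level template, and a search-then-bind flow can be seen side by side. The domain name is the obfuscated one from the question; the OU names, NetBIOS name, service account and passwords are constructed assumptions, and the directory is an in-memory stand-in rather than a real LDAP server.

```python
# Added example (not from the original thread or from F5): a simulated Active
# Directory that accepts the bind identity forms discussed above, used to show
# why "CN={username}" fails for a sAMAccountName login while UPN, DOMAIN\user
# and search-then-bind succeed. Domain, OU and account values are constructed.
import re
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Entry:
    """One constructed directory object; CN is the display name, not the login id."""
    dn: str
    cn: str
    sam_account_name: str
    user_principal_name: str
    password: str


DOMAIN_DNS = "exx.wxx.bxx.corp"  # obfuscated domain as written in the question
DOMAIN_NETBIOS = "EXX"            # assumed NetBIOS name; not given in the thread
SERVICE_DN = "CN=svc-bigiq,OU=Service,DC=exx,DC=wxx,DC=bxx,DC=corp"  # assumed

DIRECTORY = [
    Entry("CN=John Doe,OU=Users,DC=exx,DC=wxx,DC=bxx,DC=corp", "John Doe",
          "jdoe", f"jdoe@{DOMAIN_DNS}", "user-example-pw"),
    Entry(SERVICE_DN, "svc-bigiq", "svc-bigiq",
          f"svc-bigiq@{DOMAIN_DNS}", "service-example-pw"),
]

# LDAP attribute name -> Entry field, for the search filter used in the thread
ATTRS = {"samaccountname": "sam_account_name",
         "userprincipalname": "user_principal_name", "cn": "cn"}


def render_template(template: str, username: str) -> str:
    """Expand both template syntaxes seen in the thread: %s (BIG-IP) and {username} (BIG-IQ)."""
    return template.replace("{username}", username).replace("%s", username)


def _norm_dn(dn: str) -> str:
    return re.sub(r"\s*,\s*", ",", dn.strip()).lower()


def _find(field: str, value: str) -> Optional[Entry]:
    return next((e for e in DIRECTORY
                 if getattr(e, field).lower() == value.lower()), None)


def resolve_identity(identity: str) -> Optional[Entry]:
    """Map a simple-bind name to an entry the way an AD DC does: DN, UPN,
    DOMAIN\\user, or a bare sAMAccountName (the form the second reply uses)."""
    if "\\" in identity:
        netbios, sam = identity.split("\\", 1)
        if netbios.upper() != DOMAIN_NETBIOS:
            return None
        return _find("sam_account_name", sam)
    if "@" in identity:
        return _find("user_principal_name", identity)
    if "=" in identity:
        return next((e for e in DIRECTORY if _norm_dn(e.dn) == _norm_dn(identity)), None)
    return _find("sam_account_name", identity)


def simple_bind(identity: str, password: str) -> bool:
    """Simulated LDAP simple bind: identity must resolve and the password must match."""
    entry = resolve_identity(identity)
    return entry is not None and entry.password == password


def template_bind(template: str, username: str, password: str) -> bool:
    """BIG-IQ/BIG-IP style: fill the User Bind Template, then bind as that identity."""
    return simple_bind(render_template(template, username), password)


def search_then_bind(search_filter: str, username: str, password: str,
                     service_dn: str, service_password: str) -> bool:
    """Search-then-bind: bind as a service account, locate the user's DN via the
    filter (e.g. (&(sAMAccountName={username}))), then bind as that DN."""
    if not simple_bind(service_dn, service_password):
        return False
    m = re.search(r"\((\w+)=\{username\}\)", search_filter)
    if m is None or m.group(1).lower() not in ATTRS:
        return False
    entry = _find(ATTRS[m.group(1).lower()], username)
    return entry is not None and simple_bind(entry.dn, password)


if __name__ == "__main__":
    pw, dn_tpl = "user-example-pw", "CN={username},OU=Users,DC=exx,DC=wxx,DC=bxx,DC=corp"
    print("DN template, sAMAccountName:", template_bind(dn_tpl, "jdoe", pw))
    print("DN template, display name  :", template_bind(dn_tpl, "John Doe", pw))
    print("UPN template               :", template_bind("{username}@" + DOMAIN_DNS, "jdoe", pw))
    print("Down-level template        :", template_bind("EXX\\{username}", "jdoe", pw))
    print("search-then-bind           :", search_then_bind(
        "(&(sAMAccountName={username}))", "jdoe", pw, SERVICE_DN, "service-example-pw"))
```

The CN-based template only works when the typed login equals the object's CN (the display name), which is exactly the symptom in the question. A UPN or down-level template never needs the DN at all, and a search-then-bind flow with a service account is the other way a login id gets translated to a full DN: the search filter on sAMAccountName returns the entry, and the bind uses its DN. Which of these a given BIG-IP or BIG-IQ release performs is a product detail that the thread itself does not settle.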