binding issues - ldap monitor
I have set up an LDAP monitor for a pool using TCP 636. No matter what I do, it doesn't work. I set up the following:
- user name: cn=username,ou=xxx,dc=yyy
- set the password
- Base: ou=xxx,dc=yyy
- filter: filtername=username
I have tried setting it with all ports and with port 636 and even the standard LDAP port (389). Also tried without the base, and also with no base and no filter. No matter what I try, the debug log keeps showing:

Bind failed with username(-1): Can't contact LDAP server

What am I missing? This isn't an Active Directory LDAP - so maybe this is the issue? Any ideas would be very much appreciated. Thanks, Vered

Trying to LDAP query an AD LDS field
I currently have an access policy where I need to LDAP query a custom field on an AD LDS server. I get the following error when I try:

LDAP Module: Failed to bind with 'CN=testuser,OU=Service Accounts,OU=Groups,OU=Acounts,DC=domain,DC=com'. Internal (implementation specific) error.

I first authenticate users with AD auth to a different set of AD servers. The AD LDS server only has user info and a few custom fields. I want to run an ldapsearch from the F5 but I don't really know the syntax. I do have the following info:
- user account is testuser
- user account password is testpassword
- AD LDS Instance = DC=F5userAttribute,DC=domain,DC=com
- AD LDS server IP is 10.18.24.210
- the field I need to pull data from is "customSecretKey"
Just wondering what the syntax of the ldapsearch command will be.

BIG-IQ - Replacing bigip.conf file from old UCS
When I originally set up an initial BIG-IQ on some 7000 hardware chassis, it took me a long time to finally get the LDAP settings correct. We've since removed those chassis and I'm working in a VE for BIG-IQ. I'm following the steps here to extract specific files from a UCS. I'd like to restore the User Management > Auth Providers entirely, but

cp /var/tmp/old/config/bigip/auth/* /config/bigip/auth/

doesn't appear to be working. Is there a better way to do this? Restoring from UCS but editing the management IP address? I'm open to ideas.

When using APM with an LDAP AAA server, are results cached?
I'm making extensive use of this sort of test:

[mcget {session.ldap.last.attr.memberOf}] contains "My_Groupname"

I was previously using Active Directory authentication and queries rather than LDAP, but changing to LDAP has cut down the login wait from up to 15 seconds down to several seconds. I'm almost certain that the APM is caching the membership results, however, because I make changes on the domain controller and the changes are not reflected on the BigIP - it seems to be using stale results. Any suggestions on the expected behavior, and how to change it? I know I can mix and match AD and LDAP authentication and queries if necessary, and AD was also caching but didn't seem to be as long when I set it to 0 days, and I could manually clear that cache for testing purposes.

LDAP monitor behaviour
Hi, just wanted to check my understanding of how an LDAP monitor behaves. Forgive the long background 😉

We had an incident where users couldn't authenticate because an AD Query in our access policy was failing:

AD agent: Query: query with '(|(sAMAccountName=bloggsjoe))' failed

Our current monitor still had the domain controller as up, so all users attempting to authenticate from that point failed. We forced the domain controller offline so it would send to the next in the pool (priority group), and users were able to authenticate.

I am looking to configure an LDAP monitor to attach to the pool of controllers used to authenticate users. It is configured to do an LDAP search looking for a particular account. I have mandatory attributes set to true, so if the search fails it should mark the member down.

ltm monitor ldap /Common/ldap_dc_monitor {
    base "OU=Service Accounts,DC=prod,DC=local"
    chase-referrals yes
    debug no
    defaults-from /Common/ldap
    description "LDAP monitor for domain controllers used for auth"
    destination *:389
    filter sAMAccountName=f5_apm
    interval 10
    mandatory-attributes yes
    password ***********
    security tls
    time-until-up 0
    timeout 31
    username f5_apm@prod.local
}

I'm hoping this monitor will mimic the AD query, so if we have an occurrence where the primary domain controller has an issue with the search, it will be marked down and the next in the priority group will take over. If I change the filter to something I know will fail, I can see the pool members get marked down. However, what I wasn't expecting was that it takes the full timeout before it gets marked down. I turned on debug and tailed the monitor's log file for the primary controller. I could see the response from the controller come back straight away, but it still waits the full timeout before bringing the member down:

no attributes were received for filter 'SAMAccountName=blah'

Is that expected behaviour? I was expecting the member to be marked down as soon as the above response was received. Cheers, Simon

LDAP monitor with error: fork() failed: Cannot allocate memory
Hi Experts, we have an LDAP VIP/pool which has a custom LDAP health check monitor associated with it. But the health check monitor has marked the pool member as down with the error: fork() failed: Cannot allocate memory. If we change the monitor to the default tcp, the pool will be up. Also, we have F5 in a cluster, so this issue is there only on the active F5; on the standby F5 the pool is up with the same LDAP custom monitor.

Dec 6 17:33:11 f5-lan-primary notice mcpd[6358]: 01070638:5: Pool /Common/pool_ldap_prd member /Common/192.168.1.11:636 monitor status down. [ /Common/m_ldap_prd: down; last error: /Common/m_ldaps_prd: fork() failed: Cannot allocate memory @2022/12/06 13:49:09. ] [ was up for 0hr:1min:1sec ]
Dec 6 17:33:11 f5-lan-primary notice mcpd[6358]: 01070638:5: Pool /Common/pool_ldap_prd member /Common/192.168.1.12:636 monitor status down. [ /Common/m_ldap_prd: down; last error: /Common/m_ldaps_prd: fork() failed: Cannot allocate memory @2022/12/06 15:57:29. ] [ was up for 0hr:1min:1sec ]

Can you please check and advise, if you are familiar with this error message? Please note there is no issue with the memory on the F5. Looks normal.

Why do we use username and password in Healthcheck Monitor?
Hi Team, we have an LDAP VIP, and we could see that the healthcheck monitor which is applied to the pool has username/password enabled and used. Why do we need to authenticate first before checking the services on the server? When do we really need to enable the username/password option in monitoring?

iRules LX for APM password reset
We are attempting to use APM as a Self-Service Password Reset solution. I can modify Active Directory attributes thanks to this article https://devcentral.f5.com/s/articles/apm-cookbook-modify-ldap-attribute-values-using-iruleslx-21850 , however, has anyone used iRules LX to reset a password? I'll validate the user first with other methods but want to reset a forgotten password rather than use the APM built-in Kerberos API reset, which needs the current password to update to a new one. Thanks

Help troubleshooting AD Auth on F5 LB
Hi All. We're trying to configure AD auth and running into major issues. The strange thing is that telnet succeeds, I've reset and confirmed the bind user's password, and have reset and confirmed the test AD user password. Any help will be much appreciated!

Successful connection on 389 and 3269 -

[admin@lb1:Standby:Changes Pending] log # telnet <AD IP> 3269
Trying <AD IP>...
Connected to <AD IP>.
Escape character is '^]'.
[admin@lb1:Standby:Changes Pending] log # telnet <AD IP> 389
Trying <AD IP>...
Connected to <AD IP>.
Escape character is '^]'.

In /var/log/secure, I see -

Apr 21 19:43:37 lb1 warning httpd[8867]: [warn] [client <IP>] AUTHCACHE Error processing cookie DE71A3EB7E09C285EE804A880D473DA378684CCB - Cookie user mismatch, referer: https://<F5 IP>/tmui/login.jsp?msgcode=1&
Apr 21 19:43:37 lb1 warning httpd[8867]: [warn] [client <IP>] AUTHCACHE Error processing cookie F69E5702BC54A5517DD6CF34EFB66C09E2939501 - Cookie user mismatch, referer: https://<F5 IP>/tmui/login.jsp?msgcode=1&
Apr 21 19:43:37 lb1 warning httpd[8867]: [warn] [client <IP>] AUTHCACHE Error processing cookie ED2B8DAF7E221E2572F7094214AAB91947FE048D - Cookie user mismatch, referer: https://<F5 IP>/tmui/login.jsp?msgcode=1&
Apr 21 19:43:37 lb1 err httpd[8867]: pam_ldap: ldap_simple_bind Can't contact LDAP server
Apr 21 19:43:37 lb1 err httpd[8867]: pam_ldap: reconnecting to LDAP server...
Apr 21 19:43:37 lb1 err httpd[8867]: pam_ldap: ldap_simple_bind Can't contact LDAP server
Apr 21 19:43:37 lb1 warning httpd[8867]: pam_unix(httpd:auth): check pass; user unknown
Apr 21 19:43:37 lb1 notice httpd[8867]: pam_unix(httpd:auth): authentication failure; logname= uid=48 euid=48 tty= ruser= rhost=<IP>
Apr 21 19:43:38 lb1 err httpd[8867]: [error] [client <IP>] AUTHCACHE PAM: user 'devf5test' (fallback: false) - not authenticated: Authentication failure, referer: https://<F5 IP>/tmui/login.jsp?msgcode=1&
Apr 21 19:43:38 lb1 info httpd(pam_audit)[8867]: User=devf5test tty=(unknown) host=<IP> failed to login after 1 attempts (start="Wed Apr 21 19:43:37 2021" end="Wed Apr 21 19:43:38 2021").
Apr 21 19:43:38 lb1 info httpd(pam_audit)[8867]: 01070417:6: AUDIT - user devf5test - RAW: httpd(pam_audit): User=devf5test tty=(unknown) host=<IP> failed to login after 1 attempts (start="Wed Apr 21 19:43:37 2021" end="Wed Apr 21 19:43:38 2021").