opers13_3280
Oct 17, 2009 | Nimbostratus
LDAP configuration
I'm in the process of configuring LDAP on the F5.
Do I have to create an account in AD for the F5 so it can search LDAP?
thanks
For admin auth, I've tested this config successfully on 9.4.8:
Auth method: Remote Active Directory Auth
Host: 1.1.1.1
Port: 389
Remote Dir Tree: OU=Admin User Accounts, OU=UserAccounts, DC=my_subdomain, DC=my_domain, DC=my_tld
Scope: sub
Bind account: readonly_account@my_subdomain.my_domain.my_tld (not sure this is required if you can use the "User Template" configuration for authentication)
User Template: %s@my_subdomain.my_domain.my_tld
SSL: Disabled
Aaron
I'm trying to configure LDAP for client authentication against AD.
Do I need to configure a service account in AD for the F5?
BIG-IP 9.4.6 Build 401.0 Final
Thanks
Mar 6 13:12:56 F5device httpd[25036]: pam_ldap: error trying to bind (Invalid credentials)
Mar 6 13:12:56 F5device httpd(pam_unix)[25036]: authentication failure; logname= uid=48 euid=48 tty= ruser= rhost=10.20.66.59 user=XXXX
Mar 6 13:12:59 F5device httpd[25036]: [error] [client 10.20.66.59] AUTHCACHE PAM: user 'XXXX' - not authenticated: Authentication failure, referer: https://F5device.com/
I am using the version below:
:Active] config b version
Kernel:
Linux 2.4.21-9.3.1.37.0smp
Package:
BIG-IP Version 9.3.1 66.0
Hotfix HF5 Edition
My LDAP config (/etc/ldap.conf) looks like this:
host 161.228.215.112
base OU=Service,OU=PBUsers,DC=subdomain1,DC=domain,DC=global,DC=pvt
ldap_version 3
binddn binduser@subdomain1.domain.global.pvt
bindpw passowrd
port 389
scope sub
timelimit 30
bind_timelimit 30
idle_timelimit 3600
pam_login_attribute uid
pam_check_host_attr no
usertemplate uid=%s,OU=PBUsers,DC=usdby1-pbiadp01,DC=pbi,DC=global,DC=pvt
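The "Invalid credentials" bind failure above is the kind of thing a configuration sanity check catches before anyone touches the device. The following is an added example, not code from the thread or from F5: it parses a pam_ldap-style ldap.conf and flags the mismatches visible in that post (user template DCs that name a different domain than the search base, a uid= RDN against AD, a uid login attribute, and plain-text binds). The sample config is constructed from the post's redacted values with the password replaced.

```python
"""Sanity checks for a pam_ldap-style /etc/ldap.conf used for F5 admin auth against
AD. Added example, not F5 code; the sample is constructed from the thread's values."""
import re

SAMPLE_LDAP_CONF = """\
base OU=Service,OU=PBUsers,DC=subdomain1,DC=domain,DC=global,DC=pvt
binddn binduser@subdomain1.domain.global.pvt
bindpw REDACTED
pam_login_attribute uid
usertemplate uid=%s,OU=PBUsers,DC=usdby1-pbiadp01,DC=pbi,DC=global,DC=pvt
"""

def parse_ldap_conf(text):
    """Parse 'key value' lines into a dict; blank lines and # comments are skipped."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            key, _, value = line.partition(" ")
            conf[key.lower()] = value.strip()
    return conf

def domain_of_dn(dn):
    """Join the DC= components of a DN into a lower-case DNS-style domain name."""
    return ".".join(m.group(1).lower()
                    for m in re.finditer(r"(?:^|,)\s*dc=([^,]+)", dn, re.I))

def check_ad_config(conf):
    """Return findings that commonly explain 'pam_ldap: error trying to bind'."""
    findings = []
    base_dom = domain_of_dn(conf.get("base", ""))
    tmpl = conf.get("usertemplate", "")
    if "%s" not in tmpl:
        findings.append("template: usertemplate has no %s placeholder")
    elif "=" in tmpl and domain_of_dn(tmpl) != base_dom:
        # the thread's config: the template's DCs name a different domain than the base
        findings.append("template: DC components differ from base (%s vs %s)"
                        % (domain_of_dn(tmpl), base_dom))
    if tmpl.lower().startswith("uid="):
        findings.append("template: AD user RDNs are CN=, not uid=; %s@domain (UPN) is simpler")
    if conf.get("pam_login_attribute", "").lower() == "uid":
        findings.append("loginattr: uid is usually unset in AD; sAMAccountName is the logon name")
    binddn = conf.get("binddn", "")
    if "@" in binddn and binddn.rsplit("@", 1)[1].lower() != base_dom:
        findings.append("binddn: service account UPN domain differs from the search base")
    if conf.get("ssl", "no").lower() in ("no", "off"):
        findings.append("transport: no ssl/start_tls, bind passwords cross the wire in cleartext")
    return findings
```

Run `check_ad_config(parse_ldap_conf(open("/etc/ldap.conf").read()))` against a real file; an empty list means none of these four common mismatches is present.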
Opers13, yes. You do need an ID that has privileges to query your AD structure and verify users.
Here is a sample of the sections in our bigip.conf file that show remote roles for specific groups for admin and operators. Our generic login lets anyone come in as a guest. This allows us to specify remote groups with enhanced privileges.
remoterole {
   role info {
      ltm_admins {
         attribute "memberOf=CN=ltm_admins,CN=Groups,DC=ad,DC=redmond,DC=microsoft"
         line order 1000
         role "administrator"
         user partition "all"
      }
      ltm_operators {
         attribute "memberOf=CN=ltm_operators,CN=Groups,DC=ad,DC=redmond,DC=microsoft"
         line order 1010
         role "operator"
         user partition "all"
      }
   }
}
auth ldap system-auth {
   search base dn "dc=ad,dc=redmond,dc=microsoft"
   bind dn "cn=adsearch,cn=users,dc=ad,dc=redmond,dc=microsoft"
   bind pw "ourawesomesecretpassword"
   login attr "uid"
   user template "%s@ad.redmond.microsoft"
   servers "192.168.1.2"
}
I'm not a Microsoft employee; the above information is just an example.
Jason