Forum Discussion

Jason_46956's avatar
Jason_46956
Icon for Nimbostratus rankNimbostratus
Feb 17, 2011

LDAP Password Expiry and CHanges through APM

All,

 

 

We are migrating a whole suite of applications from Aventail appliances to some new F5 appliances. To replace the Aventail authentication functionality we are using the APM module to present users with Login pages.

 

 

Running into a couple of issues that hoping someone might be able to help out with.

 

 

1 - When using APM all the URL's get re-written to include a prefix like /f5-w-687474703a2f2f6c6173756e3133382e646e722e716c642e676f762e61753a39303830$$

 

Is there any way to change this to something more user friendly? It does not look like it, but might as well ask.

 

 

2 - We are using Sun Directory Server 6.3 (I think that is the right version). When a users password has expired APM simply denies their access. The Policy Editor seems to include field elements for setting a new password, but they never appear to be used. I suspect they would work with Active Directory - but can they be made to work with the Sun directory as well?

 

 

Thanks for any help.

 

Jason

 

APM
app sec
security

8 Replies

Sort By
  • Jason_46956's avatar
    Jason_46956
    Icon for Nimbostratus rankNimbostratus
    Feb 23, 2011
    All,

     

     

    Guess I am asking questions that are either too easy or too hard to answer?

     

     

    Is there anywhere else we can try and get answers to these sorts of questions? Previous enquiries to Support have come back 'these are not support type questions'.

     

     

    The documentation does not appear to be explicit enough on these case either - or if it is I can't find it.

     

     

    Jason

     

  • Blake_79204's avatar
    Blake_79204
    Icon for Nimbostratus rankNimbostratus
    Apr 02, 2012
    Would love to know if you were able to come up with anything for this - we're converting to F5 and are using Tivoli Directory Server to manage some LDAP, and when a users password has expired (or is brand new and needs to have a pw change forced, for example) I'd like to have F5 handle this, but I'm seeing the same issues you described here over a year ago.

     

     

    Did you have any luck?
  • DenisG_22372's avatar
    DenisG_22372
    Historic F5 Account
    Apr 18, 2012
    I also would like to use LDAP for user authentication and password management, but at this time I have not been able to get it to work for password management either. I am currently using Active Directory, but I cant get that to work to use anything but 389 to a single server. I would like to have that use 636 to a Virtual server that has many servers that I specify, but that is not working either. I have a case open for that issue. I will do some additional testing on APM and LDAP to see if I can catch the password expired lines.

     

     

    More to come hopefully.

     

     

    Denis
  • umiotoko_95283's avatar
    umiotoko_95283
    Icon for Nimbostratus rankNimbostratus
    Jan 31, 2014

    There is a F5 article on how to do this, but I had trouble finding it the first time (and now). Here's an external link on how to do it. http://f5admin.blogspot.com/2012/11/load-balancing-microsoft-active.html

     

    Create a local VIP for your favorite LDAP port, put a pool behind it, put your LDAP servers in the pool. You'll need an LDAP monitor, this is the only tricky part. Using an LDAP debug tool (ldp.exe, or newer) you will have to create a LDAP search string to put in the monitor.

     

    You will need credentials in the LDAP monitor, this calls for a dedicated service account where the credentials don't expire.

     

    Some hints - we've had intermittent issues when we bind the LDAP VIP to a local network IP (say on the management or LAN segment. Suggest creating a loopback (private) segment by putting a network cable on two physical ports, then binding a non-routable segment to this loopback. Then put your VIP on this segment, now it can only be used by the F5.

     

    Limit the LDAP search scope as tight as possible. If your LDAP search scope is from the top down of AD, you could have slow authentication performance while it trolls through sub-OU's looking for your user accounts. Limit the scope of the returned search data, you can minimize your return from 10kbytes to 2 or 3.

     

    • JoshBecigneul's avatar
      JoshBecigneul
      Icon for MVP rankMVP
      Feb 06, 2014
      I do not believe you need to attach a cable to create a non-routable network segment. I would imagine the only time you may need to use a cable is in an active-active scenario, where either unit may need access to the virtual services in that range. If you are only running active-standby, then I believe you could forgo assigning an interface to the VLAN entirely.
  • Marco_Castro_11's avatar
    Marco_Castro_11
    Icon for Nimbostratus rankNimbostratus
    Feb 03, 2014

    Hi Umiotoko,

     

    I'm trying to manage to solve the problem of LDAP users with password expired...

     

  • Ferg_104721's avatar
    Ferg_104721
    Icon for Nimbostratus rankNimbostratus
    Feb 03, 2014

    Hi

     

    I have asked this question from F5 support and Consultants and the basic response has been, LDAP expire and reset is a no go. There is a way to make it work but its a pain to implement and they dont support it. If you have any other way to use non LDAP auth then take it. I toyed with checked the LDAP varible tfor expireaty rto notify the user there password will exopire a week previously but wasnt worth the effort.

     

    The APM portal access encryption is a hashed string that doesnt change, I have previously asked F5 and there is no way to amend it. Also becareful becuase certain application that dont see the correct URI will break once you use portal access.