Forum Discussion

Ossar_178453
Feb 12, 2015

AD/LDAP authentication/authorization w/ "Remote Role Groups"

Hello,

I have been experimenting with AD/LDAP auth and have got it working to some extent. However, I am not successful in making the Remote Role Groups work.

It is just like they are not considered at all. The only way of specifying access is through the "External users" settings on the System->Users->Authentication page. If I set the default role to Guest, all users are logged in as guest, etc. I need to separate guests from administrators, and I understand that should be done with "Remote Role Groups".

If I set the "External users" to "No access" I cannot log in at all, despite the "Remote Role Group" setting.

My configuration:

 tmsh show running-config /auth ldap system-auth
auth ldap system-auth {
    bind-pw $M$2E$/KZpHL0Oe8xucW3Pgj6D1Q==
    check-roles-group enabled
    login-attribute samaccountname
    search-base-dn OU=Users,OU=Country,OU=Company,DC=top,DC=domain
    servers { 10.10.10.10 }
    user-template %s@top.domain
}

 tmsh show running-config /auth remote-role
auth remote-role {
    role-info {
        john.doe {
            attribute memberOF=CN=john.doe,OU=Users,OU=Country,OU=Company,DC=top,DC=domain
            line-order 1
            role administrator
            user-partition All
        }
    }
}

5 Replies

  • The trick is to add a group with the same exact name as your Active Directory group under Remote Role Groups; when adding the attribute string, be sure to use memberOf= so it will search that group for users to authenticate. Under the authentication tab in the remote directory tree, add the base DN for your AD and be sure to set Role to No Access under External Users. This will allow access to only the users who are in the group you specified. This link also provides some good information: https://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/tmos-implementations-11-1-0/16.html


    •
      Abdessamad_851
      Hello, do you know how to get it working when nested groups are used? I managed to make it work when the user is directly attached to a group, but it doesn't work when we should check a sub group (nested). Thanks.
  • I managed to solve it by understanding better how LDAP works and some ldapsearch magic.


    The trick was to have a proper memberOF parameter, i.e. John Doe was not memberOF himself, which made it not work.


    •
      Brad_Parker
      You can mark your answer as answered so other community members can see that it is indeed answered.
  • Could you elaborate a bit on your fix? When a user is logging in, they are given the role that is applied to External Users as opposed to the role given for the Role Group.
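An added example, not code from the thread or from F5: a small offline Python model of the matching the answers above describe. It shows why the original role-info line (the user's own DN after memberOF=) never matches, so every login falls through to the External Users role, while a line carrying a group DN the user is actually a member of does match. The user entries, group names and the simplified first-match model are assumptions.

```python
# Constructed AD entries standing in for what ldapsearch returns. memberOf
# lists the DNs of the groups a user belongs to, never the user's own DN.
LDAP_ENTRIES = {
    "john.doe": ["CN=BIGIP-Admins,OU=Groups,OU=Company,DC=top,DC=domain"],
    "jane.roe": ["CN=BIGIP-Guests,OU=Groups,OU=Company,DC=top,DC=domain"],
    "bob.smith": [],  # in no BIG-IP group at all
}

# The thread's original role-info line: the user's own DN as the memberOF value.
BROKEN_ROLE_INFO = [
    {"attribute": "memberOF=CN=john.doe,OU=Users,OU=Country,OU=Company,DC=top,DC=domain",
     "line_order": 1, "role": "administrator"},
]

# Corrected role-info: the DN of the AD group whose members should get each role
# (group names are constructed). Lower line-order wins when several lines match.
FIXED_ROLE_INFO = [
    {"attribute": "memberOF=CN=BIGIP-Admins,OU=Groups,OU=Company,DC=top,DC=domain",
     "line_order": 1, "role": "administrator"},
    {"attribute": "memberOF=CN=BIGIP-Guests,OU=Groups,OU=Company,DC=top,DC=domain",
     "line_order": 2, "role": "guest"},
]

def parse_attribute(attribute):
    """Split a role-info attribute string such as 'memberOF=CN=...' into
    (ldap attribute name, expected DN). Only the first '=' separates the two;
    the DN itself contains further '=' characters."""
    name, sep, value = attribute.partition("=")
    if not sep or not value:
        raise ValueError("attribute must look like name=value: %r" % attribute)
    return name.strip().lower(), value.strip()

def resolve_role(username, role_info, default_role="no-access"):
    """Simplified model of remote-role matching (an assumption, not BIG-IP
    code): walk lines in line-order and return the role of the first line
    whose DN appears in the user's memberOf. If nothing matches, the External
    Users default role applies; with no-access the login is refused."""
    groups = {dn.lower() for dn in LDAP_ENTRIES.get(username, [])}  # DNs are case-insensitive
    for line in sorted(role_info, key=lambda l: l["line_order"]):
        attr_name, wanted_dn = parse_attribute(line["attribute"])
        if attr_name == "memberof" and wanted_dn.lower() in groups:
            return line["role"]
    return default_role
```

With the broken line, setting External Users to Guest gives everyone guest and setting it to No Access locks everyone out, which is exactly the symptom in the original post.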