Forum Discussion

AlgebraicMirror
Dec 08, 2015

How do you get Big-IQ to work with Active Directory for authentication?

Does anyone know of a link to F5 documentation about how to get Big-IQ to work with Active Directory to authenticate users? I've worked with the LDAP auth setup on Big-IQ, and was able to get as far as getting a user account to automatically add to the box if it's present in AD. But what I really want to do is get it to behave like an LTM doing AD remote auth, specifically with these two features:

1. No access for users not in a specific AD group.
2. For those in a group, assign them admin rights automatically.

This seems much more difficult than the LTM because in Big-IQ you have to treat AD like a raw LDAP server, and I'm not an LDAP expert. But I imagine almost everyone using Big-IQ must have faced this, so I'm sure there's documentation about how to work with AD out there; I'm just having trouble finding it.

 

8 Replies

  • First you must set up your LDAP authentication under BIG-IQ System. Docs for that are here: https://support.f5.com/kb/en-us/products/big-iq-centralized-mgmt/manuals/product/bigiq-central-mgmt-initial-setup-4-6-0/4.htmlunique_78898411

    After your LDAP auth provider is set up, you can assign users and groups to roles here: https://support.f5.com/kb/en-us/products/big-iq-centralized-mgmt/manuals/product/bigiq-central-mgmt-device-4-6-0/9.htmlunique_1118044730

    Hint: if the group search button does not populate a list of groups, you need to go back and edit your LDAP auth provider settings in step 1 above.

     

  • Hi Kyle. I've tried that, but I seem unable to get the correct settings for LDAP (my remote group list does not populate). Are there any examples of successful AD configurations that you know of? I'm guessing I have some of the fields wrong, like some of the search filters or attribute fields. I'm sure they're probably the same for any AD implementation, since they generally have the same structure and attributes, so I'm wondering if you have any examples of what goes into them?

     

  • Thanks guys. I appreciate the input, because this is pretty much what I had. I keep getting an "Unable to connect to LDAP provider" error on the login page, but when I use the ldapsearch command per sol11072 and sol15811 things work just fine. So since those commands work and I pretty much match what you guys have, I'm thinking this might be a bug in 4.6? I'm opening a support case with F5 and will report back if that turns out to be the case.

    Symptoms are:

    1. On the logon page in the GUI, I receive an "Unable to connect to LDAP provider" error, despite the ldapsearch command connecting fine.

    2. I see the following in the restjavad.0.log:

      [root@bigiq.example.com:Active] log  tail -f restjavad.0.log
      [WARNING][8909][09 Dec 2015 16:22:46 UTC][8100/cm/system/authn/providers/ldap/47e4354d-73e8-43aa-b9ab-7d75f5e7b11a/login LdapProviderLoginWorker][completed] Unable to connect to LDAP provider 10.0.0.1
      [I][8910][09 Dec 2015 16:22:46 UTC][8100/shared/authn/login AuthnWorker][failed] User test_account failed to login using the https://localhost/mgmt/cm/system/authn/providers/ldap/47e4354d-73e8-43aa-b9ab-7d75f5e7b11a/login authentication provider
      

    Any ideas?

  • Had the same issue this morning and figured it out.

     

    When using ldapsearch, the syntax didn't match the boxes listed in the default settings.

    To resolve it I changed the bind user to just be the username, with no CN= in front of it, so it uses the username exactly like the ldapsearch command line.

    Then I changed the search filter to (sAMAccountName={username}); after that it worked :)

     

    Let me know if that helps.

     

  • In case of using ldaps: I can configure the SSL checkbox, but where do I have to import the corresponding SSL certificate to communicate via ldaps?

     

  • OK, I had this exact issue today and have got it working with Active Directory groups on the BIG-IQ. My configuration is as follows:

     

    Bind User: Required
    Bind Password: Required
    Root DN: DC=contoso,DC=com
    Authentication Method: Simple
    Search Scope: Subtree
    Search Filter: (sAMAccountName={username})
    User Display Name Attribute: displayName
    Group Display Name Attribute: cn
    Group Search Filter: (&(ObjectCategory=Group)(cn=F5*))
    Group Membership Filter: (|(member={userDN})(uniqueMember={userDN}))

     

    Note: my groups contain F5 in the name, which is referenced in the group search filter.

     

    Now go and create a user group, selecting LDAP as the authentication method. Leave the remote group filter blank and select Search; this should populate a drop-down box with all AD groups that match the criteria above. Select the appropriate group and map a role, and you should be able to log in as long as the account is a member of the group.

     

    Hopefully this helps someone.

     

    • 
      Mohammed_M_Irfa

      Hi Raheem,

      Can you please explain with examples? We are using BIG-IQ 6.1.0v.

      Bind User: Required   <<<< for this
      Bind Password: Required   <<<< for this
      Root DN: DC=contoso,DC=com
      Authentication Method: Simple
      Search Scope: Subtree
      Search Filter: (sAMAccountName={username})
      User Display Name Attribute: displayName
      Group Display Name Attribute: cn
      Group Search Filter: (&(ObjectCategory=Group)(cn=F5*))
      Group Membership Filter: (|(member={userDN})(uniqueMember={userDN}))
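The settings posted above, together with the earlier remark that the bind user is just the plain username, combine into one login flow: find the user by sAMAccountName, substitute the user's DN into the membership filter, and grant a role only if a matching F5* group comes back. The Python below is an added example, not BIG-IQ code and not anything the posters wrote: it runs the thread's filters against a constructed, in-memory stand-in for Active Directory with a minimal RFC 4515 filter parser. The directory entries, the ROLE_BY_GROUP mapping, the short "Group" value for objectCategory (real AD stores a schema DN but resolves the short name) and the way the group search filter and membership filter are AND-ed into one query are all assumptions. It also shows why `{username}` has to be filter-escaped before it is substituted, which is the check a defender wants in front of any remote-auth lookup.

```python
# Added example: the thread's BIG-IQ LDAP settings evaluated against a constructed
# in-memory directory. No network, no real BIG-IQ or AD code.
import re

# Settings as posted in the thread.
ROOT_DN = "DC=contoso,DC=com"
SEARCH_FILTER = "(sAMAccountName={username})"
GROUP_SEARCH_FILTER = "(&(ObjectCategory=Group)(cn=F5*))"
GROUP_MEMBERSHIP_FILTER = "(|(member={userDN})(uniqueMember={userDN}))"

# Constructed directory (assumption). AD's member attribute holds full DNs,
# which is why the membership filter is written in terms of {userDN}.
DIRECTORY = {
    "CN=Alice Example,OU=Staff,DC=contoso,DC=com": {
        "objectCategory": ["Person"], "sAMAccountName": ["alice"], "displayName": ["Alice Example"]},
    "CN=Bob Example,OU=Staff,DC=contoso,DC=com": {
        "objectCategory": ["Person"], "sAMAccountName": ["bob"], "displayName": ["Bob Example"]},
    "CN=F5-Admins,OU=Groups,DC=contoso,DC=com": {
        "objectCategory": ["Group"], "cn": ["F5-Admins"],
        "member": ["CN=Alice Example,OU=Staff,DC=contoso,DC=com"]},
    "CN=Helpdesk,OU=Groups,DC=contoso,DC=com": {
        "objectCategory": ["Group"], "cn": ["Helpdesk"],
        "member": ["CN=Bob Example,OU=Staff,DC=contoso,DC=com"]},
}
# Hypothetical group-to-role mapping, standing in for the BIG-IQ user group screen.
ROLE_BY_GROUP = {"CN=F5-Admins,OU=Groups,DC=contoso,DC=com": "Administrator"}


def escape_filter_value(value):
    """Escape a value for use inside a filter (RFC 4515 section 3)."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)


def _unescape(value):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def parse_filter(text):
    """Minimal parser: (&...), (|...), (attr=value), and a trailing-* prefix match."""
    pos = 0

    def node():
        nonlocal pos
        if pos >= len(text) or text[pos] != "(":
            raise ValueError("expected '(' at offset %d" % pos)
        pos += 1
        if pos < len(text) and text[pos] in "&|":
            op = text[pos]
            pos += 1
            subs = []
            while pos < len(text) and text[pos] == "(":
                subs.append(node())
            if pos >= len(text) or text[pos] != ")":
                raise ValueError("unterminated %s filter" % op)
            pos += 1
            return (op, subs)
        end = text.index(")", pos)          # escaped values never contain ')'
        attr, _, value = text[pos:end].partition("=")
        pos = end + 1
        return ("=", attr.lower(), value)

    result = node()
    if pos != len(text):
        raise ValueError("trailing data after filter")
    return result


def matches(node, entry):
    """Evaluate a parsed filter against one entry (case-insensitive, as AD does)."""
    if node[0] in "&|":
        combine = all if node[0] == "&" else any
        return combine(matches(n, entry) for n in node[1])
    _, attr, pattern = node
    values = [v.lower() for k, vs in entry.items() if k.lower() == attr for v in vs]
    if pattern.endswith("*"):               # a literal asterisk would arrive as \2a
        prefix = _unescape(pattern[:-1]).lower()
        return any(v.startswith(prefix) for v in values)
    return _unescape(pattern).lower() in values


def search(base_dn, filter_text):
    """Subtree search: DNs under base_dn whose entry matches the filter."""
    parsed = parse_filter(filter_text)
    return [dn for dn, entry in DIRECTORY.items()
            if dn.lower().endswith(base_dn.lower()) and matches(parsed, entry)]


def authorize(username):
    """Return (user_dn, role) if the user exists and is in a mapped F5* group, else None."""
    user_filter = SEARCH_FILTER.replace("{username}", escape_filter_value(username))
    users = search(ROOT_DN, user_filter)
    if len(users) != 1:                     # unknown or ambiguous account: deny
        return None
    user_dn = users[0]
    membership = GROUP_MEMBERSHIP_FILTER.replace("{userDN}", escape_filter_value(user_dn))
    groups = search(ROOT_DN, "(&%s%s)" % (GROUP_SEARCH_FILTER, membership))  # assumed combination
    roles = [ROLE_BY_GROUP[g] for g in groups if g in ROLE_BY_GROUP]
    return (user_dn, roles[0]) if roles else None


if __name__ == "__main__":
    for name in ("alice", "bob", "*"):
        print(name, "->", authorize(name))
```

Running it grants alice the Administrator role, denies bob because his only group does not match cn=F5* (the "no access for users outside a specific group" requirement from the original question), and denies the user name `*` because it is escaped to `\2a` before substitution instead of turning the user search into a wildcard that matches every account.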