Forum Discussion

domokos_23867
May 29, 2018

AD - LDAP query and referrals - APM

Hello,


I cannot find a similar setup being discussed so I am trying my luck. We have an F5 with the APM module. It uses an AD server for LDAP queries. The users connect to the logon page shown by the APM and provide their credentials. We have 2 sets of users. Some users are configured on the AD server. When the F5 APM runs an LDAP query for them it gets back a Success message and the policy continues to be processed (it is an SSL VPN). But we have some users that are not configured in this AD server but on an external one. The AD server we query has a trust relationship (one way) with the external AD server, so our idea was to query our own AD server hoping it will talk to the external one and get a successful LDAP query. But instead I see that our internal AD server returns a referral, and that is seen by the F5 as an error and it stops. I am getting this type of message in the access policy event log: 'session.ldap.last.errmsgext' set to '0000202B: RefErr: DSID-0310082F, data 0, 1 access points'


Has anyone had any experience with a similar setup and what could be done?


Regards, Carol


1 Reply

  • Hi Carol.

    I think that your problem is a system problem.

    Can you try an LDAP query without APM in order to check if your relationship is correct and if what you want to do is possible (LDAP query in AD1 that will fw to AD2...)?

    https://support.f5.com/csp/article/K15811

    • Use the following ldapsearch command to send LDAP queries to the server.

    ldapsearch [options] [filter [attributes...]]

    • For example, the following command queries the LDAP server 172.24.171.1 for a BIG-IP administrative user account named bigipwasa:

    ldapsearch -x -h 172.24.171.1 -D "cn=admin,dc=askf5,dc=pslab,dc=local" -w askf5 -b 'uid=bigipwasa,ou=Users,dc=askf5,dc=pslab,dc=local' '(objectclass=*)'

    Another possibility is to modify your policy:

    • logon page
    • ldap query on AD1
    • if the AD1 result is successful, FW user to AD1 for authentication.
    • if LDAP Query on AD1 Fail FW user to AD2 for authentication...

    Regards
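An added example (not from this thread, F5 or Microsoft) that parses the AD extended error string Carol quoted and encodes the branching the reply proposes after "LDAP Query on AD1": Success authenticates on AD1, a referral (Windows code 0x202B, ERROR_DS_REFERRAL, meaning the object is homed in another naming context such as the trusted forest) sends the user on to AD2, and other failures deny. Restricting the fallback to referrals is this example's own choice, and the second sample message (a bind failure) is constructed for illustration.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Win32/DS error numbers AD puts in its extended error text
# ("0000202B: RefErr: ..."); hex values are the standard Windows codes.
ERROR_DS_REFERRAL = 0x202B
AD_ERROR_NAMES = {
    ERROR_DS_REFERRAL: "ERROR_DS_REFERRAL",  # object lives in another naming context
    0x2030: "ERROR_DS_NO_SUCH_OBJECT",       # search base or object does not exist
    0x052E: "ERROR_LOGON_FAILURE",           # bad credentials on bind ("data 52e")
}

# AD extended-error format as logged by APM in session.ldap.last.errmsgext, e.g.
#   0000202B: RefErr: DSID-0310082F, data 0, 1 access points
ERRMSG_RE = re.compile(
    r"^(?P<code>[0-9A-Fa-f]{8}):\s*(?P<label>\w+):\s*DSID-(?P<dsid>[0-9A-Fa-f]+)"
    r".*?\bdata\s+(?P<data>[0-9A-Fa-f]+)(?:,\s*(?P<refs>\d+)\s+access points?)?"
)

@dataclass
class AdError:
    code: int
    label: str
    dsid: str
    data: int
    referral_count: int  # "N access points" on a referral, else 0

    @property
    def name(self) -> str:
        # DS errors carry the code in the leading field; bind errors carry it in "data".
        return AD_ERROR_NAMES.get(self.code) or AD_ERROR_NAMES.get(self.data, "UNKNOWN")

def parse_errmsgext(msg: str) -> Optional[AdError]:
    """Parse an errmsgext string; None when it is not in AD's extended format."""
    m = ERRMSG_RE.match(msg.strip())
    if not m:
        return None
    return AdError(int(m["code"], 16), m["label"], m["dsid"],
                   int(m["data"], 16), int(m["refs"] or 0))

def next_branch(ad1_result: str, errmsgext: str = "") -> str:
    """Branch after 'LDAP Query on AD1': Success -> authenticate on AD1;
    a referral (user homed in the trusted forest) -> AD2; anything else -> deny."""
    if ad1_result == "Success":
        return "auth_ad1"
    err = parse_errmsgext(errmsgext)
    if err is not None and err.code == ERROR_DS_REFERRAL:
        return "auth_ad2"
    return "deny"  # a bad password or unknown object on AD1 is not retried on AD2
```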