Forum Discussion
pcastagnaro_709
May 17, 2013 | Nimbostratus
Posted By nitass on 05/04/2013 02:20 AM
Can you try the "login-attribute" setting in conector_con_AD?
This is my testing. tasmania is a web user.
root@(ve11a)(cfg-sync Changes Pending)(Active)(/Common)(tmos) show sys version|grep -A 5 Main\ Package
Main Package
  Product  BIG-IP
  Version  11.3.0
  Build    3022.0
  Edition  Hotfix HF3
  Date     Fri Feb 22 00:00:34 PST 2013

root@(ve11a)(cfg-sync Changes Pending)(Active)(/Common)(tmos) list ltm virtual bar
ltm virtual bar {
    auth {
        Perfil_AD
    }
    destination 172.28.20.16:80
    ip-protocol tcp
    mask 255.255.255.255
    pool foo
    profiles {
        http { }
        tcp { }
    }
    source 0.0.0.0/0
    source-address-translation {
        type automap
    }
    vlans-disabled
}

root@(ve11a)(cfg-sync Changes Pending)(Active)(/Common)(tmos) list ltm auth profile Perfil_AD
ltm auth profile Perfil_AD {
    app-service none
    configuration conector_con_AD
    credential-source http-basic-auth
    defaults-from ldap
    rule AUTH_LDAP_URL_v1
    type ldap
}

root@(ve11a)(cfg-sync Changes Pending)(Active)(/Common)(tmos) list ltm auth ldap conector_con_AD
ltm auth ldap conector_con_AD {
    bind-dn cn=administrator,cn=users,DC=abc,DC=com
    bind-pw password
    login-attribute sAmAccountName
    search-base-dn cn=users,DC=abc,DC=com
    servers { 172.28.20.20 }
}

root@(ve11a)(cfg-sync Changes Pending)(Active)(/Common)(tmos) list ltm rule AUTH_LDAP_URL_v1
ltm rule AUTH_LDAP_URL_v1 {
    when CLIENT_ACCEPTED {
        set tmm_auth_ldap_sid [AUTH::start pam default_ldap]
    }
    when HTTP_REQUEST {
        if {[HTTP::uri] equals "/"} {
            AUTH::username_credential $tmm_auth_ldap_sid [HTTP::username]
            AUTH::password_credential $tmm_auth_ldap_sid [HTTP::password]
            AUTH::authenticate $tmm_auth_ldap_sid
            HTTP::collect
        }
    }
    when AUTH_RESULT {
        if {[AUTH::status] != 0} {
            HTTP::respond 401
        } else {
            HTTP::release
        }
    }
}

tcpdump
No. Time Delta Time Source Src port Destination Protocol Dst port Window BiF Vlan id Length Info
1 2013-05-04 16:55:05.469994 0.000000 00:00:00_00:00:00 00:00:00_00:00:00 0x05ff 156 Ethernet II
2 2013-05-04 16:55:15.106749 9.636755 172.28.20.11 45448 172.28.20.20 TCP 389 14600 4094 157 OUT s0/tmm1 : 45448 > 389 [SYN] Seq=3089723857 Win=14600 Len=0 MSS=1460 SACK_PERM=1 TSval=1858114978 TSecr=0 WS=128
3 2013-05-04 16:55:15.108900 0.002151 172.28.20.20 389 172.28.20.11 TCP 45448 64240 4094 161 IN s0/tmm1 : 389 > 45448 [SYN, ACK] Seq=89577447 Ack=3089723858 Win=64240 Len=0 MSS=1460 WS=1 TSval=0 TSecr=0 SACK_PERM=1
4 2013-05-04 16:55:15.110082 0.001182 172.28.20.11 45448 172.28.20.20 TCP 389 14720 4094 149 OUT s0/tmm1 : 45448 > 389 [ACK] Seq=3089723858 Ack=89577448 Win=14720 Len=0 TSval=1858114982 TSecr=0
5 2013-05-04 16:55:15.110090 0.000008 172.28.20.11 45448 172.28.20.20 LDAP 389 14720 61 4094 210 OUT s0/tmm1 : bindRequest(1) "cn=administrator,cn=users,DC=abc,DC=com" simple
6 2013-05-04 16:55:15.112710 0.002620 172.28.20.20 389 172.28.20.11 LDAP 45448 64179 22 4094 171 IN s0/tmm1 : bindResponse(1) success
7 2013-05-04 16:55:15.113013 0.000303 172.28.20.11 45448 172.28.20.20 TCP 389 14720 4094 149 OUT s0/tmm1 : 45448 > 389 [ACK] Seq=3089723919 Ack=89577470 Win=14720 Len=0 TSval=1858114985 TSecr=51647361
8 2013-05-04 16:55:15.113341 0.000328 172.28.20.11 45448 172.28.20.20 LDAP 389 14720 76 4094 225 OUT s0/tmm1 : searchRequest(2) "cn=users,DC=abc,DC=com" wholeSubtree
9 2013-05-04 16:55:15.114853 0.001512 172.28.20.20 389 172.28.20.11 LDAP 45448 64103 1412 4094 1561 IN s0/tmm1 : searchResEntry(2) "CN=tasmania,CN=Users,DC=abc,DC=com" | searchResDone(2) success [1 result]
10 2013-05-04 16:55:15.119586 0.004733 172.28.20.11 45448 172.28.20.20 LDAP 389 17536 56 4094 205 OUT s0/tmm1 : bindRequest(3) "CN=tasmania,CN=Users,DC=abc,DC=com" simple
11 2013-05-04 16:55:15.121659 0.002073 172.28.20.20 389 172.28.20.11 LDAP 45448 64047 22 4094 171 IN s0/tmm1 : bindResponse(3) success
12 2013-05-04 16:55:15.122278 0.000619 172.28.20.11 45448 172.28.20.20 LDAP 389 17536 61 4094 210 OUT s0/tmm1 : bindRequest(4) "cn=administrator,cn=users,DC=abc,DC=com" simple
13 2013-05-04 16:55:15.124744 0.002466 172.28.20.20 389 172.28.20.11 LDAP 45448 63986 22 4094 171 IN s0/tmm1 : bindResponse(4) success
14 2013-05-04 16:55:15.164996 0.040252 172.28.20.11 45448 172.28.20.20 TCP 389 17536 4094 149 OUT s0/tmm1 : 45448 > 389 [ACK] Seq=3089724112 Ack=89578926 Win=17536 Len=0 TSval=1858115037 TSecr=51647361
Dear nitass,
I set sAmAccountName in login-attribute, but I had the same result.
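As an added example (not code from the thread or from F5), a small Python triage helper that reconstructs the search-then-bind sequence visible in the quoted capture (service-account bind, search under search-base-dn, bind as the returned user DN, rebind as the service account) from the Info column of such a capture and reports which step failed. The sample lines are copied from nitass' trace; the failure labels are my own naming, and the helper also classifies the failure cases the thread does not show (no matching entry, rejected user or service bind).

```python
import re
# Constructed sample: the Info column of the LDAP packets from the capture
# quoted in the thread, one packet per line (TCP-only rows omitted).
CAPTURE_OK = """\
bindRequest(1) "cn=administrator,cn=users,DC=abc,DC=com" simple
bindResponse(1) success
searchRequest(2) "cn=users,DC=abc,DC=com" wholeSubtree
searchResEntry(2) "CN=tasmania,CN=Users,DC=abc,DC=com" | searchResDone(2) success [1 result]
bindRequest(3) "CN=tasmania,CN=Users,DC=abc,DC=com" simple
bindResponse(3) success
bindRequest(4) "cn=administrator,cn=users,DC=abc,DC=com" simple
bindResponse(4) success
"""
BIND_REQ = re.compile(r'bindRequest\((\d+)\) "([^"]*)"')
BIND_RES = re.compile(r'bindResponse\((\d+)\) (\w+)')
SEARCH_DONE = re.compile(r'searchResDone\((\d+)\) (\w+) \[(\d+) results?\]')

def parse_exchange(text):
    """Return the LDAP operations in capture order as (op, msg_id, detail)."""
    ops = []
    for line in text.splitlines():
        for m in BIND_REQ.finditer(line):
            ops.append(("bind_req", int(m.group(1)), m.group(2)))
        for m in BIND_RES.finditer(line):
            ops.append(("bind_res", int(m.group(1)), m.group(2)))
        for m in SEARCH_DONE.finditer(line):  # detail = entries found, -1 on error
            ops.append(("search_done", int(m.group(1)),
                        int(m.group(3)) if m.group(2) == "success" else -1))
    return ops

def diagnose(text, bind_dn):
    """Classify a search-then-bind flow: where it stopped, or 'authenticated'."""
    binds, searches = {}, []  # binds: message id -> [dn, result code]
    for op, mid, detail in parse_exchange(text):
        if op == "bind_req":
            binds[mid] = [detail, None]
        elif op == "bind_res" and mid in binds:
            binds[mid][1] = detail
        elif op == "search_done":
            searches.append(detail)
    is_svc = lambda dn: dn.lower() == bind_dn.lower()
    svc = [r for dn, r in binds.values() if is_svc(dn)]
    if not svc or svc[0] != "success":
        return "service-bind-failed"  # bind-dn / bind-pw rejected by the DC
    if not searches or searches[0] <= 0:
        return "user-not-found"  # login-attribute filter matched no entry
    user = [r for dn, r in binds.values() if not is_svc(dn)]
    if not user:
        return "no-user-bind"
    return "authenticated" if user[0] == "success" else "user-bind-failed:" + user[0]
```

Feed it the Info column of your own capture (tshark -Y ldap is enough) to see whether the BIG-IP never finds the user, or finds the DN but the user bind is rejected.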