Applies To:
Show VersionsBIG-IP APM
- 11.5.10, 11.5.9, 11.5.8, 11.5.7, 11.5.6, 11.5.5, 11.5.4, 11.5.3, 11.5.2
About LDAP queries
When running the LDAP Query access policy item, Access Policy Manager (APM) queries an external LDAP server for additional information about the user.
The LDAP Query item does not authenticate user credentials. To authenticate users, use another or an additional authentication item in the access policy.
About nested groups in Active Directory and LDAP queries
A nested group is a group that is a member of another group. For example, group1 is a member of group3 and group4. A user, user1, that belongs to group1 and group2 also belongs to group3 and group4 through nesting.
Whether AD Query and LDAP Query return nested groups in session variables
The AD Query and LDAP Query access policy items return and store the groups to which a user belongs in the memberOf session variable.
The contents of the memberOf session variable differ depending on whether the Fetch Nested Group setting is enabled or disabled in AD Query or LDAP Query properties:
- Enabled - The memberOf session variable contains all groups to which the user belongs. As in the example, this includes group1, group2, group3, and group4.
- Disabled - The memberOf session variable contains groups to which the user belongs directly. Based on the example, this would be group1 and group2.
About how APM handles binary values in LDAP attributes
For LDAP, Access Policy Manager (APM) converts an attribute value to hex only if the value contains unprintable characters. If the session variable contains several values, and one or more of those values is unprintable, then APM converts only those particular values to hex.
Case 1:
Handling of attributes with single value: 9302eb80.session.ldap.last.attr.objectGUID 34 / 0xfef232d3039be9409a72bfc60bf2a6d0Case 2:
Handling of attributes with multiple values (mix of binary and non-binary values):29302eb80.session.ldap.last.attr.memberOf 251 | / CN=printable group,OU=groups,OU=someco,DC=smith, / DC=labt,DC=fp,DC=somelabnet,DC=com | / 0x434e3d756e7072696e7461626c6520c2bdc2a12067726f75702c4f553d67726f7570732c4f553d66352c / 44433d73686572776f6f642c44433d6c6162742c44433d66702c44433d66356e65742c44433d636f6d |Adding an LDAP query to an access policy
Example of LDAP auth and query default rules
In this example, after successful authentication, the system retrieves a user group using an LDAP query. Resources are assigned to users and users are directed to a webtop if the user group has access to the network access resources.
In this figure, the default branch rule for LDAP query was changed to check for a specific user group attribute.
Session variables in LDAP query properties
You can use session variables to configure properties for the LDAP query access policy item. The properties are listed in the table.
Property | Example value | Description |
---|---|---|
SearchFilter | (sAMAccountName=%{session.logon.last.username}) | Populates the SearchFilter parameter with the username from the current session. |
UserDN | cn=%{session.logon.last.username}, cn=users, dc=sales, dc=com. | A typical UserDN for query in an LDAP structure. |
SearchDN | session.ssl.cert.last.cn | Uses the user CN from the SSL certificate. Useful as a value for any property in this table. |
LDAP query session variables
When the LDAP Query access policy item runs, it populates session variables which are then available for use in access policy rules. The tables list the session variables for the LDAP query access policy item and for a logon access policy item.
Session variables for LDAP query
Session Variable | Description |
---|---|
session.ldap.last.queryresult | Provides the result of the LDAP query. The available values are:
|
session.ldap.last.attr.$attr_name | $attr_name is a value that represents the user's attributes received during LDAP/query. Each attribute is converted to separate session variables. |
session.ldap.last.errmsg | Useful for troubleshooting, and contains the last error message generated for LDAP, for example aad2a221.ldap.last.errmsg. |
Common session variables
Session Variable | Description |
---|---|
session.logon.last.username | Provides user credentials. The username string is stored after encrypting, using the system's client key. |
session.logon.last.password | Provides user credentials. The password string is stored after encrypting, using the system's client key. |
LDAP authentication and query troubleshooting tips
You might run into problems with LDAP authentication and query in some instances. Follow these tips to try to resolve any issues you might encounter.
LDAP auth and query troubleshooting
Possible error messages | Possible explanations and corrective actions |
---|---|
LDAP auth failed |
|
LDAP query failed |
|
Additional troubleshooting tips for LDAP authentication
You should | Steps to take |
---|---|
Check that your access policy is attempting to perform authentication |
Note: Make sure that your log level is set to the appropriate level. The default
log level is notice
|
Confirm network connectivity |
|
Check the LDAP server configuration |
Note: A good test is to use full administrative credentials with all rights. If
that works, you can use less powerful credentials for verification.
|
Capture a TCP dump |
Important: If you decide to escalate the issue to customer support, you must
provide a capture of the TCP dump when you encounter authentication issues that you cannot
otherwise resolve on your own.
|