Applies To:
Show VersionsBIG-IP APM
- 13.1.5, 13.1.4
About LDAP queries
When running the LDAP Query access policy item, Access Policy Manager® (APM®) queries an external LDAP server for additional information about the user.
The LDAP Query item does not authenticate user credentials. To authenticate users, use another or an additional authentication item in the access policy.
About how APM handles binary values in LDAP attributes
For LDAP, Access Policy Manager® (APM®) converts an attribute value to hex only if the value contains unprintable characters. If the session variable contains several values, and one or more of those values is unprintable, then APM converts only those particular values to hex.
An attribute with a single unprintable value
9302eb80.session.ldap.last.attr.objectGUID 34 / 0xfef232d3039be9409a72bfc60bf2a6d0
Attribute with multiple values, both printable and unprintable (binary)
29302eb80.session.ldap.last.attr.memberOf 251 | / CN=printable group,OU=groups,OU=someco,DC=smith, / DC=labt,DC=fp,DC=somelabnet,DC=com | / 0x434e3d756e7072696e7461626c6520c2bdc2a12067726f75702c4f553d67726f7570732c4f553d66352c / 44433d73686572776f6f642c44433d6c6162742c44433d66702c44433d66356e65742c44433d636f6d |
Adding an LDAP query to an access policy
Verifying log settings for the access profile
Example of LDAP auth and query default rules
In this example, after successful authentication, the system retrieves a user group using an LDAP query. Resources are assigned to users and users are directed to a webtop if the user group has access to the network access resources.
In this figure, the default branch rule for LDAP query was changed to check for a specific user group attribute.
Example of an access policy for LDAP auth query
Session variables in LDAP query properties
You can use session variables to configure properties for the LDAP query access policy item. The properties are listed in the table.
Property | Example value | Description |
---|---|---|
SearchFilter | (sAMAccountName=%{session.logon.last.username}) | Populates the SearchFilter parameter with the username from the current session. |
UserDN | cn=%{session.logon.last.username}, cn=users, dc=sales, dc=com. | A typical UserDN for query in an LDAP structure. |
SearchDN | session.ssl.cert.last.cn | Uses the user CN from the SSL certificate. Useful as a value for any property in this table. |
LDAP query session variables
When the LDAP Query access policy item runs, it populates session variables which are then available for use in access policy rules. The tables list the session variables for the LDAP query access policy item and for a logon access policy item.
Session variables for LDAP query
Session Variable | Description |
---|---|
session.ldap.last.queryresult | Provides the result of the LDAP query. The available values are:
|
session.ldap.last.attr.$attr_name | $attr_name is a value that represents the user's attributes received during LDAP/query. Each attribute is converted to separate session variables. |
session.ldap.last.errmsg | Contains only a simple error message for the last error generated for LDAP. |
session.ldap.last.errmsgext | Useful for troubleshooting. At any log level, contains extended error information for the last error message generated for LDAP. |
Common session variables
Session Variable | Description |
---|---|
session.logon.last.username | Provides user credentials. The username string is stored after encrypting, using the system's client key. |
session.logon.last.password | Provides user credentials. The password string is stored after encrypting, using the system's client key. |
LDAP authentication and query troubleshooting tips
You might run into problems with LDAP authentication and query in some instances. Follow these tips to try to resolve any issues you might encounter.
LDAP auth and query troubleshooting
Possible error messages | Possible explanations and corrective actions |
---|---|
LDAP auth failed |
|
LDAP query failed |
|
Additional troubleshooting tips for LDAP authentication
You should | Steps to take |
---|---|
Check that your access policy is attempting to perform authentication |
Note: Make sure that your log level is set to the appropriate level. The default log level is notice
|
Confirm network connectivity |
|
Confirm network connectivity |
|
Check the LDAP server configuration |
Note: A good test is to use full administrative credentials with all rights. If that works, you can use less powerful credentials for verification.
|
Capture a tcpdump | Use the tcpdump utility on the BIG-IP system to record activities between Access Policy Manager® and the authentication server when authentication attempts are made.
Important: If you decide to escalate the issue to customer support, you must provide a capture of the tcpdump when you encounter authentication issues that you cannot otherwise resolve on your own.
|