Manual Chapter : Active Directory User Authentication

Applies To:

Show Versions Show Versions

BIG-IQ Centralized Management

  • 6.1.0
Manual Chapter

Active Directory User Authentication

Use my Active Directory Domain Controller to authenticate BIG-IQ users

F5 BIG-IQ Centralized Management can verify user credentials against your company's Active Directory Domain Controller using one of these methods, with certificate validation:
  • StartTLS - (with server certificate validation enabled) This is the recommended and most secure method.
  • LDAPS - Typically used for connections to older servers, such as those running LDAPv2

After you set up BIG-IQ to use your Active Directory as an authentication provider, you can create local users and user groups mapped to the corresponding ones on your domain controller.

Before integrating BIG-IQ with your Active Directory Domain Controller for authentication

Before integrating Active Directory Domain Controller (DC) authentication with the F5 BIG-IQ Centralized Management system, you must gather the following information.

Required information Notes
Fully Qualified Domain Name (FQDN) of the Active Directory DC

For the SSL server certificate validation to succeed, you must use a FQDN. For example: activedirectory.example.com.

The FQDN must match the FQDN in the CN (Common Name) attribute of the subject of the X509 certificate for the authentication server. For example, the server might present a certificate that includes the following subject data: Subject: C=US, ST=Washington, L=Seattle, O=activedir1, OU=F5 Networks, CN=activedirectory.example.com/emailAddress=activedirectory@example.com

If the value of the host name does not match the FQDN in the CN field, authentication will fail. Specifying an IP address instead of a FQDN results in such a mismatch.

Port of the Active Directory DC The default port is 389 for StartTLS and 636 for LDAPS, unless otherwise specified. If your Active Directory DC uses an alternate (non-standard port), you need to specify it in the authentication provider settings.
Active Directory DC's SSL certificate

For the BIG-IQ to trust the SSL certificate presented by your Active Directory DC, you must provide a PEM-formatted certificate in the authentication provider settings. To establish the SSL connection to the Active Directory server, the BIG-IQ must trust any one of the SSL certificates in the chain presented by the server during the SSL handshake.

As an alternative to the Active Directory DC's SSL certificate, you can use the issuing CA’s SSL certificate instead. A typical scenario where the issuing CA’s certificate is used instead, is when a domain controller uses multiple servers, each with a different certificate. In this case, all the certificates would have the same issuing CA, often the company’s own CA.

Root Distinguished Name

This is the Root DN for your directory. The BIG-IQ uses it as the starting point in the directory when it searches for users and groups.

Active Directory users

You'll need to create BIG-IQ users and groups that map to the remote users on the Active Directory DC.

Important:

User access to certain BIG-IQ screens and features is dependent on the BIG-IQ roles you associate to the user. You can also manage user access based on the roles associated to the groups the user belongs to on your Active Directory server.

To manage access for a user authenticated against the remote Active Directory, choose one of the following options:

  • Add the user to a BIG-IQ role.

  • Create a BIG-IQ group mapped to an Active Directory group the user is a member of and add that group to a BIG-IQ role.

Review the users and groups in your directory's structure and determine where they are located in the organizational units (OUs). Then, decide how you want to map those names to your BIG-IQ users and groups.To authenticate a user against the Active Directory domain controller, you have to provide a User Bind Template in the User Principal Name (UPN) format. For example, {username}@domainname.example.com. As an alternative to the UPN format, you can also specify the User Bind Template in the Down-Level Logon Name format. For example, domainname\{username}. When a user logs in, BIG-IQ inserts the user name into the template in place of the {username} token, and the resulting bind name is used to bind to the directory. For example, user John Smith logs in as user jsmith, thus his bind name is jsmith@domainname.example.com. He logs in and is correctly authenticated with his user name and password in the directory through this bind name.
Active Directory groups

The Bind User is not required for authentication, but must be provided to search for groups. The bind name is obtained by replacing the {username} token in the User Bind Template with the Bind User. If your company does not allow dedicated bind accounts, any directory user with permissions to search the directory for groups can be used to bind instead.

Set up BIG-IQ to use Active Directory for user authentication and authorization

Before setting up BIG-IQ to authenticate users against your Active Directory Domain Controller, gather the information outlined in the section titled, Before integrating BIG-IQ with your Active Directory Domain Controller.
You can configure BIG-IQ to use one or more of your company's Active Directory Domain Controller(s) to authenticate and authorize BIG-IQ users. Some fields are already pre-populated with values that work well for most Active Directory DCs with standard configurations and schemas. If your Active Directory schema is customized, feel free to change these default values to match its settings.
  1. At the top of the screen, click System.
  2. On the left, click USER MANAGEMENT > Auth Providers .
  3. Click the Add button.
  4. From the Provider Type list, select your Active Directory.
  5. In the Name field, type a name for this new provider.
    This must be a unique name, and can be a maximum of 152 characters.
  6. In the Servers setting Host field, type or paste the FQDN of your Active Directory Domain Controller and specify the port.

    By default, BIG-IQ uses port 636 for LDAPS and 389 for StartTLS. It's best to leave these defaults.

  7. From the SSL list, select how you want BIG-IQ to communicate with your Active Directory Domain Controller.
    • StartTLS - In almost all cases, you'll want to select this option, because it is the most secure option. You'll want to keep server certificate validation option enabled.
    • LDAPS - This is primarily used to connect to older servers, running an older version of the LDAP protocol (LDAPv2).
    • Disabled - This option disables SSL and is not secure and not recommended.
  8. Select the Validate SSL Certificate check box.
    This validates the end host for secure communication between BIG-IQ and your managed BIG-IP devices, as well as communication between BIG-IQ systems in a high availability configuration.
  9. In the SSL Certificate field, type or paste your Active Directory Domain Controller’s SSL certificate in PEM format.
  10. If your company supports dedicated Bind authentication, in the Bind User Distinguished Name and Bind User Password fields, type the full distinguished name and password for the dedicated bind account with directory search permissions.
  11. If your company does not support dedicated bind authentication, in the User Bind Template field, type or paste the user in the Distinguished Name format uid={username},ou=people,o=sevenSeas
  12. In the Root Distinguished Name field, type the distinguished names (DN) of the root context that contains both users and groups.
    The DN of the root context must be a full distinguished name. BIG-IQ uses it as the starting point in the directory when it searches for users and groups.
  13. For the Authentication Method setting, specify a method.
    • Simple - Select this option to require a user name and password for authentication.
    • None - Select this option to ignore the user name and password. This option is not recommended.
    Warning: No password authentication is used if you select None.
  14. For the Search Scope setting, select an option to specify the depth at which searches are made, relative to the Root Distinguished Name.
  15. In the Connect Timeout field, type the number of seconds after which the BIG-IQ system stops trying to authenticate a user or user group.
  16. In the Read Timeout field, type the number of seconds the BIG-IQ system will wait for a response to a query.
  17. The default query for the Group Search Filter setting works well for most directories that use a standard Active Directory configuration schema.

    This returns all the groups under the Root DN you provide, that match the search term for the Remote Group Filter setting on the group search screen. Feel free to modify it as needed to match your directory schema.

    For example: (&(-[[|(objectClass=posixGroup) (objectClass=groupOfUniqueNames)(objectClass=groupOfNames)) (]]-+[[objectCategory=group)(]]+cn={searchterm}+[[*]]+))

  18. For the Group Membership Filter setting, the default value works well for most Active Directory DCs that use a standard schema.

    When authenticating a user, BIG-IQ uses this query to get all of the groups on the Active Directory Domain Controller to which the user belongs. Feel free however to simplify it and leave only the one of the three clauses that matches your directory schema. In you change the query, you can use the token {userDN} anywhere the user's distinguished name should be substituted in the query and the token{username} anywhere the user’s login name should be substituted.

    On authenticating a user, the BIG-IQ needs to retrieve from the Active Directory all the groups the user is a member of. It uses the Group Membership User Attribute query for that. The default value, memberof, will work well for most Active Directory controllers that use a standard schema. Feel free to modify it as needed to match your directory schema.

  19. If you don't want the authentication provider to display on the BIG-IQ log in screen, for the Hide Provider setting, select the Hide provider on login screen check box.
  20. To verify these provider settings, type a user and password, and click the Test button.

Add a BIG-IQ user authenticated by my Active Directory and associate it with a role

Before you add a user authenticated against your Active Directory Domain Controller, you must have your Active Director DC settings configured on BIG-IQ.

Once you decide exactly which users you want to perform certain tasks, you can provide them access to particular areas of BIG-IQ by adding them as local users and assigning them the appropriate built-in or custom roles. You can assign as many roles as required to cover the user's responsibilities.

For the Active Directory-authenticated user to access BIG-IQ, you must put the local user in a BIG-IQ role, or put in a role a local group mapped to one of the user’s groups on the Active Directory Domain Controller.

  1. At the top of the screen, click System.
  2. On the left, click USER MANAGEMENT > Users .
  3. Click the Add button.
  4. From the Provider Type list, select your Active Directory.
  5. In the User Name field, type the name of the Active Directory user.
  6. In the Full Name field, type the name to identify the user from BIG-IQ.

    The full name can contain a combination of symbols, letters, numbers and spaces.

  7. For the Roles setting, from the Available list, select each user role you want to associate with this user, and move it to the Selected list.
    Important: Be sure to let your users know that their access to certain parts of the BIG-IQ user interface depends on which role they are assigned.
  8. Click the Save & Close button.
Important: If this BIG-IQ is part of an HA pair, you must log in to the secondary BIG-IQ system, click System -> BIG-IQ HA, click the BIG-IQ HA Settings button, then click the Log Out & Refresh button. This procedure is required because BIG-IQ handles users and user groups differently than other data synchronized between BIG-IQ systems in an HA pair. If you don't perform this procedure, this new user cannot successfully log in to the secondary system.

Create an Active Directory Domain Controller-authenticated user group

Important: For the Active Directory-authenticated user to access BIG-IQ, you must put the local user in a BIG-IQ role, or in a role a local group that is mapped to one of the user’s groups on the Active Directory DC.
As an alternative to assigning roles to individual users, you can assign roles through the remote Active Directory groups they are members of. This way, you can establish one set of permissions and manage multiple (Active Directory-authenticated) users' ability to access the BIG-IQ features by assigning them to the group.
  1. At the top of the screen, click System.
  2. At the left, click USER MANAGEMENT > User Groups .
    The User Groups screen opens.
  3. Click the Add button.
  4. From the Auth Provider list, select your Active Directory auth provider.
  5. There are two ways to specify the remote group to map to:
    • If you specified a bind user and a group search filter for authentication, then type a term to filter into the Remote Group Filter field (for example, *Engineers*). Alternatively, you can leave it blank, or use the wildcard * to return all groups. Then click the Search button to view the list.

      The default Group Search Filter query, (&(objectCategory=group)(cn={searchterm}*)), works well for most Active Directory controllers that use a standard schema. This query returns all the groups under the provided Root DN that match the search term entered as the Remote Group Filter expression on the group search page. You can modify this query as needed to match your directory schema.

    • If you have not configured these options, in the Group Distinguished-[[-[[-[[+[[ Name]]+]]-+[[ Name]]+]]-+[[ Name]]+]]-+[[ Name]]+ field, type the exact name of the group.
  6. Click the Save & Close button.
Important: If this BIG-IQ is part of an HA pair, you must log in to the secondary BIG-IQ system, click System -> BIG-IQ HA, click the BIG-IQ HA Settings button, then click the Log Out & Refresh button. This procedure is required because BIG-IQ handles users and user groups differently than other data synchronized between BIG-IQ systems in an HA pair. If you don't perform this procedure, this new user cannot successfully log in to the secondary system.