Manual Chapter: Configuring Remote LDAP Authentication
Applies To: BIG-IP LTM 15.0.1, 15.0.0
Overview of remote LDAP authentication for application traffic
As an administrator in a large computing environment, you can set up the BIG-IP system to use a remote authentication server to authenticate any network traffic passing through the BIG-IP system. This type of traffic passes through a virtual server and through Traffic Management Microkernel (TMM) interfaces. Remote authentication servers typically use one of these protocols:
- Lightweight Directory Access Protocol (LDAP)
- Remote Authentication Dial-in User Service (RADIUS)
- TACACS+ (derived from Terminal Access Controller Access Control System [TACACS])
- Online Certificate Status Protocol (OCSP)
- Certificate Revocation List Distribution Point (CRLDP)
To configure remote authentication for this type of traffic, you must create a configuration object and a
profile that correspond to the type of authentication server you are using to store your user
accounts. For example, if your remote authentication server is an LDAP server, you create an LDAP
configuration object and an LDAP profile. When implementing a RADIUS, SSL OCSP, or CRLDP
authentication module, you must also create a third type of object. For RADIUS and CRLDP
authentication, this object is referred to as a server object. For SSL OCSP authentication, this
object is referred to as an OCSP responder.
For remote LDAP authentication, the BIG-IP system provides two different LDAP modules, one of which includes support for SSL. For security reasons, F5 strongly recommends that you use the SSL Client Certificate LDAP authentication module instead of the less-secure LDAP module. This ensures that certain data sent between the BIG-IP system and the LDAP server is protected, that the bind password is stored securely, and that the BIG-IP system verifies the identity of the LDAP server.
Task summary for configuring remote LDAP authentication
To configure remote authentication for LDAP traffic, you must create a configuration object and a profile that correspond to the LDAP authentication server you are using to store your user accounts. You must also modify the relevant virtual server.
Use of this non-SSL LDAP authentication module is not secure. For security reasons, F5 strongly recommends that you use the SSL Client Certificate LDAP authentication module instead. This ensures that certain data sent between the BIG-IP system and the LDAP server is protected, that the bind password is stored securely, and that the BIG-IP system verifies the identity of the LDAP server.
Creating an LDAP configuration object for authenticating application traffic remotely
An LDAP configuration object specifies information that the BIG-IP system needs to perform the remote authentication. For example, the configuration object specifies the remote LDAP tree that the system uses as the source location for the authentication data.
- On the Main tab of the navigation pane, click.
- From the Authentication menu, choose Configurations.
- Click Create.
- In the Name field, type a unique name for the configuration object, such as my_ldap_config.
- From the Type list, select LDAP.
- In the Remote LDAP Tree field, type the file location (tree) of the user authentication database on the LDAP or Active Directory server. At a minimum, you must specify a domain component (that is, dc=value).
- In the Hosts field, type the IP address of the remote LDAP or Active Directory server.
- Click Add. The IP address of the remote LDAP or Active Directory server appears in the Hosts area.
- Retain or change the Service Port value.
- Retain or change the LDAP Version value.
- Click Finished.
You now have an LDAP configuration object that the LDAP authentication profile can
reference.
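The following pre-flight check, added here as an example and not part of the F5 documentation or product, validates the values an administrator would enter in the fields listed above (Name, Type, Remote LDAP Tree, Hosts, Service Port, LDAP Version) before committing them, and surfaces the non-SSL caveat as a warning. The dictionary keys, the default port 389 and default version 3 are assumptions of this example, not BIG-IP API names.

```python
"""Validate a proposed LDAP configuration object before creating it on the BIG-IP."""
import ipaddress
import re


def split_dn(dn: str) -> list[str]:
    """Split a DN into RDNs, honouring RFC 4514 backslash-escaped commas."""
    return [p.strip() for p in re.split(r"(?<!\\),", dn) if p.strip()]


def validate_ldap_config(cfg: dict) -> dict:
    """Return {'errors': [...], 'warnings': [...]} for the proposed object.

    Keys (assumed for this example): name, type, remote_ldap_tree, hosts,
    service_port, ldap_version.
    """
    errors, warnings = [], []
    if not cfg.get("name"):
        errors.append("Name is required")
    if cfg.get("type", "LDAP") != "LDAP":
        errors.append("Type must be LDAP for this module")
    # The Remote LDAP Tree must contain at least one domain component (dc=...).
    rdns = split_dn(cfg.get("remote_ldap_tree", ""))
    if not any(r.lower().startswith("dc=") for r in rdns):
        errors.append("Remote LDAP Tree needs at least one dc= component")
    hosts = cfg.get("hosts", [])
    if not hosts:
        errors.append("At least one host is required")
    for h in hosts:
        try:
            ipaddress.ip_address(h)  # the Hosts field takes IP addresses
        except ValueError:
            errors.append(f"Host {h!r} is not an IP address")
    port = cfg.get("service_port", 389)  # assumed default
    if not 1 <= port <= 65535:
        errors.append(f"Service Port {port} out of range")
    version = cfg.get("ldap_version", 3)  # assumed default
    if version not in (2, 3):
        errors.append(f"LDAP Version {version} unsupported")
    elif version == 2:
        warnings.append("LDAPv2 is obsolete; use version 3")
    # The caveat from the text: this module neither protects the data exchanged
    # with the LDAP server nor verifies the server's identity.
    warnings.append("Non-SSL LDAP module: exchange with the LDAP server is not "
                    "protected; prefer the SSL Client Certificate LDAP module")
    return {"errors": errors, "warnings": warnings}
```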
Creating a custom LDAP profile
The next task in configuring LDAP-based or Active Directory-based remote authentication on the BIG-IP system is to create a custom LDAP profile.
- On the Main tab, click. The Profiles list screen opens.
- Click Create. The New Authentication Profile screen opens.
- In the Name field, type a unique name for the profile.
- Select LDAP from the Type list.
- Select ldap in the Parent Profile list.
- Select the LDAP configuration object that you created from the Configuration list.
- Click Finished.
The custom LDAP profile appears in the Profiles list.
Modifying a virtual server for LDAP authentication
The final task in the process of implementing authentication using a remote LDAP server is to assign the custom LDAP profile and a default LDAP authentication iRule to a virtual server that is configured to process HTTP traffic (that is, a virtual server to which an HTTP profile is assigned).
- On the Main tab, click. The Virtual Server List screen opens.
- Click the name of a Standard type of virtual server to which an HTTP profile is assigned.
- From the Configuration list, select Advanced.
- For the Authentication Profiles setting, in the Available field, select a custom LDAP profile, and using the Move button, move the custom LDAP profile to the Selected field.
- Click Update to save the changes.
The virtual server is assigned the custom LDAP profile.