Manual Chapter: Configuring Remote SSL LDAP Authentication
Applies To: BIG-IP LTM 15.0.1, 15.0.0
Overview of remote SSL LDAP authentication for application traffic
As an administrator in a large computing environment, you can set up the BIG-IP system to use a remote authentication server to authenticate any network traffic passing through the BIG-IP system. This type of traffic passes through a virtual server and through Traffic Management Microkernel (TMM) interfaces. Remote authentication servers typically use one of these protocols:
- Lightweight Directory Access Protocol (LDAP)
- Remote Authentication Dial-in User Service (RADIUS)
- TACACS+ (derived from Terminal Access Controller Access Control System [TACACS])
- Online Certificate Status Protocol (OCSP)
- Certificate Revocation List Distribution Point (CRLDP)
To configure remote authentication for this type of traffic, you must
create a configuration object and a profile that correspond to the type of authentication server
you are using to store your user accounts. For example, if your remote authentication server is
an LDAP server, you create an SSL Client Certificate LDAP configuration object and an SSL Client
Certificate LDAP profile. When implementing a RADIUS, SSL OCSP, or CRLDP authentication module,
you must also create a third type of object. For RADIUS and CRLDP authentication, this object is
referred to as a server object. For SSL OCSP authentication, this object is referred to as an
OCSP responder.
For remote LDAP authentication, the BIG-IP system
provides two different LDAP modules, one of which includes support for SSL. For security reasons,
F5 strongly recommends that you use the SSL Client Certificate LDAP authentication module instead
of the less-secure LDAP module. This ensures that certain data sent between the BIG-IP system
and the LDAP server is protected, that the bind password is stored securely, and that the BIG-IP system
verifies the identity of the LDAP server.
Task summary for configuring remote SSL LDAP authentication
To configure remote authentication for SSL LDAP traffic, you must create a configuration
object and a profile that correspond to the type of authentication server
you are using to store your user accounts.
Creating an LDAP Client Certificate SSL configuration object
An SSL Client Certificate LDAP configuration object specifies information that the BIG-IP system needs to perform the remote authentication. This configuration object is one of the required objects you need to impose certificate-based access control on application traffic.
- On the Main tab of the navigation pane, click.
- From the Authentication menu, choose Configurations.
- Click Create.
- In the Name field, type a unique name for the configuration object, such as my_ssl_ldap_config.
- From the Type list, select SSL Client Certificate LDAP.
- In the Hosts field, type an IP address for the remote LDAP authentication server storing the authentication data, and click Add. The IP address appears in the Hosts area of the screen.
- Repeat the previous step for each LDAP server you want to use.
- From the Search Type list, select one of the following:
  - User: Choose this option if you want the system to extract a user name from the client certificate and search for that user name in the remote LDAP database.
  - Certificate Map: Choose this option if you want the system to search for an existing user-certificate mapping in the remote LDAP database.
  - Certificate: Choose this option if you want the system to search for a certificate stored in the user's profile in the remote LDAP database.
- Click Finished.
You now have a configuration object that an SSL Client Certificate LDAP profile can
reference.
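The three Search Type options above differ in what the BIG-IP system looks up in the directory. The following is an added example, not F5 code or the BIG-IP implementation: it models each option in Python against a constructed in-memory stand-in for the LDAP directory, and shows the RFC 4515 escaping that any value taken from a client certificate needs before it is placed in a search filter. The attribute names (uid, userCertificate;binary, certFingerprint) and the fingerprint-keyed certificate map are assumptions for illustration, not BIG-IP defaults.

```python
# Added example, not F5 code: how the three Search Type options map to LDAP
# lookups, with RFC 4515 escaping of the value taken from the client certificate.
# The directory is a constructed in-memory stand-in; attribute names and the
# fingerprint-keyed map scheme are assumptions, not BIG-IP defaults.
import hashlib

def ldap_escape(value: str) -> str:
    """Escape RFC 4515 filter metacharacters in an assertion value."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)

def parse_equality_filter(flt: str):
    """Parse '(attr=value)' and undo the escaping, as the server side would."""
    attr, _, raw = flt[1:-1].partition("=")
    value, i = "", 0
    while i < len(raw):
        if raw[i] == "\\":
            value, i = value + chr(int(raw[i + 1:i + 3], 16)), i + 3
        else:
            value, i = value + raw[i], i + 1
    return attr, value

def search(directory: dict, flt: str) -> list:
    """Stand-in for an LDAP equality search over a dn -> attributes mapping."""
    attr, value = parse_equality_filter(flt)
    return [dn for dn, attrs in directory.items() if attrs.get(attr) == value]

def authorize(search_type: str, subject_cn: str, cert_der: bytes, directory: dict):
    """Return the single DN that authorizes the presented certificate, else None."""
    if search_type == "user":
        # User: extract the name from the certificate and look that name up.
        hits = search(directory, "(uid=%s)" % ldap_escape(subject_cn))
    elif search_type == "certmap":
        # Certificate Map: find the mapping entry for this certificate (assumed fingerprint key).
        fp = hashlib.sha256(cert_der).hexdigest()
        hits = search(directory, "(certFingerprint=%s)" % ldap_escape(fp))
    elif search_type == "cert":
        # Certificate: find the user, then require the certificate stored in the
        # entry to equal the presented one byte for byte.
        hits = [dn for dn in search(directory, "(uid=%s)" % ldap_escape(subject_cn))
                if directory[dn].get("userCertificate;binary") == cert_der]
    else:
        raise ValueError("unknown search type: " + search_type)
    return hits[0] if len(hits) == 1 else None  # no match or ambiguous: deny

# Constructed sample data (not real certificates or a real directory).
ALICE_DER = b"\x30\x82\x01\x00constructed-der-for-alice"
DIRECTORY = {
    "uid=alice,ou=people,dc=example,dc=com": {"uid": "alice", "userCertificate;binary": ALICE_DER},
    "cn=alice,ou=certmap,dc=example,dc=com": {"certFingerprint": hashlib.sha256(ALICE_DER).hexdigest()},
}
```

A subject name containing filter metacharacters is escaped and simply fails to match, and a lookup that returns more than one entry is treated as a denial rather than resolved by picking the first hit.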
Creating a custom SSL Client Certificate LDAP profile
The next task in configuring LDAP-based remote authentication on the BIG-IP system is to create a custom SSL Client Certificate LDAP profile.
- On the Main tab, click. The Profiles list screen opens.
- Click Create. The New Authentication Profile screen opens.
- In the Name field, type a unique name for the profile.
- Select the Custom check box.
- Select SSL Client Certificate LDAP from the Type list.
- Select ssl_cc_ldap in the Parent Profile list.
- Select the name of an LDAP configuration object from the Configuration list.
- Click Finished.
The custom SSL Client Certificate LDAP profile appears in the Profiles list.
Modifying a virtual server for SSL Client Certificate LDAP authorization
The final task in the process of implementing authorization using a remote LDAP
server is to assign the custom SSL Client Certificate LDAP profile and a default LDAP
authentication iRule to a virtual server that is configured to process HTTP traffic
(that is, a virtual server to which an HTTP profile is assigned).
- On the Main tab, click. The Virtual Server List screen opens.
- Click the name of a Standard-type virtual server to which an HTTP server profile is assigned.
- From the Configuration list, select Advanced.
- For the Authentication Profiles setting, in the Available field, select a custom SSL Client Certificate LDAP profile, and using the Move button, move the custom SSL Client Certificate LDAP profile to the Selected field.
- Click Update to save the changes.
The virtual server is assigned the custom SSL Client Certificate LDAP
profile.