F5 Logo MyF5
Search
  1. MyF5 Home
  2. Knowledge Centers
  3. BIG-IP LTM
  4. BIG-IP Local Traffic Manager: Implementations
  5. Configuring Remote SSL LDAP Authentication
Manual Chapter : Configuring Remote SSL LDAP Authentication

Applies To:

Show Versions Show Versions
Manual Chapter
Table of Contents | << Previous Chapter | Next Chapter >>

Configuring Remote SSL LDAP Authentication

Overview of remote SSL LDAP authentication for application traffic

As an administrator in a large computing environment, you can set up the BIG-IP system to use this server to authenticate any network traffic passing through the BIG-IP system. This type of traffic passes through a virtual server and through Traffic Management Microkernel (TMM) interfaces. Remote authentication servers typically use one of these protocols:

  • Lightweight Directory Access Protocol (LDAP)
  • Remote Authentication Dial-in User Service (RADIUS)
  • TACACS+ (derived from Terminal Access Controller Access Control System [TACACS])
  • Online Status Certificate Protocol (OCSP)
  • Certificate Revocation List Distribution Point (CRLDP)

To configure remote authentication for this type of traffic, you must create a configuration object and a profile that correspond to the type of authentication server you are using to store your user accounts. For example, if your remote authentication server is an LDAP server, you create an LDAP configuration object and an LDAP profile. When implementing a RADIUS, SSL OCSP, or CRLDP authentication module, you must also create a third type of object. For RADIUS and CRLDP authentication, this object is referred to as a server object. For SSL OCSP authentication, this object is referred to as an OCSP responder.

Important: For remote LDAP authentication, the BIG-IP system provides two different LDAP modules, one of which includes support for SSL. For security reasons, F5 strongly recommends that you use the SSL Client Certificate LDAP authentication module instead of the less-secure LDAP module. This ensures that: certain data sent between the BIG-IP system and the LDAP server is protected, the bind password is stored securely, and the BIG-IP system verifies the identity of the LDAP server.

Task summary for configuring remote SSL Client Certificate LDAP authentication

To configure remote authentication for LDAP traffic, you must create a configuration object and a profile that correspond to the type of authentication server you are using to store your user accounts.

Important: For security reasons, F5 strongly recommends that you use this SSL Client Certificate LDAP authentication module instead of the less-secure LDAP authentication module when configuring remote LDAP authentication. This ensures that: certain data sent between the BIG-IP system and the LDAP server is protected, the bind password is stored securely, and the BIG-IP system verifies the identity of the LDAP server.

Creating an LDAP Client Certificate SSL configuration object

An SSL Client Certificate LDAP configuration object is part of the SSL Client Certificate LDAP authentication module and specifies information that the BIG-IP system needs to perform remote LDAP authentication. This configuration object is one of the required objects you need as a way to impose certificate-based access control on application traffic.

  1. On the Main tab of the navigation pane, click Local Traffic > Profiles .
  2. From the Authentication menu, choose Configurations.
  3. Click Create.
  4. In the Name field, type a unique name for the configuration object, such asmy_ssl_ldap_config.
  5. From the Type list, select SSL Client Certificate LDAP.
  6. In the Hostsfield, type an IP address for the remote LDAP authentication server storing the authentication data, and click Add.
    The IP address appears in the Hosts area of the screen.
  7. Repeat the previous step for each LDAP server you want to use.
  8. From the Search Type list, select one of the following:
    Option Description
    User Choose this option if you want the system to extract a user name from the client certificate and search for that user name in the remote LDAP database.
    Certificate Map Choose this option if you want the system to search for an existing user-certificate mapping in the remote LDAP database.
    Certificate Choose this option if you want the system to search for a certificate stored in the user's profile in the remote LDAP database.
  9. Click Finished.
You now have a configuration object that an SSL Client Certificate LDAP profile can reference.

Creating a custom SSL Client Certificate LDAP profile

An SSL Client Certificate LDAP profile is part of the SSL Client Certificate authentication module. Use this task to create a custom SSL Client Certificate LDAP profile.
  1. On the Main tab, click Local Traffic > Profiles > Authentication > Profiles .
    The Profiles list screen opens.
  2. Click Create.
    The New Authentication Profile screen opens.
  3. In the Name field, type a unique name for the profile.
  4. Select the Custom check box.
  5. Select SSL Client Certificate LDAP from the Type list.
  6. Select ssl_cc_ldap in the Parent Profile list.
  7. Select the name of a LDAP configuration object from the Configuration list.
  8. Click Finished.
The custom SSL Client Certificate LDAP profile appears in the Profiles list.

Modifying a virtual server for SSL Client Certificate LDAP authorization

The final task in the process of implementing authorization using a remote LDAP server is to assign the custom SSL Client Certificate LDAP profile and a default LDAP authentication iRule to a virtual server that is configured to process HTTP traffic (that is, a virtual server to which an HTTP profile is assigned).
  1. On the Main tab, click Local Traffic > Virtual Servers .
    The Virtual Server List screen opens.
  2. Click the name of a Standard-type virtual server to which an HTTP server profile is assigned.
  3. From the Configuration list, select Advanced.
  4. For the Authentication Profiles setting, in the Available field, select a custom SSL Client Certificate LDAP profile, and using the Move button, move the custom SSL Client Certificate LDAP profile to the Selected field.
  5. Click Update to save the changes.
The virtual server is assigned the custom SSL Client Certificate LDAP profile.
Table of Contents | << Previous Chapter | Next Chapter >>
Contact Support Contact Support

Have a Question?

Support and Sales >

About F5

Education

F5 Sites

Support Tasks




©2023 F5 Networks, Inc. All rights reserved.


Trademarks Policies Privacy California Privacy Do Not Sell My Personal Information