Manual Chapter : Configuring Remote LDAP Authentication

Applies To:

Show Versions Show Versions

BIG-IP LTM

  • 11.6.5, 11.6.4, 11.6.3, 11.6.2, 11.6.1
Manual Chapter

Configuring Remote LDAP Authentication

Overview of remote LDAP authentication for application traffic

As an administrator in a large computing environment, you can set up the BIG-IP system to use this server to authenticate any network traffic passing through the BIG-IP system. This type of traffic passes through a virtual server and through Traffic Management Microkernel (TMM) interfaces. Remote authentication servers typically use one of these protocols:

  • Lightweight Directory Access Protocol (LDAP)
  • Remote Authentication Dial-in User Service (RADIUS)
  • TACACS+ (derived from Terminal Access Controller Access Control System [TACACS])
  • Online Status Certificate Protocol (OCSP)
  • Certificate Revocation List Distribution Point (CRLDP)
  • Kerberos

To configure remote authentication for this type of traffic, you must create a configuration object and a profile that correspond to the type of authentication server you are using to store your user accounts. For example, if your remote authentication server is an LDAP server, you create an LDAP configuration object and an LDAP profile. When implementing a RADIUS, SSL OCSP, or CRLDP authentication module, you must also create a third type of object. For RADIUS and CRLDP authentication, this object is referred to as a server object. For SSL OCSP authentication, this object is referred to as an OCSP responder.

Task Summary

To configure remote authentication for LDAP traffic, you must create a configuration object and a profile that correspond to the LDAP authentication server you are using to store your user accounts. You must also modify the relevant virtual server.

Task list

Creating an LDAP configuration object for authenticating application traffic remotely

An LDAP configuration object specifies information that the BIG-IP system needs to perform the remote authentication. For example, the configuration object specifies the remote LDAP tree that the system uses as the source location for the authentication data.
  1. On the Main tab of the navigation pane, click Local Traffic > Profiles .
  2. From the Authentication menu, choose Configurations.
  3. Click Create.
  4. In the Name field, type a unique name for the configuration object, such asmy_ldap_config.
  5. From the Type list, select LDAP.
  6. In the Remote LDAP Tree field, type the file location (tree) of the user authentication database on the LDAP or Active Directory server.
    At a minimum, you must specify a domain component (that is, dc= value).
  7. In the Hosts field, type the IP address of the remote LDAP or Active Directory server.
  8. Click Add.
    The IP address of the remote LDAP or Active Directory server appears in the Hosts area.
  9. Retain or change the Service Port value.
  10. Retain or change the LDAP Version value.
  11. Click Finished.
You now have an LDAP configuration object that the LDAP authentication profile can reference.

Creating a custom LDAP profile

The next task in configuring LDAP-based or Active Directory-based remote authentication on the BIG-IP® system is to create a custom LDAP profile.
  1. On the Main tab, click Local Traffic > Profiles > Authentication > Profiles .
    The Profiles list screen opens.
  2. Click Create.
    The New Authentication Profile screen opens.
  3. In the Name field, type a unique name for the profile.
  4. Select LDAP from the Type list.
  5. Select ldap in the Parent Profile list.
  6. Select the LDAP configuration object that you created from the Configuration list.
  7. Click Finished.
The custom LDAP profile appears in the Profiles list.

Modifying a virtual server for LDAP authentication

The final task in the process of implementing authentication using a remote LDAP server is to assign the custom LDAP profile and a default LDAP authentication iRule to a virtual server that is configured to process HTTP traffic (that is, a virtual server to which an HTTP profile is assigned).
  1. On the Main tab, click Local Traffic > Virtual Servers .
    The Virtual Server List screen opens.
  2. Click the name of a Standard type of virtual server to which an HTTP profile is assigned.
  3. From the Configuration list, select Advanced.
  4. For the Authentication Profiles setting, in the Available field, select a custom LDAP profile, and using the Move button, move the custom LDAP profile to the Selected field.
  5. Click Update to save the changes.
The virtual server is assigned the custom LDAP profile.