Forum Discussion
Josh_41258
Nimbostratus
Oct 21, 2011
Allow/Block access based on LDAP/AD Query
Hi,
My goal is to create an iRule or other mechanism that would allow or block access to a particular VIP. I'd like to query my Active Directory to see if a user is in a particular OU or Security Group, and allow/block access based on these criteria.
Is this even possible? If so, can someone give me some pointers?
Thanks!
4 Replies
- Michael_Yates
Nimbostratus
Hi Josh,
Try one of the following based on your LTM Version:
(v9.3.x -):
BIG-IP Local Traffic Manager version 9.3 Implementations: Configuring Remote Authentication for Application Traffic
https://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/bigip9_3implementations/BIG_IP_9_3_Implementations_Gd-24-1.html
(v10.2.x):
Configuring Remote Authentication for Application Traffic
http://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/ltm_implementation/sol_app_auth.html?sr=17218594
Hope this helps.
- Josh_41258
Nimbostratus
Thanks, looks promising! Can I specify an LDAP object/group/etc that I do NOT want to be able to access a certain VIP? Or, is my only option to specify groups that CAN access the VIP? My ultimate goal needs to allow access to the VIP for everyone EXCEPT members of a certain group/OU/ldap resource/etc.
Thanks
- Josh_41258
Nimbostratus
Thanks, looks promising! Can I specify an LDAP object/group/etc that I do NOT want to be able to access a certain VIP? Or, is my only option to specify groups that CAN access the VIP? My ultimate goal needs to allow access to the VIP for everyone EXCEPT members of a certain group/OU/ldap resource/etc.
Thanks
- nitass
Employee
> is my only option to specify groups that CAN access the VIP?

I have never done this, but I understand the following is applicable.
LDAP authentication with specific attribute
http://devcentral.f5.com/Community/GroupDetails/tabid/1082223/asg/52/aft/813305/showtab/groupforums/Default.aspx
> My ultimate goal needs to allow access to the VIP for everyone EXCEPT members of a certain group/OU/ldap resource/etc.

Not sure if not (!) is usable in the filter. Can you try?
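
Added example (not part of any reply in this thread, and not F5 code): in the standard LDAP filter syntax of RFC 4515, `!` is the NOT operator, so "everyone except members of one group" can be written as a single filter. The sketch below evaluates such a filter against constructed directory entries; the group DN, the user names and every function name are hypothetical, and whether a given BIG-IP authentication profile accepts this filter is not confirmed by the thread.

```python
import re
# Constructed sample entries standing in for Active Directory (not from the thread).
BLOCKED = "CN=NoVipAccess,OU=Groups,DC=example,DC=com"
DIRECTORY = [
    {"sAMAccountName": ["alice"], "memberOf": ["CN=Staff,OU=Groups,DC=example,DC=com"]},
    {"sAMAccountName": ["bob"], "memberOf": [BLOCKED]},
    {"sAMAccountName": ["carol"]},  # no memberOf attribute at all
]

def escape(value):
    """RFC 4515 escaping, so a submitted username cannot add filter terms."""
    return re.sub(r"[\\*()\x00]", lambda m: "\\%02x" % ord(m.group()), value)

def parse(f, i=0):
    """Parse the subset (&..) (|..) (!..) (attr=value); returns (node, next_index)."""
    if f[i] != "(":
        raise ValueError("expected '(' at offset %d" % i)
    i += 1
    if f[i] in "&|":
        op, kids, i = f[i], [], i + 1
        while f[i] == "(":
            kid, i = parse(f, i)
            kids.append(kid)
        node = (op, kids)
    elif f[i] == "!":
        kid, i = parse(f, i + 1)
        node = ("!", kid)
    else:
        end = f.index(")", i)
        attr, raw = f[i:end].split("=", 1)
        value = re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), raw)
        node, i = ("=", attr.lower(), value.lower()), end
    if f[i] != ")":
        raise ValueError("expected ')' at offset %d" % i)
    return node, i + 1

def matches(node, entry):
    if node[0] in "&|":
        results = [matches(k, entry) for k in node[1]]
        return all(results) if node[0] == "&" else any(results)
    if node[0] == "!":
        return not matches(node[1], entry)
    values = [v.lower() for k, vs in entry.items() if k.lower() == node[1] for v in vs]
    return node[2] in values  # an absent attribute never matches, so (!(...)) is true

def vip_allowed(username):  # known user AND NOT a direct member of BLOCKED
    flt = "(&(sAMAccountName=%s)(!(memberOf=%s)))" % (escape(username), escape(BLOCKED))
    tree, _ = parse(flt)
    return any(matches(tree, e) for e in DIRECTORY)
```

In Active Directory, `memberOf` lists only direct group memberships, so a deny filter of this shape does not cover nested groups or a user's primary group.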
