Forum Discussion
Can we add more than one Remote LDAP server in LTM for Authentication
Hi there,
I have an F5 LB with only LTM provisioned. Can I add more than one Remote LDAP server for Authentication?
I believe we need APM provisioned and need to configure a VIP for LDAP with a server pool, which can provide redundancy. But we do not have an APM license.
You can use the F5 PAM module without APM, but I think it will be removed in really new versions. They are present in 13.1, but I don't know about the newer versions after that; you can check.
https://clouddocs.f5.com/api/irules/AUTH__authenticate.html
Example Auth:
https://devcentral.f5.com/s/articles/http-basic-access-authentication-irule-style
https://devcentral.f5.com/s/articles/client-auth-using-html-forms
https://devcentral.f5.com/s/articles/client-auth-using-http-cookie
Edit:
Extra useful article:
https://support.f5.com/csp/article/K15906
- DK_BOSS
Nimbostratus
Thank you for sharing the information in the link.
But still, if we talk about only the LTM module being provisioned, does it allow me to add more than one LDAP server for redundancy? I need to know the answer for my requirement; otherwise I would prefer TACACS+ as a remote user auth tool.
What are you talking about: authentication to the F5 device itself, or authentication of the client traffic when connecting to an F5 VIP?
For authentication of transit traffic to the F5 VS/VIP servers, have you checked https://support.f5.com/csp/article/K15906 ? As you can see, you are able to add more than one server in the brackets:
ltm auth ldap ldap_config {
    search-base-dn ou=Users,dc=askf5,dc=pslab,dc=local
    servers { 172.24.171.1 }
}
Also, have you tested creating an LDAP VIP with a pool and maybe referencing the VIP IP address in the Auth profile, or for the F5 GUI in the System tab? You may also use priority groups to use just the first pool member if it is active:
https://support.f5.com/csp/article/K13525153
For the F5 GUI authentication with LDAP:
- DK_BOSS
Nimbostratus
I need to authenticate admin console of F5 and not the Application traffic.
This support document https://support.f5.com/csp/article/K11199 works for me and gives my answer.
The support doc https://support.f5.com/csp/article/K11072 shared by you gives me the configuration steps. Thanks for your reply.
But there is a twist: we have 90 LDAP servers for authenticating the F5 admin console, and we cannot add each one of them. Can we use just the hostname reps.hed.net instead of creating pools, so that this hostname would query one of the LDAP servers for AAA?
You can use the FQDN as mentioned in K11072:
Important: In 9.4.8 and later, if you have configured SSL and a Trusted CA, you must set the value of the Host option to an FQDN, such as ldap.example.com, rather than an IP address. The FQDN must match the FQDN embedded in the CN (CommonName) attribute of the X509 subject of the certificate presented by the Active Directory LDAP server. For example, an LDAP server may present a certificate that includes the following subject data:
Here is how to configure the F5 to resolve hostnames:
https://support.f5.com/csp/article/K13205
If you have the DNS/GTM module, it will return in the DNS response only the LDAP servers that are up, as GTM/DNS has health monitoring.
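The thread ends on two practical points: the BIG-IP "Host" list for remote LDAP can hold several entries (or one DNS name that resolves to several servers), and once SSL with a trusted CA is enabled the configured Host must be an FQDN that matches the name in the server certificate. The script below is an added example written for this thread; it is not F5 code and not from any of the posts. It assumes the tmsh object is `auth ldap system-auth` with a `servers` list (the tmsh side of the K11072 GUI "Host" field) and that `replace-all-with` is the tmsh list-replacement keyword; the hostnames ldap.example.com and ldap1.example.com are placeholders. `build_tmsh_command` produces the tmsh line for a list of hosts, `host_matches_cert` applies the CN/SAN name rule offline to a constructed certificate dict, and `probe` resolves a DNS name to every address and tests each one the way the BIG-IP would have to, so dead members behind a round-robin name show up before users start failing to log in.

```python
"""Pre-flight checks before pointing BIG-IP system authentication at
several LDAP servers or at one DNS name that fronts them.

Added example for this thread; it is not F5 code and not from the
original posts. Assumptions: the tmsh object `auth ldap system-auth`
takes a `servers` list (the tmsh side of the K11072 GUI "Host" field),
`replace-all-with` is the tmsh list-replacement keyword, and the names
ldap.example.com / ldap1.example.com are placeholders.
"""
import ipaddress
import socket
import ssl

LDAP_PORT = 389
LDAPS_PORT = 636


def build_tmsh_command(servers):
    """Return the tmsh line that sets the LDAP host list for GUI/SSH logins.

    Blank entries are dropped and duplicates removed while keeping order,
    because the BIG-IP tries the hosts in the order they are listed.
    """
    unique = list(dict.fromkeys(s.strip() for s in servers if s.strip()))
    if not unique:
        raise ValueError("at least one LDAP server is required")
    return ("tmsh modify auth ldap system-auth servers replace-all-with { %s }"
            % " ".join(unique))


def _name_matches(pattern, name):
    """Case-insensitive DNS name match with a leftmost-label wildcard only."""
    pattern, name = pattern.lower().rstrip("."), name.lower().rstrip(".")
    if pattern == name:
        return True
    if pattern.startswith("*.") and "*" not in pattern[2:]:
        head, dot, rest = name.partition(".")
        return dot == "." and head != "" and rest == pattern[2:]
    return False


def host_matches_cert(host, cert):
    """Check the configured Host against a getpeercert()-style dict.

    Returns "san" (a SAN dNSName matched), "cn" (the subject CN matched,
    the field K11072 says the BIG-IP compares) or None. An IP address as
    Host never matches a name-based certificate, which is why K11072
    requires an FQDN once SSL and a trusted CA are configured.
    """
    try:
        ipaddress.ip_address(host)
        return None
    except ValueError:
        pass
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    cns = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    if any(_name_matches(n, host) for n in sans):
        return "san"
    if any(_name_matches(n, host) for n in cns):
        return "cn"  # RFC 6125 clients ignore CN when SANs are present
    return None


def probe(host, port=LDAPS_PORT, timeout=5.0, cafile=None):
    """Resolve host to every address and test each one, as a BIG-IP would
    when the Host is a DNS name that returns several records.

    Result per IP: "tcp-ok" for plain LDAP, "san"/"cn" when the LDAPS
    certificate verifies against the CA and matches the name, or
    "fail: <reason>".
    """
    results = {}
    for _family, _type, _proto, _canon, sockaddr in socket.getaddrinfo(
            host, port, type=socket.SOCK_STREAM):
        ip = sockaddr[0]
        if ip in results:
            continue
        try:
            with socket.create_connection((ip, port), timeout=timeout) as raw:
                if port != LDAPS_PORT:
                    results[ip] = "tcp-ok"
                    continue
                ctx = ssl.create_default_context(cafile=cafile)
                # server_hostname is the configured Host, not the IP: that is
                # exactly the comparison the BIG-IP makes against the cert.
                with ctx.wrap_socket(raw, server_hostname=host) as tls:
                    results[ip] = (host_matches_cert(host, tls.getpeercert())
                                   or "fail: name mismatch")
        except (OSError, ssl.SSLError) as exc:
            results[ip] = "fail: %s" % exc
    return results


if __name__ == "__main__":
    import sys
    hosts = sys.argv[1:] or ["ldap.example.com"]
    print(build_tmsh_command(hosts))
    for h in hosts:
        for ip, status in probe(h).items():
            print("%s -> %s: %s" % (h, ip, status))
```

Run it with the hostnames you intend to put in the Host list (`python3 ldap_preflight.py ldap1.example.com ldap2.example.com`); pass the internal CA bundle via `cafile` if the LDAP servers use a private CA, otherwise every LDAPS probe will report a verification failure even when the name matches.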
- DK_BOSS
Nimbostratus
Perfect, will consider. Initially we will be using plain text for communication, and later SSL.
Thank you so much for your support.