For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Jason_46956's avatar
Jason_46956
Icon for Nimbostratus rankNimbostratus
Feb 17, 2011

LDAP Password Expiry and CHanges through APM

All,     We are migrating a whole suite of applications from Aventail appliances to some new F5 appliances. To replace the Aventail authentication functionality we are using the APM module to pr...
app sec
BIG-IP Access Policy Manager (APM)
security
umiotoko_95283's avatar
umiotoko_95283
Icon for Nimbostratus rankNimbostratus
Jan 31, 2014

There is a F5 article on how to do this, but I had trouble finding it the first time (and now). Here's an external link on how to do it. http://f5admin.blogspot.com/2012/11/load-balancing-microsoft-active.html

 

Create a local VIP for your favorite LDAP port, put a pool behind it, put your LDAP servers in the pool. You'll need an LDAP monitor, this is the only tricky part. Using an LDAP debug tool (ldp.exe, or newer) you will have to create a LDAP search string to put in the monitor.

 

You will need credentials in the LDAP monitor, this calls for a dedicated service account where the credentials don't expire.

 

Some hints - we've had intermittent issues when we bind the LDAP VIP to a local network IP (say on the management or LAN segment. Suggest creating a loopback (private) segment by putting a network cable on two physical ports, then binding a non-routable segment to this loopback. Then put your VIP on this segment, now it can only be used by the F5.

 

Limit the LDAP search scope as tight as possible. If your LDAP search scope is from the top down of AD, you could have slow authentication performance while it trolls through sub-OU's looking for your user accounts. Limit the scope of the returned search data, you can minimize your return from 10kbytes to 2 or 3.

 

JoshBecigneul's avatar
JoshBecigneul
Icon for MVP rankMVP
Feb 06, 2014
I do not believe you need to attach a cable to create a non-routable network segment. I would imagine the only time you may need to use a cable is in an active-active scenario, where either unit may need access to the virtual services in that range. If you are only running active-standby, then I believe you could forgo assigning an interface to the VLAN entirely.