Forum Discussion
LDAP/AD authentication
My manager has assigned the task below to me. I am on LTM version 11.3. I saw the iApp LDAP template that comes with ver 11.3 but I don't think it will work for my scenario. Any help would be much appreciated...
Scenario: We have some devices that will use LDAP/AD for authentication, but don't have the capability of doing "bound" LDAP. It is desired if possible to create an F5-based mechanism that can bind to AD and proxy the LDAP authentication requests. It is anticipated that this will be deployed in both datacenters.
In this context "bound" and "bind" mean that AD won't agree to discuss authentication with you unless you have provided credentials that have permissions to do that. The process of providing those credentials is called "binding".
Thank you.
3 Replies
- Kevin_Stewart
Employee
The LDAP iApp is for load balancing LDAP resources. Are you saying that your devices won't be able to perform bound LDAP queries, so you want the F5 to proxy the LDAP requests, as in BIND and perform the queries on the device's behalf?
Have you considered enabling anonymous LDAP queries to AD (http://windowsitpro.com/active-directory/q-how-do-i-enable-anonymous-ldap-binds-windows-server-2008-active-directory-ad)? Otherwise, the best option is to use the Access Policy Manager module (APM) to perform an LDAP bind and proxy.
- RiverFish
Altostratus
Posted By Kevin Stewart on 04/26/2013 07:37 AM
Are you saying that your devices won't be able to perform bound LDAP queries, so you want the F5 to proxy the LDAP requests, as in BIND and perform the queries on the device's behalf?
Yes, that is correct. I believe anonymous ldap queries are not an option for us. I will see if my company is willing to purchase APM. If not, is it even possible to write an iRule that will do ldap bind and proxy? I saw this: https://devcentral.f5.com/wiki/iRules.LDAPProxy.ashx
- RiverFish
Altostratus
Is it possible to inject the "binding" information into "unbound" client traffic using an iRule or Stream profile?
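The difference between "bound" and "unbound" clients discussed in this thread is visible on the wire. The following is an added example, not code from any poster or from F5: it parses LDAPMessages using the RFC 4511 tag values and reports operations sent before a credentialed bind. The sample messages are constructed, and a credentialed BindRequest is assumed to succeed because responses are not inspected.

```python
# Added example, not from the thread. Tags per RFC 4511; the three messages are constructed samples.
BIND, UNBIND, SASL = 0x60, 0x42, 0xA3
ANON_BIND = bytes.fromhex("300c020101600702010304008000")  # id 1, empty DN, empty password
SIMPLE_BIND = bytes.fromhex("3014020101600f0201030406636e3d73766380027077")  # id 1, "cn=svc"/"pw"
SEARCH = bytes.fromhex("302502010263200400" "0a01000a0100020100020100010100"
                       "870b6f626a656374436c6173733000")  # id 2, search with (objectClass=*)

def read_tlv(buf, pos):
    """Decode one BER element at buf[pos]; return (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated BER header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        if not 1 <= n <= 4 or pos + n > len(buf):
            raise ValueError("unsupported or truncated BER length")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated BER value")
    return tag, buf[pos:pos + length], pos + length

def classify(msg):
    """Return (message_id, kind) for one LDAPMessage."""
    tag, body, _ = read_tlv(msg, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage SEQUENCE")
    _, mid, pos = read_tlv(body, 0)
    op_tag, op, _ = read_tlv(body, pos)
    message_id = int.from_bytes(mid, "big")
    if op_tag != BIND:
        return message_id, "unbind" if op_tag == UNBIND else "operation"
    _, _version, p = read_tlv(op, 0)
    _, name, p = read_tlv(op, p)
    auth_tag, cred, _ = read_tlv(op, p)
    if auth_tag == SASL:
        return message_id, "sasl-bind"
    if cred:
        return message_id, "simple-bind"
    return message_id, "unauthenticated-bind" if name else "anonymous-bind"

def unbound_operations(messages):
    """IDs of operations sent before a credentialed bind (bind success is assumed)."""
    bound, flagged = False, []
    for m in messages:
        mid, kind = classify(m)
        if kind.endswith("-bind"):
            bound = kind in ("simple-bind", "sasl-bind")
        elif kind == "operation" and not bound:
            flagged.append(mid)
    return flagged
```

Run over the requests of one client connection, `unbound_operations` returns the message IDs that AD would see from an anonymous session.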