Forum Discussion
William_Them_99
Nimbostratus
Jun 04, 2005
Multiple LDAP Authentication Profiles?
We are interested in configuring authentication profiles that use LDAP as a means to verify passed-in attributes from client certificates. It is very possible, though, that we will need to be able to search multiple LDAP servers (or at least multiple instances via different ports on the same server) to authenticate users.
From the LDAP authentication profile config, it looks like you can have multiple servers/ports by just adding them to the list. It seems to me, though, that all of these servers need to have the same tree structure in order to work, as you can only declare one user root (e.g. ou=our_ou,o=our_company.) We will probably need one virtual server to be able to search multiple LDAP servers that have different tree structures.
Is it possible to do this by applying two different LDAP authentication profiles to one virtual server? Or is this not possible? Any suggestions?
Thanks for the help - this is one of our key feature needs in the eval.
- Have you contacted F5 Product Technical Support? DevCentral is run by the Development staff to help out with building iRules and iControl applications. To me, this looks like a product configuration question. If so, then F5 Product Support is much better suited to help you out.
- Tao_Liu_90341 (Historic F5 Account): That is possible, but you need to write your own auth rules for these.

    rule profile_rule1 {
        when CLIENT_ACCEPTED {
            # Per-connection state; one PAM auth session for this LDAP profile
            set hold 0
            set success 0
            set fail 0
            set tmm_auth_ssl_cc_ldap_sid1 [AUTH::start pam profile_name1]
        }
        when CLIENTSSL_CLIENTCERT {
            if {$success == 0} {
                # Submit the client certificate as the credential and hold the
                # SSL handshake until an auth event arrives
                AUTH::cert_credential $tmm_auth_ssl_cc_ldap_sid1 [SSL::cert 0]
                AUTH::authenticate $tmm_auth_ssl_cc_ldap_sid1
                if {$hold == 0} {
                    SSL::handshake hold
                    incr hold
                }
            }
        }
        when AUTH_SUCCESS {
            if {$tmm_auth_ssl_cc_ldap_sid1 eq [AUTH::last_event_session_id]} {
                incr success
                # First success releases the handshake
                if {$success == 1} {
                    SSL::handshake resume
                }
            }
        }
        when AUTH_FAILURE {
            if {$tmm_auth_ssl_cc_ldap_sid1 eq [AUTH::last_event_session_id]} {
                incr fail
                # Reject only after the second failure (i.e. both profiles failed)
                if {$fail == 2} {
                    reject
                }
            }
        }
        when AUTH_WANTCREDENTIAL {
            if {$tmm_auth_ssl_cc_ldap_sid1 eq [AUTH::last_event_session_id]} {
                reject
            }
        }
        when AUTH_ERROR {
            if {$tmm_auth_ssl_cc_ldap_sid1 eq [AUTH::last_event_session_id]} {
                reject
            }
        }
    }
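The rule above only drives one LDAP profile; its `$fail == 2` check expects a second rule for the other profile that increments the same connection-scoped counters. As an added example (editor's code, not from the original post or from F5), the following single iRule does the same job for both profiles in one place: it starts a PAM auth session for each LDAP authentication profile, submits the same client certificate to both, holds the SSL handshake, resumes it on the first success from either tree, and rejects only once both have failed. The profile names `ldap_profile_a` and `ldap_profile_b` are placeholders for your two LDAP authentication profiles (each with its own user root); every AUTH:: and SSL:: command used is the one already shown in the reply above.

```tcl
# Added example, not the original poster's rule. Profile names below are
# assumptions: replace with the names of your two LDAP auth profiles.
rule cc_ldap_two_trees {
    when CLIENT_ACCEPTED {
        # One PAM auth session per LDAP profile, tracked per connection
        set sid_a [AUTH::start pam ldap_profile_a]
        set sid_b [AUTH::start pam ldap_profile_b]
        set hold 0
        set success 0
        set fail 0
    }
    when CLIENTSSL_CLIENTCERT {
        if {$success == 0} {
            # Same client cert goes to both trees; handshake stays held
            # until one tree succeeds or both fail
            set cert [SSL::cert 0]
            AUTH::cert_credential $sid_a $cert
            AUTH::authenticate $sid_a
            AUTH::cert_credential $sid_b $cert
            AUTH::authenticate $sid_b
            if {$hold == 0} {
                SSL::handshake hold
                incr hold
            }
        }
    }
    when AUTH_SUCCESS {
        set sid [AUTH::last_event_session_id]
        if {$sid eq $sid_a || $sid eq $sid_b} {
            incr success
            # First success from either tree releases the handshake
            if {$success == 1} {
                SSL::handshake resume
            }
        }
    }
    when AUTH_FAILURE {
        set sid [AUTH::last_event_session_id]
        if {$sid eq $sid_a || $sid eq $sid_b} {
            incr fail
            # Reject only when both trees have failed and neither succeeded
            if {$fail == 2 && $success == 0} {
                reject
            }
        }
    }
    when AUTH_WANTCREDENTIAL {
        # Certificate auth has no further credential to offer; treat as a failure
        set sid [AUTH::last_event_session_id]
        if {$sid eq $sid_a || $sid eq $sid_b} {
            reject
        }
    }
    when AUTH_ERROR {
        set sid [AUTH::last_event_session_id]
        if {$sid eq $sid_a || $sid eq $sid_b} {
            reject
        }
    }
}
```

If you keep the two-rule layout from the reply instead, both rules must use the same `hold`, `success` and `fail` variable names: iRule variables are scoped to the connection and shared by every iRule on the virtual server, which is what lets the `$fail == 2` test in one rule see the failure recorded by the other. Note that either layout resumes the handshake on the first success, so a user present in only one of the two trees is accepted; a failure or error in the other tree is then ignored for that connection.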