28-Jun-2021 08:46
Hi there,
I have an F5 LB with LTM only provisioned. Can I add more than one remote LDAP server for authentication?
I believe we need APM provisioned and need to configure a VIP for LDAP with a server pool, which can provide redundancy. But we do not have an APM license.
28-Jun-2021 09:42
You can use the F5 PAM module without APM, but I think it will be removed in really new versions; they are present in 13.1, but I don't know about the newer versions after that, so you can check.
https://clouddocs.f5.com/api/irules/AUTH__authenticate.html
Example Auth:
https://devcentral.f5.com/s/articles/http-basic-access-authentication-irule-style
https://devcentral.f5.com/s/articles/client-auth-using-html-forms
https://devcentral.f5.com/s/articles/client-auth-using-http-cookie
Edit:
Extra useful article:
https://support.f5.com/csp/article/K15906
29-Jun-2021 02:41
Thank you for sharing the information in the link.
But still, if we talk about the LTM-only module provisioned, does it allow me to add more than one LDAP server for redundancy? I need to know the answer for my requirement, else I would prefer TACACS+ as a remote user auth tool.
29-Jun-2021 03:06
What are you talking about: authentication to the F5 device itself, or authentication of the client traffic when connecting to an F5 VIP?
For authentication of transit traffic to the F5 VS/VIP, have you checked https://support.f5.com/csp/article/K15906 ? As you see, you are able to add more than one server in the brackets:
ltm auth ldap ldap_config {
    search-base-dn ou=Users,dc=askf5,dc=pslab,dc=local
    servers { 172.24.171.1 }
}
Also, have you tested creating an LDAP VIP with a pool and maybe referencing the VIP IP address in the auth profile, or for the F5 GUI in the System tab? You may also use priority groups to use just the first pool member if it is active:
https://support.f5.com/csp/article/K13525153
For the F5 GUI authentication with LDAP:
29-Jun-2021 19:07
I need to authenticate admin console of F5 and not the Application traffic.
This support document https://support.f5.com/csp/article/K11199 works for me and gives my answer.
The support doc https://support.f5.com/csp/article/K11072 shared by you gives me the configuration steps. Thanks for your reply.
But there is a twist: we have 90 LDAP servers for authenticating the F5 admin console, and we cannot add each one of them. Can we use just the hostname reps.hed.net instead of creating pools, so that this hostname would query one of the LDAP servers for AAA?
29-Jun-2021 22:21
You can use the FQDN, as mentioned in K11072:
Important: In 9.4.8 and later, if you have configured SSL and a Trusted CA, you must set the value of the Host option to an FQDN, such as ldap.example.com, rather than an IP address. The FQDN must match the FQDN embedded in the CN (CommonName) attribute of the X509 subject of the certificate presented by the Active Directory LDAP server. For example, an LDAP server may present a certificate that includes the following subject data:
Here is how to configure the F5 to resolve hostnames:
https://support.f5.com/csp/article/K13205
If you have the DNS/GTM module, it will return in the DNS response only the LDAP servers that are up, as GTM/DNS has health monitoring.
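An added example, not from the thread or from F5: before pointing the BIG-IP system auth at a single FQDN that fronts many LDAP servers, it helps to confirm that the name really resolves to several addresses and, once LDAPS is enabled, that each server's certificate carries that FQDN (the K11072 note above says the Host value must match the certificate CN). The hostnames, addresses and certificate dicts below are constructed; the name-matching logic is a stand-alone check on the dict format Python's `getpeercert()` returns.

```python
"""Added example (not the thread's or F5's code): resolve an LDAP FQDN to all of
its addresses and verify that each LDAPS server presents a certificate for that
FQDN. Sample names (reps.hed.net) and addresses are constructed."""
import socket
import ssl


def resolve_ldap_hosts(fqdn: str) -> list[str]:
    """Return the unique IPv4 addresses behind fqdn (needs network access)."""
    infos = socket.getaddrinfo(fqdn, 389, socket.AF_INET, socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})


def _label_match(pattern: str, name: str) -> bool:
    """Case-insensitive compare allowing one leftmost wildcard label (RFC 6125 style)."""
    pattern, name = pattern.lower(), name.lower()
    if not pattern.startswith("*."):
        return pattern == name
    parts = name.split(".", 1)  # "*.hed.net" matches "reps.hed.net", not "a.b.hed.net"
    return len(parts) == 2 and parts[1] == pattern[2:]


def cert_matches_fqdn(cert: dict, fqdn: str) -> bool:
    """Check a getpeercert()-style dict: SAN dNSName entries win, CN is only a fallback."""
    san_names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if san_names:
        return any(_label_match(n, fqdn) for n in san_names)
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return _label_match(value, fqdn)
    return False


def check_ldaps_server(fqdn: str, ip: str, ca_file: str, port: int = 636) -> dict:
    """Connect to one resolved address over TLS (needs network), validate the chain
    against the trusted CA, then report whether the certificate names the FQDN."""
    ctx = ssl.create_default_context(cafile=ca_file)
    ctx.check_hostname = False  # chain is still verified; the name check is ours
    ctx.verify_mode = ssl.CERT_REQUIRED
    with socket.create_connection((ip, port), timeout=5.0) as raw:
        with ctx.wrap_socket(raw, server_hostname=fqdn) as tls:
            cert = tls.getpeercert()
    return {"ip": ip, "name_matches": cert_matches_fqdn(cert, fqdn)}


if __name__ == "__main__":
    # Constructed usage: hostname from the thread, CA path is a placeholder.
    for addr in resolve_ldap_hosts("reps.hed.net"):
        print(check_ldaps_server("reps.hed.net", addr, "/path/to/trusted-ca.pem"))
```

Any address that fails chain validation raises `ssl.SSLCertVerificationError`, which is the server that would break BIG-IP admin logins once SSL is turned on.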
29-Jun-2021 23:07
Perfect, will consider. Initially we will be using plain text for comm., and later SSL.
Thank you so much for your support.
29-Jun-2021 23:18
Yes, and keep in mind that APM is for remote VPN, advanced authentication of transit traffic for the virtual servers that LTM can't do (as I mentioned, for now LTM has basic options with auth profiles that are a legacy thing) and posture checks, so in your case it wouldn't provide anything more for the F5 web interface/SSH CLI authentication.
29-Jun-2021 23:22
Thanks, that is what is needed now: basic F5 admin console auth.