Forum Discussion
NimbostratusCan we add more than one Remote LDAP server in LTM for Authentication
Hi there,
I have F5 LB with LTM only provisioned. Can I add more than one Remote LDAP server for Authentication.
I believe we need APM provisioned and need to configure VIP for ldap with server pool can provide redundancy. But we donot have APM license.
8 Replies
- Nikoolayy1
MVP
You can use the F5 PAM module without APM but I think it will be removed in reallly new versions as they are present in 13.1 but I don't know for the newer versions after that but you can see.
https://clouddocs.f5.com/api/irules/AUTH__authenticate.html
Example Auth:
https://devcentral.f5.com/s/articles/http-basic-access-authentication-irule-style
https://devcentral.f5.com/s/articles/client-auth-using-html-forms
https://devcentral.f5.com/s/articles/client-auth-using-http-cookie
Edit:
Extra usefull article:
https://support.f5.com/csp/article/K15906
DK_BOSSThank you for sharing the information in the link.
But still if we talk about LTM only module provisioned , does it allow me to add more than one LDAP server for redundancy. I need to know the answer for my requirement else I would prefer Tacacs+ as an remote user auth tool.
- Nikoolayy1
For what are you talking for authentication to the F5 device itself or for authntication of the client traffic when connecting to an f5 VIP?
For authentication of transit traffic to the F5 VS VIP servers have you checked https://support.f5.com/csp/article/K15906 ? As you see to be able to add more than one servers in the brakets.
ltm auth ldap ldap_config {
search-base-dn ou=Users,dc=askf5,dc=pslab,dc=local
servers { 172.24.171.1 }
}
Also have you tested creating an LDAP VIP with pool and maybe refernce the VIP ip address in the Auth profile or for the F5 GUI in the system tab? You may also use priority groups to use just the first pool member if active:
https://support.f5.com/csp/article/K13525153
For the F5 GUI authentication with LDAP:
- DK_BOSS
I need to authenticate admin console of F5 and not the Application traffic.
This support document https://support.f5.com/csp/article/K11199 woks for me which gives my answer.
The support doc https://support.f5.com/csp/article/K11072 shared by you gives me the configuration steps. Thanks for your reply.
But there is a twist , we have 90 LDAP servers for Authenticating F5 admin console and we cannot add each one of it. Can we use just hostname reps.hed.net instead of creating pools and this hostname would query one of the LDAP server for AAA.
- Nikoolayy1
You can use the FQDN as mentions in K11072:
Important: In 9.4.8 and later, if you have configured SSL and a Trusted CA, you must set the value of the Host option to an FQDN, such as ldap.example.com, rather than an IP address. The FQDN must match the FQDN embedded in the CN (CommonName) attribute of the X509 subject of the certificate presented by the Active Directory LDAP server. For example, an LDAP server may present a certificate that includes the following subject data:
Here is how to configure the F5 to resolve hostnames:
https://support.f5.com/csp/article/K13205
If you have DNS/GTM module it will return in the DNS responce only the ldap servers that are up as GTM/DNS has health monitoring.
- DK_BOSS
Perfect, will consider. Initially we will be using plain text for comm. And later with SSL.
Thank you so much for your support.
