Can we add more than one Remote LDAP server in LTM for Authentication?

DK_BOSS
Nimbostratus

Hi there,

I have an F5 LB with LTM only provisioned. Can I add more than one Remote LDAP server for Authentication?

I believe we need APM provisioned and need to configure a VIP for LDAP with a server pool to provide redundancy. But we do not have an APM license.

8 REPLIES

You can use the F5 PAM module without APM, but I think it will be removed in really new versions, as they are present in 13.1 but I don't know about the newer versions after that, but you can see.

https://techdocs.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/ltm-profiles-reference-13-1-0/7...

https://clouddocs.f5.com/api/irules/AUTH__authenticate.html

Example Auth:

https://devcentral.f5.com/s/articles/http-basic-access-authentication-irule-style

https://devcentral.f5.com/s/articles/client-auth-using-html-forms

https://devcentral.f5.com/s/articles/client-auth-using-http-cookie

Edit:

Extra useful article:

https://support.f5.com/csp/article/K15906

DK_BOSS
Nimbostratus

Thank you for sharing the information in the link.

But still, if we talk about the LTM-only module provisioned, does it allow me to add more than one LDAP server for redundancy? I need to know the answer for my requirement; else I would prefer TACACS+ as a remote user auth tool.

What are you talking about: authentication to the F5 device itself, or authentication of the client traffic when connecting to an F5 VIP?

For authentication of transit traffic to the F5 VS/VIP servers, have you checked https://support.f5.com/csp/article/K15906? As you can see, you are able to add more than one server inside the brackets.

ltm auth ldap ldap_config {
    search-base-dn ou=Users,dc=askf5,dc=pslab,dc=local
    servers { 172.24.171.1 }
}

Also, have you tested creating an LDAP VIP with a pool and maybe referencing the VIP IP address in the Auth profile, or for the F5 GUI in the System tab? You may also use priority groups to use just the first pool member if it is active:

https://devcentral.f5.com/s/articles/controlling-a-pool-members-ratio-and-priority-group-with-icontr...

https://support.f5.com/csp/article/K13525153

https://techdocs.f5.com/en-us/bigip-14-1-0/big-ip-local-traffic-management-basics-14-1-0/about-pools...

For the F5 GUI authentication with LDAP:

https://support.f5.com/csp/article/K11072

DK_BOSS
Nimbostratus

I need to authenticate admin console of F5 and not the Application traffic.

This support document https://support.f5.com/csp/article/K11199 works for me, which gives my answer.

The support doc https://support.f5.com/csp/article/K11072 shared by you gives me the configuration steps. Thanks for your reply.

But there is a twist: we have 90 LDAP servers for authenticating the F5 admin console and we cannot add each one of them. Can we use just the hostname reps.hed.net instead of creating pools, so that this hostname would query one of the LDAP servers for AAA?

You can use the FQDN, as mentioned in K11072:

Important: In 9.4.8 and later, if you have configured SSL and a Trusted CA, you must set the value of the Host option to an FQDN, such as ldap.example.com, rather than an IP address. The FQDN must match the FQDN embedded in the CN (CommonName) attribute of the X509 subject of the certificate presented by the Active Directory LDAP server. For example, an LDAP server may present a certificate that includes the following subject data:

Here is how to configure the F5 to resolve hostnames:

https://support.f5.com/csp/article/K13205

If you have the DNS/GTM module, it will return in the DNS response only the LDAP servers that are up, as GTM/DNS has health monitoring.
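As an added example (not code from the thread or from F5's own documentation), this is what the two configurations discussed in the replies above look like in bigip.conf form with more than one LDAP server: the `ltm auth ldap` object for transit traffic, as in K15906, and the `auth ldap system-auth` object for management GUI/SSH login with an FQDN entry, as in K11072. The object names, addresses, DNs, bind account and the name ldap.example.com are constructed placeholders; the `system-auth` object name, the `auth source` object and the `login-attribute`/`ssl` properties are assumed from the tmsh reference rather than taken from this page.

```tmsh
# Added example, not from the thread. Addresses, DNs and names are placeholders.

# 1. LDAP for transit traffic through a virtual server (the object K15906 describes).
#    Listing more than one address in the braces gives the LTM a list to fall back
#    through if the first server does not answer.
ltm auth ldap ldap_config {
    search-base-dn ou=Users,dc=example,dc=com
    servers { 172.24.171.1 172.24.171.2 }
}

# 2. LDAP for the BIG-IP management interface (GUI / SSH CLI), the OP's actual case.
#    'system-auth' is the system object name used in K11072 (assumed here).
#    With ssl enabled the server entry must be an FQDN that matches the CN of the
#    certificate the LDAP server presents, so one DNS name such as ldap.example.com
#    can stand in for many servers, provided the BIG-IP can resolve it (K13205)
#    and the DNS answer only contains servers that are actually up.
auth ldap system-auth {
    bind-dn "cn=bigip-bind,ou=Service Accounts,dc=example,dc=com"
    bind-pw "REPLACE-WITH-BIND-PASSWORD"
    search-base-dn "ou=Users,dc=example,dc=com"
    login-attribute samaccountname
    servers { ldap.example.com }
    ssl enabled
}

# 3. Switch the system authentication source from local to LDAP.
auth source {
    type ldap
}
```

With the plain-text setup the thread settles on first, `ssl enabled` is simply omitted and the `servers` entry can be either an IP or the FQDN; when SSL is turned on later, the CA that signed the LDAP server certificate must also be trusted by the BIG-IP, otherwise the FQDN/CN match described in K11072 cannot be checked.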

Perfect, will consider. Initially we will be using plain text for communication, and later SSL.

Thank you so much for your support.

Yes, and keep in mind that the APM is for remote VPN, advanced authentication of transit traffic for the virtual servers that the LTM can't do (as I mentioned, for now the LTM has basic options with auth profiles that are a legacy thing) and posture checks, so in your case it wouldn't provide anything more for the F5 web interface/SSH CLI authentication.

Thanks, that is what's needed now. Basic F5 admin console auth.