REMOTE AUTHENTICATION OF BIGIP THROUGH LDAP AND LDAPS ( MICROSOFT AD)

 

Hello Guys , Today we are going to discuss about configuration of F5's Remote Authentication using Microsoft AD over LDAP and LDAP over SSL

Firstly , To discuss about the difference between AD and LDAP , AD ( Active directory) is the database where the Schema of information present about a user for Authentication whereas LDAP is the open source protocol used to access the information present in the database 

For this Exercise , We are using Microsoft 2012 R2 server for ADDS ( Active directory Domain Services ) and also for ADCS(Active directory certificate services) and also windows 7 professional client from where we will access the BIGIP and also the BIGIP device accessed through remote authentication

what is important in configuration of ADDS?

Firstly Login to the server and change the computer name accordingly

on the start-->Run-->control panel --> System and Security --->System--->Properties--->Computer name 

I have given a Computer name to LDAPSTEST

Now Add the ADDS Feature and ADCS feature to the server 

• Go to server manager ---> Add Roles and Features ---> Check the ADDS feature --->Next
• By Default DNS server is created when adding AD so need of adding any DNS feature
• Once the ADDS is installed , In the event manager , ADDS service prompts to prompote a Domain controller 
• As we are configuring AD for the first time , Start by creating a Forest ( To understand what is forest It is a combination of one or more domains with one domain controller managing different domains ) 
• Forest name has to be fully qualified name , So I have configured ldapstest.com as the forest name 
• Then the Menu prompts for a suggested Netbios name , Accept as default
• Then Menu prompts for selected the Common name , Domain names , Select the common name as ldapstest and leave DN as default that is given 
• Then the domain will be prompted
• To see the hierarchy of my AD , Kindly check below

Go to Server manager --> Tools ---> Active directory users and forests

 

 

Here ldapstest.com is the domain in the forest and also the same server is acting as a domain controller.

I have created an organisation unit called engineering where i have created the users under that , If we see my directory hierarchy it is same as below

We are done with Configurations on AD and now LDAP listens on Non SSL port 386 

To Configure BIGIP

 

Host is the IP address of the server and port is the non-ssl port for LDAP , Remote directory tree is the LDAP hierarchy on the server , How did i found out that 

This can be easily figured out using ldp.exe , Go to server powershell and type ldp.exe and an ldp client opens

Click on Connection on the client and click on Bind --->select simple bind and add users which is created in the AD's Organization unit and give the password , Type the domain ( In my case ldapstest.com)

Click OK and once the Credentials are authenticatied on the LDP client , click on View and tree ,and input the Base DN ( which is Distinguished name ( Here in our case it is ldapstest.com) , Hierarchy will be seen

In my case I have created a user called lab in engineering OU's for LDAP bind operation

How does LDAP connection establishes and Authentciation happens

• LDAP connection from the BIGIP to LDAP server starts when we input the credentials and the first message is LDAP Bind request where BIGIP provides the CN( Common name ) The user name with which BIGIP authenticate to LDAP Server DC ( Distinguished component of the Domain name , in this case DC=ldapstest , DC=com)
• Once the credentials are authenticted BING success message is seen
• Then the client sends the SAMACCOUNTNAME that the user inputted to login to BIGIP and the that happens with a searchRequest , This search request searches the entire subdirectories provides in the DN ( in our case it searches all the hierachical directories presented in the above snapshot) and finds if the user is already present in the AD database

• If the SAMaccountname is identified in the database , Searchresponse provides the LDAP references and the attributes of the SAM account name and the client uses those references to form a bind request , On successful authentication Bind response is sent to the client and the device gets authenticated 

Drawback of LDAP is all the communication between BIGIP and the LDAP server happens over clear text just like we see in the above screenshot 

To overcome this we can use LDAP over SSL for the communication between BIGIP and the LDAP server and everything will be encrypted over a secured TLS communication

To get that , We are using ADCS ( Active directory certificate services ) to get the certificate

• Step1 would be enabling the roles of ADCS from server manager --->Manage --->ADCS 
• Once the ADCS is enabled , Go to tools and certificate authorities and create a certificate for a common name , I prefer using the Comman name as ldapstest.com (you can use as you prefer)
• After successful creation we will be seeing two certificates in our servers trust store
• From the start--> go to manage certificates 

• Export the root certificate without the private key by clicking on the certificate-->All tasks-->Export , The menu prompts you if you need the private key to be exported , you can say it as no and export the cert in .cer format 
• This certicate we will be using for server authentication while establishing the communication between BIGIP and the LDAP server
• Once this is done , Import this certificate on the BIGIP
• Now navigate to users-->Authentication 

• Changed the port to 636 as it is default port for LDAP over SSL
• Have enabled the SSL and added the SSL CA certificate which we have imported in the last step

• Now the communication will be secured between BIGIP and LDAP server over SSL