APIRef_tm_auth_cert-ldap
mgmt/tm/auth/cert-ldap
CERT-LDAP configuration for Single Sign On, a client certificate based authentication
REST Endpoints
- Collection URI: /mgmt/tm/auth/cert-ldap
- Collection Methods: OPTIONS, GET
- Resource URI: /mgmt/tm/auth/cert-ldap/~resource id
- Resource Methods: OPTIONS, GET, PUT, PATCH, DELETE, POST
- Resource Natural Key: name, partition, subPath
Properties
Name | Type | Default Value | Required | Access | Description |
---|---|---|---|---|---|
appService | string | | optional | read/write | |
bindDn | string | | optional | read/write | Specifies the distinguished name (DN) of an account to bind as in order to perform searches. This search account is a read-only account used only for searches; the admin account can be used as the search account. If no admin DN is specified, no bind is attempted. This option is only required when a site does not allow anonymous searches. If the remote server is a Microsoft Windows Active Directory server, the distinguished name must be in the form of an email address. |
bindPw | string | | optional | read/write | Specifies the password for the search account created on the LDAP server. This option is required if you use a bind distinguished name (DN). |
bindTimeout | integer | 30 | optional | read/write | Specifies a bind timeout limit, in seconds. The default value is 30 seconds. |
checkHostAttr | string | disabled | optional | read/write | Confirms the password for the bind distinguished name. This option is optional. The default value is disabled. |
checkRolesGroup | string | disabled | optional | read/write | Specifies whether to verify a user's group membership given in the remote-role definitions, formatted as "*member*of=<group-dn>". |
debug | string | disabled | optional | read/write | Enables or disables syslog-ng debugging information at LOG DEBUG level. The default value is disabled. F5 Networks does not recommend using this option for a normal configuration. |
description | string | | optional | read/write | User-defined description. |
filter | string | | optional | read/write | Specifies a filter. Use this option for authorizing client traffic. |
idleTimeout | integer | 3600 | optional | read/write | Specifies the idle timeout, in seconds, for connections. The default value is 3600 seconds. |
ignoreAuthInfoUnavail | string | no | optional | read/write | Specifies whether the system ignores authentication information if it is not available. The default value is disabled. |
ignoreUnknownUser | string | disabled | optional | read/write | Specifies whether the system ignores an unknown user. The default value is disabled. |
loginAttribute | string | | optional | read/write | Specifies a logon attribute. Normally, the value of this option is uid; however, if the server is a Microsoft Windows Active Directory server, the value must be the account name samaccountname (not case-sensitive). |
loginFilter | string | | optional | read/write | Specifies the filter to be applied to the CN of the client certificate. This filter is a regular expression that extracts the required information from the CN of the client certificate, which is then matched against the LDAP search results. The default is disabled. |
loginName | string | | optional | read/write | Specifies the LDAP attribute to be used as a login name. |
tmPartition | string | Common | optional | read/write | Displays the partition within which the server resides. |
port | integer | 389 | optional | read/write | Specifies the port name or number for the LDAP service. Port 389 is typically used for non-SSL and port 636 is used for an SSL-enabled LDAP service. |
scope | string | sub | optional | read/write | Specifies the search scope. The default value is sub. |
searchBaseDn | string | | optional | read/write | Specifies the search base distinguished name. The default value is none. |
searchTimeout | integer | 30 | optional | read/write | Specifies the search timeout, in seconds. The default value is 30 seconds. |
servers | string | | required | read/write | Specifies the LDAP servers that the system must use to obtain authentication information. You must specify a server when you create a cert-ldap configuration object. |
ssl | string | disabled | optional | read/write | Enables or disables SSL. The default value is disabled. Note that when you use the command line interface to enable SSL for an LDAP service, the system does not change the service port number from 389 to 636, as is required. To change the port number from the command line, use the service option for this component, for example, cert-ldap name ssl enabled service 636. |
sslCaCertFile | string | | optional | read/write | Specifies the name of an SSL CA certificate. The default value is none. |
sslCheckPeer | string | disabled | optional | read/write | Specifies that the system checks an SSL peer. The default value is disabled. |
sslCiphers | string | | optional | read/write | Specifies SSL ciphers. The default value is none. |
sslClientCert | string | | optional | read/write | Specifies the name of an SSL client certificate. The default value is none. |
sslClientKey | string | | optional | read/write | Specifies the name of an SSL client key. The default value is none. |
sslCnameField | string | subjectname-cn | optional | read/write | Specifies the value from the client certificate that provides the client name. The default value is subjectname-cn. |
sslCnameOtheroid | string | | optional | read/write | Specifies the OID, in dotted-decimal format, of the otherName attribute of the generalName type of subjectAltName, when ssl-cname-field is san-other. The default value is none. |
sso | string | off | optional | read/write | Enables or disables the Single Sign On (SSO) feature. SSO disabled implies that the user will be prompted to authenticate into the BIG-IP. |
version | integer | 3 | optional | read/write | Specifies the version number of the LDAP application. The default value is 3. |
warnings | string | enabled | optional | read/write | Enables or disables warning messages. The default value is enabled. |
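The following is an added example, not F5's own code, that builds the JSON body for a POST/PUT to this collection and lints it against the caveats in the table above (ssl enabled without the port moved to 636, sslCheckPeer left disabled, bindDn without bindPw, san-other without an OID). Host names, DNs and file names are constructed placeholders.

```python
"""Build and lint a cert-ldap resource body for /mgmt/tm/auth/cert-ldap.
Added example; server names, DNs and certificate file names are placeholders."""
import json

COLLECTION_URI = "/mgmt/tm/auth/cert-ldap"


def cert_ldap_body(name, servers, **props):
    """Return the request body. 'servers' is required by the API; the
    remaining keyword arguments are the optional camelCase properties."""
    if not servers:
        raise ValueError("servers is required when creating a cert-ldap object")
    body = {"name": name, "servers": list(servers)}
    body.update(props)
    return body


def lint_cert_ldap(body):
    """Return a list of findings for settings that weaken the LDAP trust
    chain or that the reference says must be set together."""
    findings = []
    ssl_on = body.get("ssl", "disabled") == "enabled"
    port = int(body.get("port", 389))
    if not ssl_on:
        findings.append("ssl disabled: LDAP bind and search traffic is unencrypted")
    if ssl_on and port == 389:
        # The reference notes the port is not switched to 636 automatically.
        findings.append("ssl enabled but port is still 389; set port 636 explicitly")
    if ssl_on and body.get("sslCheckPeer", "disabled") != "enabled":
        findings.append("sslCheckPeer disabled: the LDAP server certificate is not verified")
    if ssl_on and not body.get("sslCaCertFile"):
        findings.append("no sslCaCertFile: peer verification has no trust anchor")
    if body.get("bindDn") and not body.get("bindPw"):
        findings.append("bindDn set without bindPw, which the reference requires")
    if body.get("sslCnameField") == "san-other" and not body.get("sslCnameOtheroid"):
        findings.append("sslCnameField=san-other requires sslCnameOtheroid")
    if body.get("debug", "disabled") == "enabled":
        findings.append("debug enabled: not recommended for a normal configuration")
    return findings


if __name__ == "__main__":
    weak = cert_ldap_body("certldap-example", ["ldap1.example.test"],
                          ssl="enabled", bindDn="cn=svc,dc=example,dc=test")
    for finding in lint_cert_ldap(weak):
        print("WARN:", finding)
    print("POST", COLLECTION_URI, json.dumps(weak, indent=2))
```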
Copyright (c) 2016, F5 Networks Inc. All Rights Reserved.
The BIG-IP API Reference documentation contains community-contributed content. F5 does not monitor or control community code contributions. We make no guarantees or warranties regarding the available code, and it may contain errors, defects, bugs, inaccuracies, or security vulnerabilities. Your access to and use of any code available in the BIG-IP API reference guides is solely at your own risk.