APIRef_tm_auth_cert-ldap

mgmt/tm/auth/cert-ldap


CERT-LDAP configuration for Single Sign-On (SSO): client-certificate-based authentication, with the certificate's subject matched against an LDAP directory.

REST Endpoints

Collection URI
/mgmt/tm/auth/cert-ldap
Collection Methods
OPTIONS, GET
Resource URI
/mgmt/tm/auth/cert-ldap/~resource id
Resource Methods
OPTIONS, GET, PUT, PATCH, DELETE, POST
Resource Natural Key
name, partition, subPath

Properties

Name Type Default Value Required Access Description
appService string   optional read/write  
bindDn string   optional read/write Specifies the distinguished name (DN) of an account to which to bind, in order to perform searches. This search account is a read-only account used to do searches. The admin account can be used as the search account. If no admin DN is specified, then no bind is attempted. This option is only required when a site does not allow anonymous searches. If the remote server is a Microsoft Windows Active Directory server, the distinguished name must be in the form of an email address.
bindPw string   optional read/write Specifies the password for the search account created on the LDAP server. This option is required if you use a bind distinguished name (DN).
bindTimeout integer 30 optional read/write Specifies a bind timeout limit, in seconds. The default value is 30 seconds.
checkHostAttr string disabled optional read/write Specifies whether the system checks the host attribute of the user's LDAP entry when authorizing a login. This option is optional. The default value is disabled.
checkRolesGroup string disabled optional read/write Specifies whether to verify a user's group membership given in the remote-role definitions, formatted as "memberOf=<group-dn>". The default value is disabled.
debug string disabled optional read/write Enables or disables syslog-ng debugging information at LOG_DEBUG level. The default value is disabled. F5 Networks does not recommend using this option for a normal configuration.
description string   optional read/write User defined description.
filter string   optional read/write Specifies a filter. Use this option for authorizing client traffic.
idleTimeout integer 3600 optional read/write Specifies the idle timeout, in seconds, for connections. The default value is 3600 seconds.
ignoreAuthInfoUnavail string no optional read/write Specifies whether the system ignores authentication information if it is not available. The default value is no.
ignoreUnknownUser string disabled optional read/write Specifies whether the system ignores an unknown user. The default value is disabled.
loginAttribute string   optional read/write Specifies a logon attribute. Normally, the value of this option is uid; however, if the server is a Microsoft Windows Active Directory server, the value must be the account name samaccountname (not case-sensitive).
loginFilter string   optional read/write Specifies the filter to be applied to the CN of the client certificate. This filter is a regular expression that extracts the required information from the CN of the client certificate, which is then matched against the LDAP search results. The default value is none.
loginName string   optional read/write Specifies the LDAP attribute to be used as a login name.
tmPartition string Common optional read/write Displays the partition within which the server resides.
port integer 389 optional read/write Specifies the port name or number for the LDAP service. Port 389 is typically used for non-SSL and port 636 is used for an SSL-enabled LDAP service.
scope string sub optional read/write Specifies the search scope. The default value is sub.
searchBaseDn string   optional read/write Specifies the search base distinguished name. The default value is none.
searchTimeout integer 30 optional read/write Specifies the search timeout, in seconds. The default value is 30 seconds.
servers string   required read/write Specifies the LDAP servers that the system must use to obtain authentication information. You must specify a server when you create a cert-ldap configuration object.
ssl string disabled optional read/write Enables or disables SSL. The default value is disabled. Note that when you use the command line interface to enable SSL for an LDAP service, the system does not change the service port number from 389 to 636, as is required. To change the port number from the command line, use the service option for this component, for example, cert-ldap name ssl enabled service 636. In a REST request, set the port property to 636 explicitly when you enable SSL.
sslCaCertFile string   optional read/write Specifies the name of an SSL CA certificate. The default value is none.
sslCheckPeer string disabled optional read/write Specifies whether the system verifies the certificate presented by the LDAP server (against the CA specified by sslCaCertFile). The default value is disabled, which means the server certificate is not validated even when ssl is enabled.
sslCiphers string   optional read/write Specifies the SSL ciphers. The default value is none.
sslClientCert string   optional read/write Specifies the name of an SSL client certificate. The default value is none.
sslClientKey string   optional read/write Specifies the name of an SSL client key. The default value is none.
sslCnameField string subjectname-cn optional read/write Specifies the value from the client certificate that provides the client name. The default value is subjectname-cn.
sslCnameOtheroid string   optional read/write Specifies the OID in dotted-decimal format of the otherName attribute of the generalName type of subjectAltName, when ssl-cname-field is san-other. The default value is none.
sso string off optional read/write Enables or disables the Single Sign-On (SSO) feature. When SSO is off, the user is prompted to authenticate to the BIG-IP system.
version integer 3 optional read/write Specifies the LDAP protocol version. The default value is 3.
warnings string enabled optional read/write Enables or disables warning messages. The default value is enabled.
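As an added example (not part of this page and not F5's own code), the following Python builds the JSON body for a POST to the collection URI, derives the resource URI from the natural key, and flags the settings in the table above that leave the LDAP bind unprotected: ssl disabled (bindPw and queries in cleartext), sslCheckPeer disabled (server certificate never verified), and port left at 389 after enabling SSL. The property names and their enabled/disabled values are the ones listed above; the ~Partition~name resource-id form is the standard iControl REST encoding of an object's fullPath. The host names, DNs, the CA certificate name and the credentials are constructed for illustration.

```python
"""Build, audit and prepare the POST that creates a cert-ldap object.

Added example, not F5 code.  The property names (servers, ssl, sslCheckPeer,
sslCaCertFile, port, ...) and their enabled/disabled values are the ones the
property table lists; the ~Partition~name resource id is the iControl REST
encoding of an object's fullPath.  Host names, DNs, file names and
credentials below are constructed for illustration.
"""
import base64
import json
import urllib.request

COLLECTION_URI = "/mgmt/tm/auth/cert-ldap"


def resource_uri(name, partition="Common", sub_path=None):
    """Resource URI for the natural key (name, partition, subPath).

    iControl REST writes an object's fullPath (/Common/sub/name) into the
    URI with every '/' replaced by '~', e.g. .../cert-ldap/~Common~name.
    """
    parts = [partition] + ([sub_path] if sub_path else []) + [name]
    return COLLECTION_URI + "/~" + "~".join(parts)


def audit(cfg):
    """Return findings for settings that weaken or break the LDAP binding.

    The checks follow the property descriptions: servers is required, bindPw
    is required with bindDn, and with ssl disabled or sslCheckPeer disabled
    the bind credentials and the server identity are not protected.
    """
    findings = []
    if not cfg.get("servers"):
        findings.append("servers is required when creating a cert-ldap object")
    if cfg.get("bindDn") and not cfg.get("bindPw"):
        findings.append("bindPw is required when bindDn is set")
    if cfg.get("ssl", "disabled") != "enabled":
        findings.append("ssl disabled: bindPw and directory queries travel in cleartext")
    else:
        if cfg.get("port", 389) == 389:
            findings.append("ssl enabled but port still 389; set port to 636")
        if cfg.get("sslCheckPeer", "disabled") != "enabled":
            findings.append("sslCheckPeer disabled: the LDAP server certificate is not verified")
        elif not cfg.get("sslCaCertFile"):
            findings.append("sslCheckPeer enabled but no sslCaCertFile to verify against")
    if cfg.get("debug", "disabled") == "enabled":
        findings.append("debug enabled: not recommended for a normal configuration")
    return findings


# Constructed sample payloads.  WEAK relies on the table defaults (ssl and
# sslCheckPeer disabled, port 389); HARDENED overrides them.
WEAK = {
    "name": "corp-ldap",
    "partition": "Common",
    "servers": ["ldap1.corp.example"],
    "searchBaseDn": "dc=corp,dc=example",
    "bindDn": "cn=bigip-search,ou=svc,dc=corp,dc=example",
    "bindPw": "s3cret-search-pw",
    "loginAttribute": "uid",
}

HARDENED = {
    **WEAK,
    "ssl": "enabled",
    "port": 636,
    "sslCheckPeer": "enabled",
    "sslCaCertFile": "/Common/corp-root-ca.crt",  # assumed CA object name
    "sslCnameField": "subjectname-cn",
    "sso": "on",
}


def prepare_post(host, user, password, cfg):
    """Prepare (without sending) the POST to the collection URI.

    iControl REST accepts HTTP Basic authentication; hand the returned
    Request to urllib.request.urlopen() to create the object.
    """
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return urllib.request.Request(
        f"https://{host}{COLLECTION_URI}",
        data=json.dumps(cfg).encode(),
        method="POST",
        headers={"Content-Type": "application/json",
                 "Authorization": f"Basic {token}"},
    )


if __name__ == "__main__":
    for label, cfg in (("WEAK", WEAK), ("HARDENED", HARDENED)):
        print(label, resource_uri(cfg["name"], cfg["partition"]), audit(cfg) or "ok")
```

The audit mirrors the table rather than the device: a BIG-IP accepts the WEAK payload without complaint, so checks like these belong in whatever pipeline pushes configuration to it, before the POST is sent.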
Copyright (c) 2016, F5 Networks Inc. All Rights Reserved.

The BIG-IP API Reference documentation contains community-contributed content. F5 does not monitor or control community code contributions. We make no guarantees or warranties regarding the available code, and it may contain errors, defects, bugs, inaccuracies, or security vulnerabilities. Your access to and use of any code available in the BIG-IP API reference guides is solely at your own risk.