How to: Configure LDAP Authentication policies using BIG-IP Central Manager

You can use LDAPS in place of LDAP when the authentication messages between the BIG-IP Next Access and the LDAP server must be secured with encryption. However, there are instances where you will not need LDAPS and the security it provides. For example, authentication traffic happens on the internal side of BIG-IP Next Access, and might not be subject to observation by unauthorized users. Another example of when not to use LDAPS is when authentication is used on separate VLANs to ensure that the traffic cannot be observed by unauthorized users.

Using BIG-IP Next Central Manager GUI

The following example creates a new LDAP Authentication Access policy using the BIG-IP Next Central Manager user interface.

  1. Log in to BIG-IP Next Central Manager. Navigate to the Security canvas > Security > Access > Policies path.

  2. To create a policy, click the Start Creating button. By default, there are no policies created. The Create Policy page opens, and the Visual Policy Designer (VPD) canvas appears.

  3. Select the required policy type radio button. Available policy options are the Per-Session Policy and Per-Request Policy.

  4. In the How would you like to create it? section, select whether to create the policy from a template or from scratch. Available options are Create using a policy template and Start from scratch. Selecting Create using a policy template is recommended because it is the quicker way to get a working policy.

  5. In the Policy Templates section, select the required policy template. Available options are Logon Page with Active Directory Query and SAML as a Service Provider. When the Logon Page with Active Directory Query is selected, this policy template includes a Logon Page and Active Directory rules for Authentication and Authorization purposes. When the SAML as a Service Provider is selected, this policy template includes SAML Federation and Variable Assign rules to configure for a SAML Service Provider setup.

  6. Click Next. Based on the selection of the policy type, the applicable policy configurations are displayed.

  7. On the General Properties tab, enter a Policy Name for the policy.

  8. Scroll through the remaining properties and revise any value that you want to change from its default setting.

  9. Click Continue. The Session Properties tab of the respective policy page appears.

  10. On the Session Properties tab, scroll through the properties and revise any value that you want to change from its default setting.

  11. Click Continue. The Logging tab of the respective policy page appears.

  12. On the Logging tab, scroll through the properties and revise any value that you want to change from its default setting.

  13. Click Continue. The Single Sign-On tab of the respective policy page appears.

  14. Single Sign-On (SSO) provides seamless access to the applications protected through BIG-IP Next Access. It allows administrators to use more modern authentication techniques, such as SAML or OAuth, and translate them to something the back-end application supports, such as Kerberos or Forms.

  15. On the Single Sign-On tab, click Start Creating to select the required authentication type. Available options are Forms, Forms Client-Initiated, HTTP Basic, Kerberos, and OAuth Bearer. When one of the authentication types is selected, its respective configuration page appears. Fill in the required values in the given fields and save the configuration.
    Refer to Single Sign-On methods for more information.

  16. Click Continue. The Endpoint Security tab of the respective policy page appears.

  17. On the Endpoint Security tab, choose the applicable version from its default setting.

  18. Click Continue. The Resources tab of the respective policy page appears.

  19. Resources extend BIG-IP Next Access with additional capabilities such as Network Access, Access Control, Identity Providers, and Webtops.

  20. On the Resources tab, click Start Creating to select the required resource. Available options are Access Control List, Network Access, Webtop, and Webtop Section.

  21. Click Continue. The Connectivity tab of the respective policy page appears.

  22. On the Connectivity tab, scroll through the properties and revise any value that you want to change from its default setting.

  23. Click Continue. The Policy Endings tab of the respective policy page appears.

  24. On the Policy Endings tab, scroll through the properties and revise any value that you want to change from its default setting.

  25. Click Finish. A required access policy is created.
    The VPD canvas opens.

  26. Drag an empty flow into the VPD canvas.

  27. On the empty flow, click the Expand icon.
    The flow expands so you can edit it.

  28. On the VPD side bar, click the Rule icon, and then drag the LDAP Authentication rule onto the empty flow.

  29. Hover the cursor over the LDAP Authentication rule and then click the Edit icon.
    The Rule Properties tab of the Rule Configuration page opens.

  30. Specify Rule Properties for the policy.

    1. For Name, type the name for the rule.

    2. Under Server, click Start Creating.
      The Server Properties page opens to the Server Properties tab.

      1. For Name, type the name for the LDAP server.

      2. For Base Search DN, specify the base DN from which to search. This search DN is used to search for groups across the whole directory.

      3. For Admin DN, specify the Distinguished Name (DN) of the user with administrator rights. This is a required setting.

      4. For Admin Password, specify the admin password for the LDAP server and then type it again in the Verify Admin Password field.

      5. For Timeout, specify a timeout interval (in seconds) for the AAA server after which the server closes a connection. The default value is 15.

      6. For Group Cache Lifetime, specify a lifetime for the group cache in days. The default value is 30.

      7. For LDAPs, specify whether to use LDAPS (LDAP over TLS) instead of plain LDAP during authentication. The default value is No. When set to Yes, you must also specify the TLS Cipher String.

      8. Click Continue.
        The Server Properties page opens to the Schema Properties tab.

      9. For User Object Class, specify the value of the objectClass attribute for a user object. The default value is user.

      10. For User Membership, if the user object maintains a group membership, specify the value of the membership attribute. The default value is memberOf.

      11. For Group Object Class, specify the value of the objectClass attribute for a group object. The default value is group.

      12. For Group Membership, if the group object maintains membership in other groups, specify the value of the membership attribute. The default value is memberOf.

      13. For Group Member, if the group object maintains a list of users that belong to it, specify the value of its attribute. The default value is member.

      14. For Group Member Value, if the Group Member attribute is specified, use this field to specify the attribute that is used to add users to a group. The default value is dn.

      15. Click Finish to save the LDAP server settings and return to the Rule Properties tab.

    1. For Search DN, specify the base distinguished name that BIG-IP Next Access uses for internal LDAP search operations. Use this setting together with the Search Filter. Session variables can be used as values for any property in this table; for example, session.ssl.cert.last.cn holds the user CN from the SSL certificate.

    2. For Search Filter, specify the search criteria to use when querying the LDAP server for the user’s information. Enclose the filter string in parentheses. For example, (sAmAccountName=%{session.logon.last.username}) or (sAmAccountName=%{subsession.logon.last.username}) populates the filter with the username from the current session.

    3. For User DN, specify the full identifier of a user within the LDAP directory, along with the associated password.

    4. For Show Extended Error, specify whether to display the comprehensive error message generated by the authentication server on the user’s Logon page. The default value is false. When set to false, only a generic error message from the authentication server is shown on the user’s Logon page.

      Note: This setting is intended only for use in a testing or debugging environment. If you enable this setting in a live environment, your system might be vulnerable to malicious attacks.

    5. For Max Logon Attempts Allowed, specify the number of user authentication logon attempts to allow. Select a number to limit the number of times the user can enter credentials through the logon screen when authentication fails. A complete logon and password challenge and response is considered as one attempt. The default value is 3.

    6. Click Continue.
      The Branches tab of the Rule Configurations page opens.

  31. Under Branches, click Create.
    The Branches page opens.

  32. Under Expression, select a Context, a Condition and a Result for this branch.

  33. Add any (optional) AND or OR branches needed for the policy, and then click Save & Finish.

  34. On the Branches tab of the Rule Configuration page, click Finish.
    The VPD canvas displays the revised policy.

  35. Review the policy in the VPD canvas; then click Save to finish creating the policy.
    BIG-IP Next Central Manager adds the policy to the Access Policies list.

Using BIG-IP Next Central Manager API

The following example creates a new LDAP Authentication Access policy using the BIG-IP Next Central Manager application programming interface (API).

  1. Authenticate with the BIG-IP Next Central Manager API. For details refer to How to: Authenticate with the BIG-IP Next Central Manager API.

  2. Create the policy by sending a POST request to the /api/v1/spaces/default/security/access-policies endpoint.

    POST https://<big-ip_next_cm_mgmt_ip>/api/v1/spaces/default/security/access-policies
    

    For the API body, use the following, substituting values appropriate for the policy you want to create.

    {
     "description": "",
     "name": "ldap_auth",
     "policy_type": "PerSession",
     "properties": [
         {
             "configuration": {
                 "policyType": "PerSession",
                 "name": "ldap_auth",
                 "externalServers": [
                     {
                         "ldapSchemaAttrs": {
                             "userObjectClass": "user",
                             "userMemberof": "memberOf",
                             "groupObjectClass": "group",
                             "groupMemberof": "memberOf",
                             "groupMemberValue": "dn",
                             "groupMember": "member"
                         },
                         "timeout": 15,
                         "name": "LDAP-Server-44f3a508",
                         "isLdaps": false,
                         "groupCacheTtl": 30,
                         "baseDn": "",
                         "adminPassword": "LDAP_ADMIN",
                         "adminDn": "LDAP_ADMIN",
                         "serverType": "Ldap"
                     }
                 ],
                 "policy": {
                     "objectContent": {
                         "macros": [
                             {
                                 "name": "Empty84bb2315",
                                 "start": {
                                     "itemType": "aaa-ldap",
                                     "ruleType": "aaa-ldap",
                                     "ruleId": "Ldap-Auth-5467170b",
                                     "name": "LDAP-Authentication-2e395334",
                                     "nextItems": [
                                         {
                                             "caption": "Allow",
                                             "itemType": "terminal-out",
                                             "name": "Allow",
                                             "expression": "expr {[mcget {session.ldap.last.authresult}] == 1}"
                                         },
                                         {
                                             "itemType": "terminal-out",
                                             "name": "Deny",
                                             "caption": "Fallback"
                                         }
                                     ],
                                     "caption": "Fallback",
                                     "showExtendedError": true,
                                     "server": "LDAP-Server-44f3a508",
                                     "maxLogonAttempt": 3,
                                     "filter": "sAmAccountName=%{session.logon.last.username}",
                                     "type": "auth",
                                     "isValid": true
                                 },
                                 "endings": [
                                     {
                                         "name": "Deny",
                                         "color": "#D9647A",
                                         "default": true
                                     },
                                     {
                                         "name": "Allow",
                                         "color": "#199D4D"
                                     }
                                 ]
                             }
                         ],
                         "start": {
                             "itemType": "macro-call",
                             "name": "LDAPrule",
                             "macro": "Empty84bb2315",
                             "caption": "Fallback",
                             "nextItems": [
                                 {
                                     "itemType": "deny",
                                     "name": "Deny",
                                     "caption": "Deny"
                                 },
                                 {
                                     "itemType": "allow",
                                     "name": "Allow",
                                     "caption": "Allow"
                                 }
                             ]
                         },
                         "endings": [
                             {
                                 "name": "Deny",
                                 "action": "deny",
                                 "color": "#D9647A",
                                 "default": true
                             },
                             {
                                 "name": "Allow",
                                 "action": "allow",
                                 "color": "#199D4D",
                                 "default": false
                             }
                         ],
                         "languages": [
                             "en"
                         ],
                         "defaultLanguage": "en"
                     }
                 },
                 "scope": "profile",
                 "profileType": "all",
                 "userIdentityMethod": "http",
                 "connectivityAccessPolicyName": "ldap_auth_cap",
                 "timeout": 300,
                 "inactivityTimeout": 900,
                 "maxSessionTimeout": 604800,
                 "maxConcurrentUsers": 0,
                 "maxConcurrentSessions": 0,
                 "maxInProgressSessions": 128,
                 "minFailureDelay": 2,
                 "maxFailureDelay": 5,
                 "domainCookie": "",
                 "secureCookie": false,
                 "persistentCookie": false,
                 "httpOnlyCookie": false,
                 "restrictToSingleClientIP": false,
                 "useHttp503OnError": false,
                 "logoutUriTimeout": 5,
                 "samesiteCookie": false,
                 "samesiteCookieAttrValue": "strict"
             },
             "connectivityProfileConfiguration": {
                 "compressBufferSize": 4096,
                 "compressGzipLevel": 6,
                 "compressGzipMemlevel": 8192,
                 "compressGzipWindowsize": 16384,
                 "compressCpusaver": true,
                 "compressCpusaverHigh": 90,
                 "compressCpusaverLow": 75,
                 "compressionAdaptive": true,
                 "compressionDeflateLevel": 1,
                 "compressionCodecs": [],
                 "pppTunnel": {
                     "profilePpp": {}
                 },
                 "clientPolicy": {
                     "ecSaveServersOnExit": true,
                     "ecReuseWinlogonSession": false,
                     "ecReuseWinlogonCreds": false,
                     "ecRunLogoffScript": false,
                     "ecWarnBeforeScriptLaunch": true,
                     "ecSavePasswordMethod": "none",
                     "ecSavePasswordTimeout": 240,
                     "ecComponentUpdate": "yes",
                     "serverList": [],
                     "ecLocationDnsList": [],
                     "androidEcRequireDeviceAuth": false,
                     "androidEcSavePasswordMethod": "disk",
                     "androidEcSavePasswordTimeout": 240,
                     "iosEcRequireDeviceAuth": false,
                     "iosEcSavePasswordMethod": "disk",
                     "iosEcSavePasswordTimeout": 240,
                     "macosEcSavePasswordMethod": "disk",
                     "macosEcSavePasswordTimeout": 240,
                     "chromeosEcSavePasswordMethod": "disk",
                     "chromeosEcSavePasswordTimeout": 240,
                     "chromeosEcLogonMethod": "native",
                     "macosEcLogonMethod": "native",
                     "name": "ldap_auth_cap_clientPolicy"
                 },
                 "name": "ldap_auth_cap",
                 "policyType": "ConnectivityAccessPolicy"
             },
             "loggingConfiguration": [
                 {
                     "component": "apmd",
                     "level": "NOTICE"
                 },
                 {
                     "component": "tmm",
                     "level": "NOTICE"
                 },
                 {
                     "component": "websso",
                     "level": "NOTICE"
                 },
                 {
                     "component": "renderer",
                     "level": "NOTICE"
                 }
             ]
         }
     ]
     }
    

    BIG-IP Next Central Manager creates the policy specified by the parameter values used in the body of your POST.

    Important: To fully configure this policy, attach this rule to an application. After attaching to an application, make sure to configure the External or AAA servers as well for LDAP Authentication. For additional details about managing an application, refer to How to: Manage applications using BIG-IP Next Central Manager and FAST templates.
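    Before sending the POST above, it is worth checking the body for the settings this page itself flags: an LDAP server with LDAPS turned off, an empty Base DN, placeholder bind credentials, Show Extended Error enabled, and session cookies without the Secure and HttpOnly flags. The following script is an added example, not F5 code: it keeps a constructed skeleton of the page's body (only the keys the checks read), reports those settings, and returns a hardened copy that you would then POST to the endpoint from step 2. The key for the TLS Cipher String that LDAPS requires is not shown in the page's body and must be taken from the API reference.

```python
import copy

# Constructed skeleton of the page's POST body, keeping only the keys the checks read.
PAGE_BODY = {
    "name": "ldap_auth", "policy_type": "PerSession",
    "properties": [{"configuration": {
        "policyType": "PerSession", "name": "ldap_auth",
        "externalServers": [{
            "serverType": "Ldap", "name": "LDAP-Server-44f3a508",
            "isLdaps": False, "baseDn": "",
            "adminDn": "LDAP_ADMIN", "adminPassword": "LDAP_ADMIN"}],
        "policy": {"objectContent": {"macros": [{"start": {
            "ruleType": "aaa-ldap", "showExtendedError": True}}]}},
        "secureCookie": False, "httpOnlyCookie": False}}],
}


def _walk(node):
    """Yield every dict nested anywhere inside node (dicts and lists)."""
    if isinstance(node, dict):
        yield node
        for value in node.values():
            yield from _walk(value)
    elif isinstance(node, list):
        for value in node:
            yield from _walk(value)


def lint_policy(body):
    """Return findings for the settings this page flags as risky."""
    findings = []
    for d in _walk(body):
        if d.get("serverType") == "Ldap":  # external LDAP server entry
            if not d.get("isLdaps"):
                findings.append(f"{d['name']}: isLdaps is false, bind sent in clear text")
            if not d.get("baseDn"):
                findings.append(f"{d['name']}: baseDn is empty")
            if d.get("adminPassword") in ("", "LDAP_ADMIN", d.get("adminDn")):
                findings.append(f"{d['name']}: adminPassword is a placeholder")
        if d.get("ruleType") == "aaa-ldap" and d.get("showExtendedError"):
            findings.append("LDAP rule: showExtendedError is true (debugging only)")
        for flag in ("secureCookie", "httpOnlyCookie"):
            if flag in d and not d[flag]:
                findings.append(f"{d['name']}: {flag} is false")
    return findings


def harden_policy(body, base_dn, admin_dn, admin_password):
    """Return a copy with LDAPS on, real bind settings and safe cookie flags."""
    fixed = copy.deepcopy(body)
    for d in _walk(fixed):
        if d.get("serverType") == "Ldap":
            d["isLdaps"] = True  # TLS Cipher String must be added too (key not on the page)
            d["baseDn"], d["adminDn"], d["adminPassword"] = base_dn, admin_dn, admin_password
        if d.get("ruleType") == "aaa-ldap":
            d["showExtendedError"] = False
        if "secureCookie" in d:
            d["secureCookie"] = d["httpOnlyCookie"] = True
    return fixed
```

Run lint_policy on the page's full body before and after harden_policy; the hardened copy is the one to send, with the bind password supplied from a secret store rather than written into the script.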