ltm auth ssl-cc-ldap
ltm auth ssl-cc-ldap(1) BIG-IP TMSH Manual ltm auth ssl-cc-ldap(1)
NAME
ssl-cc-ldap - Configures an SSL client certificate configuration object for remote SSL-based LDAP authorization for client
traffic passing through the traffic management system.
MODULE
ltm auth
SYNTAX
Configure the ssl-cc-ldap component within the ltm auth module using the syntax shown in the following sections.
CREATE/MODIFY
create ssl-cc-ldap [name]
modify ssl-cc-ldap [name]
options:
admin-dn [ [name] | none]
admin-password [none | [password] ]
cache-size [integer]
cache-timeout [integer]
certmap-base [none | [search base] ]
certmap-key [ [name] | none)
certmap-user-serial [no | yes]
description [string]
group-base [none | [search base] ]
group-key [ [name] | none]
group-member-key [[name] | none]
role-key [ [name] | none]
search-type [cert | certmap | user]
secure [no | yes]
servers
[add | delete | none | replace-all-with] {
[ip address ... ]
}
user-base [none | [search base] ]
user-class [ [class] | none]
user-key [ [key] | none]
valid-groups
[add | delete | replace-all-with] {
[group ... ]
}
valid-groups none
valid-roles
[add | delete | replace-all-with] {
[role ... ]
}
valid-roles none
edit ssl-cc-ldap [ [ [name] | [glob] | [regex] ] ... ]
options:
all-properties
non-default-properties
DISPLAY
list ssl-cc-ldap
list ssl-cc-ldap [ [ [name] | [glob] | [regex] ] ... ]
show running-config ssl-cc-ldap
show running-config ssl-cc-ldap
[ [ [name] | [glob] | [regex] ] ... ]
options:
all-properties
non-default-properties
one-line
partition
DELETE
delete ssl-cc-ldap [name]
DESCRIPTION
You can use the ssl-cc-ldap component to configure SSL client certificate-based remote LDAP authorization for client
traffic passing through the traffic management system.
To configure this type of authentication module and create a configuration object:
1. Use the ssl-cc-ldap component in the ltm auth module to create an SSL client certificate LDAP configuration object.
2. Use the profile component in the ltm auth module to create an authentication profile in which you specify the following
options:
a. For the configuration option, specify the configuration object that you created in Step 1.
b. For the defaults-from option, specify a parent profile (either the default profile named ssl_cc_ldap or another
custom profile that you created).
OPTIONS
admin-dn
Specifies the distinguished name of an account to which to bind to perform searches. This search account is a read-
only account used to do searches. The admin account can also be used as the search account. If no admin DN is
specified, then no bind is attempted.
This option is required only when an LDAP database does not allow anonymous searches. The default value is none.
admin-password
Specifies the password for the admin account. See admin-dn above. The default value is none.
cache-size
Specifies the maximum size, in bytes, allowed for the SSL session cache. Setting this option to 0 (zero) disallows SSL
session caching. The default value is 20000 bytes (20KB).
cache-timeout
Specifies the number of usable lifetime seconds of negotiable SSL session IDs. When this time expires, a client must
negotiate a new session. The default value is 300 seconds.
certmap-base
Specifies the search base for the subtree used by the certmap search method. A typical search base is:
ou=people,dc=company,dc=com. The default value is none.
certmap-key
Specifies the name of the certificate map that the certmap search method uses. This name is found in the LDAP
database. The default value is none.
certmap-user-serial
Specifies whether the system uses the client certificate's subject or serial number (in conjunction with the
certificate's issuer) when trying to match an entry in the certificate map subtree.
A value of yes uses the serial number. A value of no uses the subject. The default value is no.
description
User defined description.
glob Displays the items that match the glob expression. See help glob for a description of glob expression syntax.
group-base
Specifies the search base for the subtree used by group searches. Use this option only when specifying the valid-
groups option. The typical search base is similar to: ou=groups,dc=company,dc=com. The default value is none.
group-key
Specifies the name of the attribute in the LDAP database that specifies the group name in the group subtree. An
example of a typical key is cn (common name for the group). The default value is none.
group-member-key
Specifies the name of the attribute in the LDAP database that specifies members (DNs) of a group. A typical key is
member. The default value is none.
name Specifies a unique name for the component. This option is required for the commands create, delete, and modify.
partition
Displays the administrative partition within which the component resides.
regex
Displays the items that match the regular expression. The regular expression must be preceded by an at sign (@[regular
expression]) to indicate that the identifier is a regular expression. See help regex for a description of regular
expression syntax.
role-key
Specifies the name of the attribute in the LDAP database that specifies a user's authorization roles. Use this option
only when specifying the valid-roles option. A typical role key is authorizationRole. The default value is none.
search
Specifies the type of LDAP search that is performed based on the client's certificate. Possible values are:
cert Searches for the exact certificate.
certmap
Searches for a user by matching the certificate issuer and the certificate serial number or certificate.
user Searches for a user based on the common name found in the certificate. This is the default value.
secure
Specifies whether the system attempts to use secure LDAP (LDAP over SSL). The alternative to using secure LDAP is to
use insecure (clear text) LDAP. Secure LDAP is a consideration when the connection between the BIG-IP system and the
LDAP server cannot be trusted. The default value is no.
servers
Specifies a list of LDAP servers you want to search. You must specify a server when you create an SSL client
certificate configuration object.
user-base
Specifies the search base for the subtree used when you select for the search option either of the values user or
cert. A typical search base is: ou=people,dc=company,dc=com. You must specify a user base when you create an SSL
client certificate configuration object. The default value is none.
user-class
Specifies the object class in the LDAP database to which the user must belong to be authenticated. The default value
is none.
user-key
Specifies the key that denotes a user ID in the LDAP database (for example, the common key for the user option is
uid). You must specify a user key when you create an SSL client certificate configuration object.
valid-groups
Specifies a space-delimited list of the names of groups to which the client must belong in order to be authorized
(matches against the group key in the group subtree). The client needs to be a member of only one of the groups in the
list. The default value is none.
valid-roles
Specifies a space-delimited list of the valid roles that clients must have to be authorized. The default value is
none.
SEE ALSO
create, delete, edit, glob, list, ltm auth profile, ltm virtual, modify, regex, show, tmsh
COPYRIGHT
No part of this program may be reproduced or transmitted in any form or by any means, electronic or mechanical, including
photocopying, recording, or information storage and retrieval systems, for any purpose other than the purchaser's personal
use, without the express written permission of F5 Networks, Inc.
F5 Networks and BIG-IP (c) Copyright 2008-2013, 2015. All rights reserved.
BIG-IP 2015-07-22 ltm auth ssl-cc-ldap(1)