apm policy agent aaa-ldap
apm policy agent aaa-ldap(1) BIG-IP TMSH Manual apm policy agent aaa-ldap(1)
NAME
aaa-ldap - Manages an AAA LDAP(r) agent.
MODULE
apm policy agent
SYNTAX
Configure the aaa-ldap component within the policy agent module using
the following syntax.
CREATE/MODIFY
create aaa-ldap [name]
modify aaa-ldap [name]
options:
app-service [[string] | none]
attr-name ( | none) [add | delete]
filter [[string] | none]
group-member-scope [none | direct | all]
group-membership-scope [none | direct | all]
max-logon-attempt [integer]
search-dn [[string] | none]
server [[string] | none]
show-extended-error [true | false]
type [query | auth | modify | last]
user-dn [[string] | none]
modify-type [add | modify | delete | modify-last]
ldapmod-attributes ( | none) [add | delete]
DISPLAY
list aaa-ldap
list aaa-ldap [ [ [name] | [glob] | [regex] ] ... ]
show running-config aaa-ldap
show running-config aaa-ldap [ [ [name] | [glob] | [regex] ] ... ]
options:
all
all-properties
current-module
non-default-properties
one-line
app-service
partition
DELETE
delete aaa-ldap [name]
DESCRIPTION
Use this component to create, modify, display, or delete an AAA LDAP
agent.
EXAMPLES
create aaa-ldap MyLDAPagent { user-dn
"cn=%{session.logon.last.username},cn=users,dc=lab,dc=fp,dc=com" type
auth server "companyLDAP" }
create aaa-ldap MyLDAPagent { search-dn "cn=users,dc=lab,dc=fp,dc=com"
filter "(sAMAccountName=%{session.logon.last.username})" type auth
server "companyLDAP" }
Each command creates an auth (authentication) type AAA LDAP agent
named MyLDAPagent that is associated with the companyLDAP server.
The first identifies the user by the
cn=%{session.logon.last.username},cn=users,dc=lab,dc=fp,dc=com user
DN; the second locates the user entry under the
cn=users,dc=lab,dc=fp,dc=com search base with the
(sAMAccountName=%{session.logon.last.username}) filter. In both,
the %{session.logon.last.username} session variable is replaced
with the name the user entered at logon.
create aaa-ldap MyLDAPagent { search-dn "cn=users,dc=lab,dc=fp,dc=com"
filter "(sAMAccountName=%{session.logon.last.username})" type query
server "companyLDAP" }
Creates the query type AAA LDAP agent named MyLDAPagent that is
associated with the companyLDAP server and searches the
cn=users,dc=lab,dc=fp,dc=com base with the
(sAMAccountName=%{session.logon.last.username}) filter.
create aaa-ldap MyLDAPagent { user-dn
"cn=%{session.logon.last.username},cn=users,dc=lab,dc=fp,dc=com" type
modify modify-type add server "companyLDAP" ldapmod-attributes add {
objectClass { mod-op add mod-values add { top person
organizationalPerson user } } cn { mod-op add mod-values add { demo } }
} }
Creates the modify type AAA LDAP agent named MyLDAPagent that is
associated with the companyLDAP server, uses the
cn=%{session.logon.last.username},cn=users,dc=lab,dc=fp,dc=com
user DN and the add modify type, and adds the objectClass values
top, person, organizationalPerson and user and the cn value demo
to that entry.
create aaa-ldap MyLDAPagent { user-dn
"cn=%{session.logon.last.username},cn=users,dc=lab,dc=fp,dc=com" type
modify modify-type modify server "companyLDAP" ldapmod-attributes add {
givenName { mod-op replace mod-values add { demo } } } }
Creates the modify type AAA LDAP agent named MyLDAPagent that is
associated with the companyLDAP server, uses the
cn=%{session.logon.last.username},cn=users,dc=lab,dc=fp,dc=com
user DN and the modify modify type, and replaces the givenName
attribute of that entry (mod-op replace) with the value demo.
create aaa-ldap MyLDAPagent { user-dn
"cn=%{session.logon.last.username},cn=users,dc=lab,dc=fp,dc=com" type
modify modify-type delete server "companyLDAP" }
Creates the modify type AAA LDAP agent named MyLDAPagent that is
associated with the companyLDAP server, uses the
cn=%{session.logon.last.username},cn=users,dc=lab,dc=fp,dc=com
user DN, and uses the delete modify type.
list aaa-ldap
Displays a list of AAA LDAP agents.
delete aaa-ldap MyLDAPagent
Deletes the MyLDAPagent AAA LDAP agent.
OPTIONS
app-service
Specifies the name of the application service to which the object
belongs. The default value is none. Note: If the strict-updates
option is enabled on the application service that owns the object,
you cannot modify or delete the object. Only the application
service can modify or delete the object.
attr-name
Adds an attribute name to the agent or deletes an attribute name
from the agent.
group-member-scope
Specifies the scope of user lookup for a group. When the search
returns a group, this attribute specifies whether to also look up
the members of the group. The options are:
none No members required.
direct Only direct members required.
all All members required. This includes those that derive
membership in this group through membership in other groups and
those that are direct members.
group-membership-scope
Specifies the scope of group lookup for a user or a group. When
the search returns a user or a group, this attribute specifies
whether to also look up the groups to which this user or group
belongs. The options are:
none No groups required.
direct Only the groups to which the current user or group belongs
directly are required.
all All groups required. This includes the groups to which the
user or group belongs directly and the groups to which it belongs
indirectly (through membership in another group).
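The two scope options above are easier to reason about on data. The following is an added example, not F5 code: it models a small constructed directory (group DN to direct member DNs) and reproduces the none/direct/all semantics for both group-member-scope (members of a group, walking down into nested groups) and group-membership-scope (groups of an entry, walking up). The ops and oncall groups deliberately contain each other so the "all" walk has to terminate on a membership cycle; the DNs reuse the cn=users,dc=lab,dc=fp,dc=com base from the page's examples.

```python
"""Model the group-member-scope and group-membership-scope settings.

Added example; not F5 code. The directory below is constructed, and the
functions reproduce the three scopes the man page defines (none, direct,
all) over it, including how "all" walks nested groups without looping on
a membership cycle.
"""
from collections import deque

BASE = "cn=users,dc=lab,dc=fp,dc=com"  # search base from the page examples


def dn(cn: str) -> str:
    return f"cn={cn},{BASE}"


ALICE, BOB, CAROL = dn("alice"), dn("bob"), dn("carol")
VPN, OPS, ONCALL = dn("vpn-users"), dn("ops"), dn("oncall")

# Constructed directory: group DN -> its direct member DNs (the "member"
# attribute). ops and oncall contain each other, a cycle a naive walk
# would never terminate on.
GROUPS = {
    VPN: {ALICE, OPS},
    OPS: {BOB, ONCALL},
    ONCALL: {CAROL, OPS},
}

SCOPES = ("none", "direct", "all")


def _check_scope(scope: str) -> None:
    if scope not in SCOPES:
        raise ValueError(f"scope must be one of {SCOPES}, got {scope!r}")


def group_members(group: str, scope: str) -> set:
    """Entries considered members of `group` under group-member-scope=`scope`."""
    _check_scope(scope)
    if scope == "none":
        return set()
    if scope == "direct":
        return set(GROUPS.get(group, ()))
    # all: breadth-first walk down through nested groups; `seen` stops cycles.
    found, queue, seen = set(), deque([group]), {group}
    while queue:
        for member in GROUPS.get(queue.popleft(), ()):
            found.add(member)
            if member in GROUPS and member not in seen:
                seen.add(member)
                queue.append(member)
    return found


def group_memberships(entry: str, scope: str) -> set:
    """Groups `entry` belongs to under group-membership-scope=`scope`."""
    _check_scope(scope)
    if scope == "none":
        return set()

    def parents(e: str) -> set:
        return {g for g, members in GROUPS.items() if e in members}

    if scope == "direct":
        return parents(entry)
    # all: walk up through parent groups; `found` doubles as the visited set.
    found, queue = set(), deque([entry])
    while queue:
        for g in parents(queue.popleft()):
            if g not in found:
                found.add(g)
                queue.append(g)
    return found


def in_group(user: str, group: str, scope: str) -> bool:
    """Authorization-style check: is `user` a member of `group` at this scope?"""
    return user in group_members(group, scope)


if __name__ == "__main__":
    for scope in SCOPES:
        print(f"member-scope={scope:6} vpn-users -> {sorted(group_members(VPN, scope))}")
        print(f"membership-scope={scope:6} carol -> {sorted(group_memberships(CAROL, scope))}")
```

The practical consequence is visible in in_group: carol is not a member of vpn-users under direct scope but is under all scope, so a policy branch that keys on group membership gives different answers depending on which scope the agent was created with.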
filter
Specifies the LDAP filter that APM uses when querying an AAA LDAP
server for authentication information. Session variables in the
filter, such as %{session.logon.last.username}, are replaced with
their values before the search runs, so the value a user supplies
at logon becomes part of the filter. You must use the filter option
with the search-dn option.
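The user-dn and filter strings in the examples above both embed a session variable, and the two contexts have different quoting rules. The following is an added example, not F5 code, and it does not model how APM itself expands session variables (this page does not say whether the expanded value is escaped). It renders the page's two templates from a constructed session, applying RFC 4515 escaping for a value placed inside a search filter and RFC 4514 escaping for a value placed inside a DN, and checks that a rendered filter is still the single equality test the template intended; rendering without escaping is kept only to show what a username containing `*`, `)` or `,` does to each string.

```python
"""Render the DN and filter templates from the aaa-ldap examples.

Added example; not F5 code. It shows the two escaping rules a
practitioner has to keep apart: RFC 4515 for values inside a search
filter and RFC 4514 for values inside a DN, plus a check that a rendered
filter still tests exactly one attribute.
"""
import re

# Templates taken from the man page examples; the session values fed to
# them in __main__ and in the tests are constructed inputs.
USER_DN_TEMPLATE = "cn=%{session.logon.last.username},cn=users,dc=lab,dc=fp,dc=com"
FILTER_TEMPLATE = "(sAMAccountName=%{session.logon.last.username})"

_VAR = re.compile(r"%\{([A-Za-z0-9_.]+)\}")


def escape_filter_value(value: str) -> str:
    """RFC 4515 s.3: escape *, (, ), backslash and NUL as \\XX in an assertion value."""
    table = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}
    return "".join(table.get(ch, ch) for ch in value)


def escape_dn_value(value: str) -> str:
    """RFC 4514 s.2.4: escape the DN-special characters in one attribute value."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in '"+,;<>\\':
            out.append("\\" + ch)
        elif ch == "\x00":
            out.append(r"\00")
        elif ch == "#" and i == 0:
            out.append(r"\#")
        elif ch == " " and (i == 0 or i == last):
            out.append("\\ ")
        else:
            out.append(ch)
    return "".join(out)


def render(template: str, session: dict, escaper=None) -> str:
    """Expand %{name} placeholders from `session`, passing each value through `escaper`.

    escaper=None performs a raw, unescaped substitution so the difference is visible.
    """
    def substitute(match):
        name = match.group(1)
        if name not in session:
            raise KeyError(f"session variable {name} is not set")
        value = session[name]
        return escaper(value) if escaper else value
    return _VAR.sub(substitute, template)


def render_filter(template: str, session: dict, escape: bool = True) -> str:
    return render(template, session, escape_filter_value if escape else None)


def render_dn(template: str, session: dict, escape: bool = True) -> str:
    return render(template, session, escape_dn_value if escape else None)


# One equality item "(attr=value)": no raw parentheses or wildcard in the
# value, and a backslash only as part of an RFC 4515 \XX escape.
_SINGLE_ITEM = re.compile(r"^\([A-Za-z][A-Za-z0-9.;-]*=(?:[^()*\\]|\\[0-9A-Fa-f]{2})*\)$")


def is_single_equality_item(rendered: str) -> bool:
    """True when the rendered filter still tests exactly one attribute for equality."""
    return _SINGLE_ITEM.match(rendered) is not None


if __name__ == "__main__":
    for username in ("alice", "*", "alice)(objectClass=*", "alice,ou=admins"):
        session = {"session.logon.last.username": username}
        raw = render_filter(FILTER_TEMPLATE, session, escape=False)
        safe = render_filter(FILTER_TEMPLATE, session)
        print(f"{username!r:24} raw={raw!r:45} ok={is_single_equality_item(raw)}")
        print(f"{'':24} safe={safe!r:44} ok={is_single_equality_item(safe)}")
        print(f"{'':24} dn={render_dn(USER_DN_TEMPLATE, session)!r}")
```

The check in is_single_equality_item is the one worth carrying into a test of your own deployment: with a username of `*` an unescaped filter becomes `(sAMAccountName=*)`, which matches every entry under the search base, while the escaped form `(sAMAccountName=\2a)` matches only an account literally named `*`. The DN case is different again: a comma in the username must become `\,` or it ends the cn component.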
max-logon-attempt
Specifies the maximum number of opportunities that users have to
re-enter credentials after their first attempt to log in fails. If
you set this value to a number from 2 to 5 inclusive, the system
allows users the specified number of opportunities to log in after
the first attempt to log in fails. If you set the value to 1, the
system does not allow a second log in opportunity after a first
log in attempt fails. The default value is 3.
[name]
Specifies the name of an AAA LDAP agent. This setting is required.
partition
Displays the partition within which the component resides.
search-dn
Specifies the base distinguished name (DN) under which APM performs
its LDAP search operations. You must use the search-dn option with
the filter option.
server
Specifies the AAA LDAP server that the system uses for LDAP
queries and authentication.
show-extended-error
Specifies to display a verbose error message. The default value is
false.
type Specifies the type of AAA LDAP agent: auth (authenticate the
user), query (run an LDAP search), modify (change an LDAP entry
according to modify-type and ldapmod-attributes), or last. This
setting is required. The default is last.
user-dn
Specifies the distinguished name (DN) of the user entry, typically
built from a session variable, for example
cn=%{session.logon.last.username},cn=users,dc=lab,dc=fp,dc=com. An
auth type agent authenticates the user as this DN and a modify type
agent changes this entry. F5 Networks recommends that you specify
this value in lower case and without spaces for compatibility with
some specific LDAP servers. The specific content of this string
depends on your directory layout.
SEE ALSO
tmsh
COPYRIGHT
No part of this program may be reproduced or transmitted in any form or
by any means, electronic or mechanical, including photocopying,
recording, or information storage and retrieval systems, for any
purpose other than the purchaser's personal use, without the express
written permission of F5 Networks, Inc.
F5 Networks and BIG-IP (c) Copyright 2011-2014, 2016. All rights
reserved.
BIG-IP 2016-03-14 apm policy agent aaa-ldap(1)