auth cert-ldap(1) BIG-IP TMSH Manual auth cert-ldap(1)
NAME
cert-ldap - Configures an LDAP configuration object for implementing
Single Sign On based on a valid client certificate for BIG-IP(r) system
users. The user is required to properly configure the Certificate
Authority so that unique identifying attributes appear in the
subjectName or subjectAltName fields of signed client certificates; the
OCSP responder so that it is available to the BIG-IP at the time a
client certificate is presented; and the LDAP server so that it
includes the required attributes from the client certificate and the
corresponding user name.
MODULE
auth
SYNTAX
Configure the cert-ldap component within the auth module using the
syntax shown in the following sections.
CREATE/MODIFY
create cert-ldap [name]
modify cert-ldap [name]
options:
bind-dn [ [account dn] | none]
bind-pw [none | [password] ]
bind-timeout [integer]
check-host-attr [disabled | enabled]
check-roles-group [disabled | enabled]
debug [disabled | enabled]
description [string]
filter [ [filter name] | none]
idle-timeout [integer]
ignore-auth-info-unavail [no | yes]
ignore-unknown-user [disabled | enabled]
login-attribute [ [account name] | none]
login-filter [ [string] | none]
login-name [ [ldap attribute] | none]
port [ [name] | [integer]]
scope [base | one | sub]
search-base-dn [[search base dn] | none]
search-timeout [integer]
servers [add | delete | replace-all-with] {
[ [ip address] | [server name] ...] }
servers none
ssl [disabled | enabled]
ssl-ca-cert-file [ [file name] | none]
ssl-check-peer [disabled | enabled]
ssl-ciphers [ [string] | none]
ssl-client-cert [ [string] | none]
ssl-client-key [ [string] | none]
ssl-cname-field [ subjectname-cn | san-other | san-email |
san-dns | san-x400 | san-dirname | san-ediparty |
san-uri | san-ipadd | san-rid ]
ssl-cname-otheroid [ [OID in dotted-decimal] | none]
sso [on | off]
version [integer]
warnings [disabled | enabled]
edit cert-ldap [ [ [name] | [glob] | [regex] ] ...]
options:
all-properties
non-default-properties
DISPLAY
list cert-ldap
list cert-ldap [ [ [name] | [glob] | [regex] ] ...]
show running-config cert-ldap
show running-config cert-ldap [ [ [name] | [glob] | [regex] ] ...]
options:
all-properties
non-default-properties
one-line
partition
DELETE
delete cert-ldap [name]
DESCRIPTION
The CERT-LDAP authentication mode is required to provide Single Sign On
capability to the control plane based on a valid client certificate.
This mode involves configuring an Apache server to initiate a client
certificate request, perform certificate validation against an OCSP
server, and then authenticate/authorize certificate credentials against
a configured remote LDAP server or a Microsoft(r) Windows(r) Active
Directory(r). The mode is not based on basic HTTP authentication (that
is, user name and password). CERT-LDAP mode is equivalent to LDAP mode
with custom attributes.
To authenticate BIG-IP system users when their authentication data is
stored on a remote LDAP server, you create an LDAP configuration
object, and then activate the object. Make sure that Apache is
configured to support the client certificate validation.
To configure CERT-LDAP authentication for BIG-IP system users:
1. Use the cert-ldap component in the auth module to configure an LDAP
configuration object.
2. To activate LDAP authentication for BIG-IP system users, run the
command sequence modify / auth source type cert-ldap.
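Putting the two steps together, the following is an added example (not taken from the F5 manual) of a complete configure-and-activate sequence entered at the tmsh root prompt. The server host names, distinguished names, the service-account password and the choice of uid as the login attribute are assumed values for a generic LDAP directory:

```tmsh
# Added example; host names, DNs and the bind password are assumed placeholder values.
# Step 1: create the object. The client name is read from the certificate subject CN
# (ssl-cname-field subjectname-cn) and looked up in the uid attribute below search-base-dn.
# check-roles-group enabled additionally requires a memberOf match against the
# remote-role definitions before a role is granted.
create auth cert-ldap bigip_cert_ldap_auth servers add { ldap1.example.com ldap2.example.com } bind-dn "cn=svc-bigip,ou=service,dc=example,dc=com" bind-pw "REPLACE-ME" search-base-dn "ou=people,dc=example,dc=com" scope sub login-attribute uid ssl-cname-field subjectname-cn login-name uid check-roles-group enabled sso on

# Review the stored object before switching the authentication source.
list auth cert-ldap bigip_cert_ldap_auth

# Step 2: make this object the control-plane authentication source.
modify auth source type cert-ldap

# Persist the running configuration.
save sys config
```

Because modify auth source type changes how every subsequent login is authenticated, run the activation step from a session you can keep open (console or an existing local-account session) and confirm a certificate login works before closing it. If the CN carries more than the account name, add a login-filter regular expression to select the part that must match the login-name attribute.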
EXAMPLES
create cert-ldap bigip_cert_ldap_auth servers add {my_ldap_server}
Creates a configuration object named bigip_cert_ldap_auth.
delete cert-ldap bigip_cert_ldap_auth
Deletes the configuration object named bigip_cert_ldap_auth.
OPTIONS
bind-dn
Specifies the distinguished name of an account to which to bind to
perform searches. This search account is a read-only account. You
can also use the admin account as the search account. If an
administrative distinguished name is not specified, then a bind is
not attempted. The default value is none.
Note: If the remote server is a Microsoft Windows Active Directory
server, the distinguished name must be in the form of an email
address.
bind-pw
Specifies the password for the search account created on the LDAP
server. This option is required if you enter a value for the bind-
dn option. The default value is none.
bind-timeout
Specifies a bind timeout limit, in seconds. The default value is
30.
check-host-attr
Confirms the password for the bind distinguished name. This option
is optional. The default value is disabled.
check-roles-group
Specifies whether to verify a user's group membership given in the
remote-role definitions, formatted as memberOf="group-dn". The
default value is disabled.
debug
Enables or disables syslog-ng debugging information at the LOG
DEBUG level. The default value is disabled. F5 Networks does not
recommend using this option for normal configuration.
description
User defined description.
filter
Specifies a filter. Use this option for authorizing client
traffic. The default value is none.
glob Displays the items that match the glob expression. See help glob
for a description of glob expression syntax.
group-dn
Specifies the group distinguished name. The system uses this
option for authorizing client traffic. The default value is none.
group-member-attribute
Specifies a group member attribute. The system uses this option
for authorizing client traffic. The default value is none.
idle-timeout
Specifies the idle timeout, in seconds, for connections. The
default value is 3600 seconds.
ignore-auth-info-unavail
Specifies whether the system ignores authentication information if
it is not available. The default value is no.
ignore-unknown-user
Specifies whether the system ignores a user that is unknown. The
default value is disabled.
login-attribute
Specifies a logon attribute. Normally, the value for this option
is uid; however, if the server is a Microsoft Windows Active
Directory server, the value must be the account name
samaccountname (not case-insensitive). The default value is none.
login-filter
Specifies the filter to be applied to the CN of the client
certificate. This filter is a regular expression that extracts the
required information from the CN of the client certificate; the
extracted value is matched against the LDAP search results. The
default is disabled.
login-name
Specifies the LDAP attribute holding the client name. (The client
name is extracted from the client certificate as specified by ssl-
cname-field.) The default is disabled.
name Specifies a unique name for the component. This option is required
for the commands create and modify.
partition
Displays the administrative partition within which the component
resides.
port Specifies the port number or name for the LDAP service. Port 389
is typically used for non-SSL and port 636 is used for an SSL-
enabled LDAP service. The default value is ldap.
regex
Displays the items that match the regular expression. The regular
expression must be preceded by an at sign (@[regular expression])
to indicate that the identifier is a regular expression. See help
regex for a description of regular expression syntax.
scope
Specifies the search scope. The default value is sub. The possible
values are:
base The search scope is base object. The base value is almost
never useful for name service lookups.
one The search scope is one level.
sub The search scope is a subtree.
search-base-dn
Specifies the search base distinguished name. The default value is
none.
search-timeout
Specifies the search timeout, in seconds. The default value is 30.
servers
Specifies the LDAP servers that the system must use to obtain
authentication information. You must specify a server when you
create an LDAP configuration object.
ssl Enables or disables SSL functionality. The default is disabled.
Note that when you use tmsh to enable SSL for an LDAP service, the
system does not change the port number from 389 to 636, as is
required. To change the port number from the command line, use the
port option, for example, ldap [name] ssl enabled port 636.
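As an added illustration of this caveat (not from the manual), the first command below is the weak setting: SSL is enabled, but the port stays at its default of ldap (389) and the LDAP server's certificate is not checked. The second command shows the corrected form on the same object; the CA file path is an assumed placeholder:

```tmsh
# Added example. Weak: SSL on, but port is still "ldap" (389) and the peer is not verified.
modify auth cert-ldap bigip_cert_ldap_auth ssl enabled
list auth cert-ldap bigip_cert_ldap_auth

# Corrected: move to the SSL port and verify the LDAP server's certificate against a
# CA file. The path is a placeholder; give the full path to your CA certificate file.
modify auth cert-ldap bigip_cert_ldap_auth ssl enabled port 636 ssl-check-peer enabled ssl-ca-cert-file /config/ssl/ssl.crt/REPLACE-WITH-CA-FILE.crt
list auth cert-ldap bigip_cert_ldap_auth
```

The second list output should show port 636, ssl enabled and ssl-check-peer enabled; with ssl-check-peer left at its default of disabled, the connection is encrypted but the identity of the LDAP server is not verified.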
ssl-ca-cert-file
Specifies the name of an SSL CA certificate using the full path to
the file. The default value is none.
ssl-check-peer
Specifies whether the system checks an SSL peer. The default value
is disabled.
ssl-ciphers
Specifies SSL ciphers. The default value is none.
ssl-client-cert
Specifies the name of an SSL client certificate. The default value
is none.
ssl-client-key
Specifies the name of an SSL client key. The default value is
none.
ssl-cname-field
Specifies the value from the client certificate that provides the
client name. The client name must appear in either the subjectName
or subjectAltName (SAN) fields in the X.509v3 certificate. If it
appears in the subjectName field, the client name must be the
commonName (CN). If the client name appears in the SAN, it will
have the specified type. If san-other is specified, the ssl-cname-
otheroid must provide the OID of the UTF8 string containing the
client name. The choices are: subjectname-cn, san-other, san-
email, san-dns, san-x400, san-dirname, san-ediparty, san-uri, san-
ipadd, or san-rid. The default value is subjectname-cn.
ssl-cname-otheroid
Specifies the OID in dotted-decimal format of the UTF8 string in
the client's X.509v3 subjectAltName "other" attribute. This value
is required when ssl-cname-field is san-other. The default value
is none.
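Added example (not from the manual) of the san-other case: Windows smart-card logon certificates carry the user principal name (UPN) in a subjectAltName otherName whose OID is 1.3.6.1.4.1.311.20.2.3 and whose value is a UTF8 string. Mapping that value to the directory's userPrincipalName attribute is an assumed design choice, and the domain controller names, bind account and search base are placeholders:

```tmsh
# Added example for an Active Directory back end. The bind-dn is written as an
# e-mail-style name, as the bind-dn note requires for Active Directory, and
# login-attribute is samaccountname. The client name is taken from the SAN otherName
# with the UPN OID and compared against userPrincipalName (assumed attribute choice).
create auth cert-ldap ad_cert_ldap_auth servers add { dc1.example.com dc2.example.com } bind-dn svc-bigip@example.com bind-pw "REPLACE-ME" search-base-dn "dc=example,dc=com" scope sub login-attribute samaccountname ssl-cname-field san-other ssl-cname-otheroid 1.3.6.1.4.1.311.20.2.3 login-name userPrincipalName
list auth cert-ldap ad_cert_ldap_auth
```

If ssl-cname-field is set to san-other without ssl-cname-otheroid, the system has no OID to select the otherName entry; set both options in the same command so the object is never left in the incomplete state.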
sso Enables or disables Single Sign On (SSO) functionality. SSO
eliminates the need to administer and maintain multiple user
logons and eliminates the need for users to enter their
credentials multiple times. When SSO is disabled, the user will be
prompted to authenticate into the BIG-IP. The default is off.
user-template
Specifies a user template for the LDAP application to use for
authentication. The default value is none.
version
Specifies the version number of the LDAP application. The default
value is 3.
warnings
Enables or disables warning messages. The default value is
enabled.
SEE ALSO
auth user, create, delete, glob, list, modify, regex, run, show, tmsh
COPYRIGHT
No part of this program may be reproduced or transmitted in any form or
by any means, electronic or mechanical, including photocopying,
recording, or information storage and retrieval systems, for any
purpose other than the purchaser's personal use, without the express
written permission of F5 Networks, Inc.
F5 Networks and BIG-IP (c) Copyright 2008-2016. All rights reserved.
BIG-IP 2016-03-14 auth cert-ldap(1)