auth ldapΒΆ

auth ldap(1)		      BIG-IP TMSH Manual		  auth ldap(1)



NAME
       ldap - Configures an LDAP configuration object for implementing remote
       LDAP-based authentication of BIG-IP(r) system users.

MODULE
       auth

SYNTAX
       Configure the ldap component within the auth module using the syntax
       shown in the following sections.

   CREATE/MODIFY
	create ldap [name]
	modify ldap [name]
	  options:
	    bind-dn [ [account dn] | none]
	    bind-pw [none | [password] ]
	    bind-timeout [integer]
	    check-host-attr [disabled | enabled]
	    check-roles-group [disabled | enabled]
	    debug [disabled | enabled]
	    description [string]
	    filter [ [filter name] | none]
	    group-dn [ [group dn] | none]
	    group-member-attr [ [attribute] | none]
	    idle-timeout [integer]
	    ignore-auth-info-unavail [no | yes]
	    ignore-unknown-user [disabled | enabled]
	    login-attribute [ [account name] | none]
	    port [ [name] | [integer]]
	    scope [base | one | sub]
	    search-base-dn [[search base dn] | none]
	    search-timeout [integer]
	    servers [add | delete | replace-all-with] {
		[ [ip address] | [server name] ...] }
	    servers none
	    ssl [disabled | enabled]
	    ssl-ca-cert-file [ [file name] | none)
	    ssl-check-peer [disabled | enabled]
	    ssl-ciphers [ [string] | none]
	    ssl-client-cert [ [string] | none]
	    ssl-client-key [ [string] | none]
	    user-template [ [string] | none]
	    version [integer]
	    warnings [disabled | enabled]

	edit ldap [ [ [name] | [glob] | [regex] ] ...]
	  options:
	    all-properties
	    non-default-properties

   DISPLAY
	list ldap
	list ldap [ [ [name] | [glob] | [regex] ] ...]
	show running-config ldap
	show running-config ldap [ [ [name] | [glob] | [regex] ] ...]
	  options:
	    all-properties
	    non-default-properties
	    one-line
	    partition

   DELETE
	delete ldap [name]

DESCRIPTION
       LDAP authentication is useful when the BIG-IP system users
       authentication or authorization data is stored on a remote LDAP server
       or a Microsoft(r) Windows(r) Active Directory(r) server, and you want
       the user credentials to be based on basic HTTP authentication (that is,
       user name and password).

       To authenticate BIG-IP system users when their authentication data is
       stored on a remote LDAP server, you create an LDAP configuration
       object, and then activate the object.

       The following steps describe how to configure LDAP authentication for
       BIG-IP system users:

       1. Use the ldap component in the auth module to configure an LDAP
       configuration object.

       2. To activate LDAP authentication for BIG-IP system users, run the
       command sequence modify / auth source type ldap

EXAMPLES
       create ldap bigip_ldap_auth servers add {my_ldap_server}

       Creates a configuration object named bigip_ldap_auth

       delete ldap bigip_ldap_auth

       Deletes the configuration object named bigip_ldap_auth.

OPTIONS
       bind-dn
	    Specifies the distinguished name of an account to which to bind to
	    perform searches. This search account is a Read-only account. You
	    can also use the admin account as the search account. If an
	    administrative distinguished name is not specified, then a bind is
	    not attempted. The default value is none.

	    Note that if the remote server is a Microsoft Windows Active
	    Directory server, the distinguished name must be in the form of an
	    email address.

       bind-pw
	    Specifies the password for the search account created on the LDAP
	    server. This option is required if you enter a value for the bind-
	    dn option. The default value is none.

       bind-timeout
	    Specifies a bind timeout limit, in seconds. The default value is
	    30.

       check-host-attr
	    Confirms the password for the bind distinguished name. This option
	    is optional. The default value is disabled.

       check-roles-group
	    Specifies whether to verify a user's group membership given in the
	    remote-role definitions, formatted as *member*of="group-dn". The
	    default value is disabled.

       debug
	    Enables or disables syslog-ng debugging information at the LOG
	    DEBUG level. The default value is disabled. F5 Networks does not
	    recommend using this option for normal configuration.

       description
	    User defined description.

       filter
	    Specifies a filter. Use this option for authorizing client
	    traffic. The default value is none.

       glob Displays the items that match the glob expression. See help glob
	    for a description of glob expression syntax.

       group-dn
	    Specifies the group distinguished name. The system uses this
	    option for authorizing client traffic. The default value is none.

       group-member-attribute
	    Specifies a group member attribute. The system uses this option
	    for authorizing client traffic. The default value is none.

       idle-timeout
	    Specifies the idle timeout, in seconds, for connections. The
	    default value is 3600 seconds.

       ignore-auth-info-unavail
	    Specifies whether the system ignores authentication information if
	    it is not available. The default value is no.

       ignore-unknown-user
	    Specifies whether the system ignores a user that is unknown. The
	    default value is disabled.

       login-attribute
	    Specifies a logon attribute. Normally, the value for this option
	    is uid; however, if the server is a Microsoft Windows Active
	    Directory server, the value must be the account name
	    samaccountname (not case-insensitive). The default value is none.

       name Specifies a unique name for the component. This option is required
	    for the commands create and modify.

       partition
	    Displays the administrative partition within which the component
	    resides.

       port Specifies the port number or name for the LDAP service. Port 389
	    is typically used for non-SSL and port 636 is used for an SSL-
	    enabled LDAP service. The default value is ldap.

       regex
	    Displays the items that match the regular expression. The regular
	    expression must be preceded by an at sign (@[regular expression])
	    to indicate that the identifier is a regular expression. See help
	    regex for a description of regular expression syntax.

       scope
	    Specifies the search scope. The default value is sub. The possible
	    values are:

	    base The search scope is base object. The base value is almost
		 never useful for name service lookups.

	    one  The search scope is one level.

	    sub  The search scope is a subtree.

       search-base-dn
	    Specifies the search base distinguished name. The default value is
	    none.

       search-timeout
	    Specifies the search timeout, in seconds. The default value is 30.

       servers
	    Specifies the LDAP servers that the system must use to obtain
	    authentication information. You must specify a server when you
	    create an LDAP configuration object.

       ssl  Enables or disables SSL functionality. The default is disabled.

	    Note that when you use tmsh to enable SSL for an LDAP service, the
	    system does not change the port number from 389 to 636, as is
	    required. To change the port number from the command line, use the
	    port option, for example, ldap [name] ssl enabled port 636.

       ssl-ca-cert-file
	    Specifies the name of an SSL CA certificate using the full path to
	    the file. The default value is none.

       ssl-check-peer
	    Specifies whether the system checks an SSL peer. The default value
	    is disabled.

       ssl-ciphers
	    Specifies SSL ciphers. The default value is none.

       ssl-client-cert
	    Specifies the name of an SSL client certificate. The default value
	    is none.

       ssl-client-key
	    Specifies the name of an SSL client key. The default value is
	    none.

       user-template
	    Specifies a user template for the LDAP application to use for
	    authentication. The default value is none.

       version
	    Specifies the version number of the LDAP application. The default
	    value is 3.

       warnings
	    Enables or disables warning messages. The default value is
	    enabled.

SEE ALSO
       auth user, create, delete, glob, list, modify, regex, run, show, tmsh

COPYRIGHT
       No part of this program may be reproduced or transmitted in any form or
       by any means, electronic or mechanical, including photocopying,
       recording, or information storage and retrieval systems, for any
       purpose other than the purchaser's personal use, without the express
       written permission of F5 Networks, Inc.

       F5 Networks and BIG-IP (c) Copyright 2008-2013, 2016. All rights
       reserved.



BIG-IP				  2016-03-14			  auth ldap(1)