ltm auth ldap

ltm auth ldap(1)	      BIG-IP TMSH Manual	      ltm auth ldap(1)



NAME
       ldap - Configures an LDAP configuration object for implementing remote
       LDAP-based client authentication.

MODULE
       ltm auth

SYNTAX
       Configure the ldap component within the ltm auth module using the
       syntax shown in the following sections.

   CREATE/MODIFY
	create ldap [name]
	modify ldap [name]
	  options:
	    bind-dn [ [account dn] | none]
	    bind-pw [ [string] | none]
	    bind-timeout [integer]
	    check-host-attr [disabled | enabled]
	    debug [disabled | enabled]
	    description [string]
	    filter [ [string] | none]
	    group-dn [ [group dn] | none]
	    group-member-attr [ [string] | none]
	    idle-timeout [integer]
	    ignore-auth-info-unavail [no | yes]
	    ignore-unknown-user [disabled | enabled]
	    login-attribute [ [account name] | none]
	    port [ [name] | [integer]]
	    scope [base | one | sub]
	    search-base-dn [ [search base dn] | none]
	    search-timeout [number]
	    servers
	      [add | delete | replace-all-with] {
		[ip address ... ]
	    }
	    servers none
	    ssl [disabled | enabled]
	    ssl-ca-cert-file [ [name] | none]
	    ssl-check-peer [disabled | enabled]
	    ssl-ciphers [ [string] | none]
	    ssl-client-cert [ [string] | none]
	    ssl-client-key [ [string] | none]
	    user-template [ [string] | none]
	    version [number]
	    warnings [disabled | enabled]

	edit ldap [ [ [name] | [glob] | [regex] ] ... ]
	 options:
	   all-properties
	   non-default-properties

   DISPLAY
	list ldap
	list ldap [ [ [name] | [glob] | [regex] ] ... ]
	show running-config ldap
	show running-config ldap [ [ [name] | [glob] | [regex] ] ... ]
	  options:
	    all-properties
	    non-default-properties
	    one-line
	    partition

   DELETE
	delete ldap [name]

DESCRIPTION
       LDAP authentication is a mechanism for authenticating or authorizing
       client connections passing through the system. LDAP authentication is
       useful when your authentication or authorization data is stored on a
       remote LDAP server or a Microsoft(r) Windows Active Directory(r)
       server, and you want the client credentials to be based on basic HTTP
       authentication (that is, user name and password).

       To configure an LDAP authentication module and create an LDAP
       configuration object:

       1. Use the ldap component in the ltm auth module to create an LDAP
       configuration object.
       2. Use the profile component, in the ltm auth module, to create an
       authentication profile in which you specify the following options:
	   a. For the configuration option, specify the LDAP configuration
	   object that you created in Step 1.
	   b. For the defaults-from option, specify a parent profile (either
	   the default LDAP profile named ldap or another custom profile that
	   you created).
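
       The two-step procedure above, carried through end to end as an added
       example (this is not from the F5 manual; the server addresses, the
       directory under dc=example,dc=com, the search account, the CA file
       path, the profile name and the virtual server name my_vs are all
       assumed). The object is created with SSL enabled and the server
       certificate checked, since the bind password and every user's
       credentials otherwise cross the network in clear text:

```tmsh
# Added example, not F5's own text. All names, addresses, DNs and paths
# are assumed for illustration.

# Step 1: the LDAP configuration object.
#   - servers: two directory servers, by IP address
#   - bind-dn/bind-pw: a dedicated read-only search account, not admin
#   - search-base-dn/scope: where user entries are looked up
#   - login-attribute: uid for an OpenLDAP-style directory
#     (samaccountname for Active Directory)
#   - ssl/port/ssl-check-peer/ssl-ca-cert-file: LDAPS on 636 with the
#     server certificate verified against the named CA file
create ltm auth ldap my_auth_ldap {
    servers add { 10.0.0.10 10.0.0.11 }
    bind-dn "cn=bigip-search,ou=services,dc=example,dc=com"
    bind-pw "<search-account-password>"
    search-base-dn "ou=people,dc=example,dc=com"
    scope sub
    login-attribute uid
    ssl enabled
    port 636
    ssl-check-peer enabled
    ssl-ca-cert-file /config/ssl/ssl.crt/ldap-ca.crt
}

# Step 2: the authentication profile. configuration names the object
# from step 1; defaults-from names the built-in parent profile ldap.
create ltm auth profile my_auth_ldap_profile {
    configuration my_auth_ldap
    defaults-from ldap
}

# Apply the profile to the virtual server whose traffic is to be
# authenticated. my_vs is assumed to exist and to already carry an http
# profile, because the credentials arrive as HTTP basic authentication.
modify ltm virtual my_vs { profiles add { my_auth_ldap_profile } }

# Confirm what was stored.
list ltm auth ldap my_auth_ldap
list ltm auth profile my_auth_ldap_profile
list ltm virtual my_vs profiles
```

       The same commands can be typed as single lines (as in the EXAMPLES
       section) or, from within the ltm auth module, with the leading
       ltm auth omitted.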

EXAMPLES
       create ldap my_auth_ldap servers add {my_ldap_auth_server}

       Creates a configuration object named my_auth_ldap that uses the
       server my_ldap_auth_server.

       delete ldap my_auth_ldap

       Deletes the configuration object named my_auth_ldap.

OPTIONS
       bind-dn
	    Specifies the distinguished name of the account the system binds
	    as in order to perform searches. This search account needs only
	    read access to the directory. The admin account will work, but a
	    dedicated read-only account is preferable, since its password is
	    stored in the BIG-IP configuration as bind-pw. If no bind DN is
	    specified, no bind is attempted and searches are performed
	    anonymously. The default value is none.

	    This option is required only when the directory does not allow
	    anonymous searches. If the remote server is a Microsoft(r)
	    Windows(r) Active Directory(r) server, the bind identity must be
	    given in the form of an email address (user@domain) rather than
	    as a distinguished name.

       bind-pw
	    Specifies the password for the search account created on the LDAP
	    server. This option is required if you specify a value for the
	    bind-dn option. The default value is none.

       bind-timeout
	    Specifies a bind timeout limit. The default value is 30 seconds.

       check-host-attr
	    Confirms the password for the bind distinguished name. This option
	    is optional. The default value is disabled.

       debug
	    Enables or disables syslog-ng debugging information at LOG DEBUG
	    level. The default value is disabled. F5 Networks does not
	    recommend using this option for normal configuration.

       description
	    User defined description.

       filter
	    Specifies a filter. Use this option for authorizing client
	    traffic. The default value is none.

       glob Displays the items that match the glob expression. See help glob
	    for a description of glob expression syntax.

       group-dn
	    Specifies the group distinguished name. The system uses this
	    option for authorizing client traffic. The default value is none.

       group-member-attr
	    Specifies a group member attribute. The system uses this option
	    for authorizing client traffic. The default value is none.

       idle-timeout
	    Specifies the idle timeout, in seconds, for connections. The
	    default value is 3600 seconds.

       ignore-auth-info-unavail
	    Specifies whether the system ignores authentication information,
	    if it is not available. The default value is no.

       ignore-unknown-user
	    Specifies whether the system ignores a user that is unknown. The
	    default value is disabled.

       login-attribute
	    Specifies a logon attribute. Normally, the value for this option
	    is uid; however, if the server is a Microsoft Windows Active
	    Directory server, the value must be the account name
	    samaccountname (not case-sensitive). The default value is none.
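
       An Active Directory variant that ties together the AD-specific
       advice above for bind-dn (email-address form) and login-attribute
       (samaccountname) with the authorization options filter, group-dn and
       group-member-attr, as an added example that is not part of the F5
       manual. The object my_auth_ldap is assumed to exist already; the
       server address, domain, DNs and group name are assumed. The manual
       says only that filter is used for authorizing client traffic; that
       it is an ordinary LDAP search filter string is an assumption of this
       example:

```tmsh
# Added example, not F5's own text. Server, domain, DNs, group name and
# the treatment of filter as an LDAP search filter are all assumptions.
modify ltm auth ldap my_auth_ldap {
    servers replace-all-with { 10.0.0.20 }

    # AD: bind identity as user@domain, not as a DN (see bind-dn above).
    bind-dn "svc-bigip-ldap@corp.example.com"
    bind-pw "<search-account-password>"

    search-base-dn "ou=Users,dc=corp,dc=example,dc=com"

    # AD: the login name lives in sAMAccountName (matched case-insensitively).
    login-attribute samaccountname

    # Authorization: only members of this group are accepted. In AD the
    # group object lists its members in the multi-valued attribute member.
    group-dn "cn=App Users,ou=Groups,dc=corp,dc=example,dc=com"
    group-member-attr member

    # Additional search filter (assumed to be an LDAP filter string):
    # require a user object and exclude disabled accounts. The OID is the
    # LDAP_MATCHING_RULE_BIT_AND rule; bit 2 of userAccountControl is
    # ACCOUNTDISABLE, so an account with that bit set never matches.
    filter "(&(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))"
}

# Review the result with all properties shown, including the defaults.
list ltm auth ldap my_auth_ldap all-properties
```

       Authentication alone only proves that a user exists in the
       directory and knows the password; the group and filter settings are
       what turn that into an access decision, so set them whenever the
       virtual server should not be open to every directory account.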

       name Specifies a unique name for the component. This option is required
	    for the commands create, delete, and modify.

       partition
	    Displays the administrative partition within which the component
	    resides.

       port Specifies the port number or name for the LDAP service. Port 389
	    is typically used for non-SSL and port 636 is used for an SSL-
	    enabled LDAP service. The default value is ldap.

       regex
	    Displays the items that match the regular expression. The regular
	    expression must be preceded by an at sign (@[regular expression])
	    to indicate that the identifier is a regular expression. See help
	    regex for a description of regular expression syntax.

       scope
	    Specifies the search scope. The default value is sub. The options
	    are:

	    base Specifies the search scope is base object. The base value is
		 almost never useful for nameservice lookups.

	    one  Specifies the search scope is one level.

	    sub  Specifies the search scope is subtree.

       search-base-dn
	    Specifies the search base distinguished name. The default value is
	    none.

       search-timeout
	    Specifies the search timeout. The default value is 30 seconds.

       servers
	    Specifies the LDAP servers that the system must use to obtain
	    authentication information. You must specify a server when you
	    create an LDAP configuration object.

       ssl  Enables or disables SSL for the connection to the LDAP servers.
	    The default is disabled, in which case the bind password and the
	    users' credentials are sent to the directory in clear text.

	    Note that when you use the command line interface to enable SSL
	    for an LDAP service, the system does not change the service port
	    number from 389 to 636 for you. To change the port number from
	    the command line, use the port option of this command (see
	    above), for example, modify ldap [name] ssl enabled port 636.
	    Enabling SSL encrypts the connection but does not by itself
	    verify the identity of the LDAP server; for that, also enable
	    ssl-check-peer and supply the CA certificate with
	    ssl-ca-cert-file.

       ssl-ca-cert-file
	    Specifies the name of an SSL CA certificate using the full path to
	    the file. The default value is none.

       ssl-check-peer
	    Specifies whether the system verifies the LDAP server's SSL
	    certificate against the CA certificate named by ssl-ca-cert-file.
	    The default value is disabled, meaning any certificate presented
	    by the server is accepted; enable it in production so that a
	    host impersonating the directory cannot collect the bind password
	    and user credentials.

       ssl-ciphers
	    Specifies SSL ciphers. The default value is none.

       ssl-client-cert
	    Specifies the name of an SSL client certificate. The default value
	    is none.

       ssl-client-key
	    Specifies the name of an SSL client key. The default value is
	    none.

       user-template
	    Specifies a user template for the LDAP application to use for
	    authentication. The default value is none.

       version
	    Specifies the version number of the LDAP application. The default
	    value is 3.

       warnings
	    Enables or disables warning messages. The default value is
	    enabled.

SEE ALSO
       create, delete, edit, glob, list, ltm auth profile, ltm virtual,
       modify, regex, reset-stats, show, tmsh

COPYRIGHT
       No part of this program may be reproduced or transmitted in any form or
       by any means, electronic or mechanical, including photocopying,
       recording, or information storage and retrieval systems, for any
       purpose other than the purchaser's personal use, without the express
       written permission of F5 Networks, Inc.

       F5 Networks and BIG-IP (c) Copyright 2008-2013, 2016. All rights
       reserved.



BIG-IP				  2016-03-14		      ltm auth ldap(1)