ltm auth ssl-cc-ldap

ltm auth ssl-cc-ldap(1)       BIG-IP TMSH Manual       ltm auth ssl-cc-ldap(1)



NAME
       ssl-cc-ldap - Configures an SSL client certificate configuration object
       for remote SSL-based LDAP authorization for client traffic passing
       through the traffic management system.

MODULE
       ltm auth

SYNTAX
       Configure the ssl-cc-ldap component within the ltm auth module using
       the syntax shown in the following sections.

   CREATE/MODIFY
	create ssl-cc-ldap [name]
	modify ssl-cc-ldap [name]
	  options:
	    admin-dn [ [name] | none]
	    admin-password [none | [password] ]
	    cache-size [integer]
	    cache-timeout [integer]
	    certmap-base [none | [search base] ]
	    certmap-key [ [name] | none]
	    certmap-user-serial [no | yes]
	    description [string]
	    group-base [none | [search base] ]
	    group-key [ [name] | none]
	    group-member-key [[name] | none]
	    role-key [ [name] | none]
	    search-type [cert | certmap | user]
	    secure [no | yes]
	    servers
	      [add | delete | none | replace-all-with] {
		[ip address ... ]
	    }
	    user-base [none | [search base] ]
	    user-class [ [class] | none]
	    user-key [ [key] | none]
	    valid-groups
	      [add | delete | replace-all-with] {
		[group ... ]
	    }
	    valid-groups none
	    valid-roles
	      [add | delete | replace-all-with] {
		[role ... ]
	    }
	    valid-roles none

	edit ssl-cc-ldap [ [ [name] | [glob] | [regex] ] ... ]
	  options:
	    all-properties
	    non-default-properties

   DISPLAY
	list ssl-cc-ldap
	list ssl-cc-ldap [ [ [name] | [glob] | [regex] ] ... ]
	show running-config ssl-cc-ldap
	show running-config ssl-cc-ldap
	  [ [ [name] | [glob] | [regex] ] ... ]
	  options:
	    all-properties
	    non-default-properties
	    one-line
	    partition

   DELETE
	delete ssl-cc-ldap [name]

DESCRIPTION
       You can use the ssl-cc-ldap component to configure SSL client
       certificate-based remote LDAP authorization for client traffic passing
       through the traffic management system.

       To configure this type of authentication module and create a
       configuration object:

       1. Use the ssl-cc-ldap component in the ltm auth module to create an
       SSL client certificate LDAP configuration object.
       2. Use the profile component in the ltm auth module to create an
       authentication profile in which you specify the following options:
	   a. For the configuration option, specify the configuration object
	   that you created in Step 1.
	   b. For the defaults-from option, specify a parent profile (either
	   the default profile named ssl_cc_ldap or another custom profile
	   that you created).
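The two steps above written out as tmsh commands. This is an added illustration, not an example from the manual; the object names, server addresses, DNs, object class and group names are constructed placeholders. secure yes is set so that the search-account bind and the searches do not cross the network in clear text.

```tmsh
# Step 1: create the SSL client certificate LDAP configuration object.
# All values below are constructed placeholders.
create ltm auth ssl-cc-ldap cc_ldap_example \
    description "Client certificate LDAP authorization (example)" \
    servers add { 192.0.2.10 192.0.2.11 } \
    secure yes \
    admin-dn "cn=bigip-search,ou=service,dc=company,dc=com" \
    admin-password "REPLACE_WITH_SEARCH_ACCOUNT_PASSWORD" \
    search-type user \
    user-base "ou=people,dc=company,dc=com" \
    user-key uid \
    user-class inetOrgPerson \
    group-base "ou=groups,dc=company,dc=com" \
    group-key cn \
    group-member-key member \
    valid-groups add { vpn-users app-admins } \
    cache-size 20000 \
    cache-timeout 300

# Step 2: create the authentication profile that references the object
# (configuration option) and inherits the rest from the default
# ssl_cc_ldap profile (defaults-from option).
create ltm auth profile cc_ldap_example_profile \
    configuration cc_ldap_example \
    defaults-from ssl_cc_ldap

# Verify what was stored, including properties left at their defaults.
list ltm auth ssl-cc-ldap cc_ldap_example all-properties
list ltm auth profile cc_ldap_example_profile
```

Because valid-groups is set, group-base, group-key and group-member-key are all supplied, as the group-base option requires.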

OPTIONS
       admin-dn
	    Specifies the distinguished name of the account the system binds
	    as in order to perform searches. Use a read-only search account
	    for this purpose; the admin account can also serve as the search
	    account. If no admin DN is specified, no bind is attempted and
	    searches are performed anonymously.

	    This option is required only when the LDAP database does not
	    allow anonymous searches. The default value is none.

       admin-password
	    Specifies the password for the admin account. See admin-dn above.
	    The default value is none.

       cache-size
	    Specifies the maximum size, in bytes, allowed for the SSL session
	    cache. Setting this option to 0 (zero) disallows SSL session
	    caching. The default value is 20000 bytes (20KB).

       cache-timeout
	    Specifies the usable lifetime, in seconds, of negotiable SSL
	    session IDs. When this time expires, a client must negotiate a
	    new session. The default value is 300 seconds.

       certmap-base
	    Specifies the search base for the subtree used by the certmap
	    search method. A typical search base is:
	    ou=people,dc=company,dc=com. The default value is none.

       certmap-key
	    Specifies the name of the certificate map that the certmap search
	    method uses. This name is found in the LDAP database. The default
	    value is none.

       certmap-user-serial
	    Specifies whether the system uses the client certificate's subject
	    or serial number (in conjunction with the certificate's issuer)
	    when trying to match an entry in the certificate map subtree.

	    A value of yes uses the serial number. A value of no uses the
	    subject. The default value is no.

       description
	    User-defined description.

       glob Displays the items that match the glob expression. See help glob
	    for a description of glob expression syntax.

       group-base
	    Specifies the search base for the subtree used by group searches.
	    Use this option only when specifying the valid-groups option. The
	    typical search base is similar to: ou=groups,dc=company,dc=com.
	    The default value is none.

       group-key
	    Specifies the name of the attribute in the LDAP database that
	    specifies the group name in the group subtree. An example of a
	    typical key is cn (common name for the group). The default value
	    is none.

       group-member-key
	    Specifies the name of the attribute in the LDAP database that
	    specifies members (DNs) of a group. A typical key is member. The
	    default value is none.

       name Specifies a unique name for the component. This option is required
	    for the commands create, delete, and modify.

       partition
	    Displays the administrative partition within which the component
	    resides.

       regex
	    Displays the items that match the regular expression. The regular
	    expression must be preceded by an at sign (@[regular expression])
	    to indicate that the identifier is a regular expression. See help
	    regex for a description of regular expression syntax.

       role-key
	    Specifies the name of the attribute in the LDAP database that
	    specifies a user's authorization roles. Use this option only when
	    specifying the valid-roles option. A typical role key is
	    authorizationRole. The default value is none.

       search-type
	    Specifies the type of LDAP search that is performed based on the
	    client's certificate. Possible values are:

	    cert Searches for the exact certificate.

	    certmap
		 Searches for a user by matching the certificate issuer
		 together with either the certificate serial number or the
		 certificate subject, as selected by certmap-user-serial.

	    user Searches for a user based on the common name found in the
		 certificate. This is the default value.

       secure
	    Specifies whether the system uses secure LDAP (LDAP over SSL)
	    when connecting to the LDAP servers. The alternative is insecure
	    (clear text) LDAP, in which the searches and the admin-dn bind
	    cross the network unencrypted. Use secure LDAP whenever the
	    connection between the BIG-IP system and the LDAP server cannot
	    be trusted. The default value is no.

       servers
	    Specifies a list of LDAP servers you want to search. You must
	    specify a server when you create an SSL client certificate
	    configuration object.

       user-base
	    Specifies the search base for the subtree that is searched when
	    the search-type option is set to user or cert. A typical search
	    base is: ou=people,dc=company,dc=com. You must specify a user
	    base when you create an SSL client certificate configuration
	    object. The default value is none.

       user-class
	    Specifies the object class in the LDAP database to which the user
	    must belong to be authenticated. The default value is none.

       user-key
	    Specifies the attribute that denotes a user ID in the LDAP
	    database (for example, the common key for the user search type
	    is uid). You must specify a user key when you create an SSL
	    client certificate configuration object.

       valid-groups
	    Specifies a space-delimited list of the names of groups to which
	    the client must belong in order to be authorized (matches against
	    the group key in the group subtree). The client needs to be a
	    member of only one of the groups in the list. The default value is
	    none.

       valid-roles
	    Specifies a space-delimited list of the valid roles that clients
	    must have to be authorized. The default value is none.

SEE ALSO
       create, delete, edit, glob, list, ltm auth profile, ltm virtual,
       modify, regex, show, tmsh

COPYRIGHT
       No part of this program may be reproduced or transmitted in any form or
       by any means, electronic or mechanical, including photocopying,
       recording, or information storage and retrieval systems, for any
       purpose other than the purchaser's personal use, without the express
       written permission of F5 Networks, Inc.

       F5 Networks and BIG-IP (c) Copyright 2008-2013, 2015. All rights
       reserved.



BIG-IP				  2015-07-22	       ltm auth ssl-cc-ldap(1)