auth ldap
auth ldap(1) BIG-IP TMSH Manual auth ldap(1)
NAME
ldap - Configures an LDAP configuration object for implementing remote LDAP-based authentication of BIG-IP(r)
system users.
MODULE
auth
SYNTAX
Configure the ldap component within the auth module using the syntax shown in the following sections.
CREATE/MODIFY
create ldap [name]
modify ldap [name]
options:
bind-dn [ [account dn] | none]
bind-pw [none | [password] ]
bind-timeout [integer]
check-host-attr [disabled | enabled]
check-roles-group [disabled | enabled]
debug [disabled | enabled]
description [string]
filter [ [filter name] | none]
group-dn [ [group dn] | none]
group-member-attr [ [attribute] | none]
idle-timeout [integer]
ignore-auth-info-unavail [no | yes]
ignore-unknown-user [disabled | enabled]
include [string]
login-attribute [ [account name] | none]
port [ [name] | [integer]]
referrals [no | yes]
scope [base | one | sub]
search-base-dn [[search base dn] | none]
search-timeout [integer]
servers [add | delete | replace-all-with] {
[ [ip address] | [server name] ...] }
servers none
ssl [disabled | enabled]
ssl-ca-cert-file [ [file name] | none)
ssl-check-peer [disabled | enabled]
ssl-ciphers [ [string] | none]
ssl-client-cert [ [string] | none]
ssl-client-key [ [string] | none]
user-template [ [string] | none]
version [integer]
warnings [disabled | enabled]
edit ldap [ [ [name] | [glob] | [regex] ] ...]
options:
all-properties
non-default-properties
DISPLAY
list ldap
list ldap [ [ [name] | [glob] | [regex] ] ...]
show running-config ldap
show running-config ldap [ [ [name] | [glob] | [regex] ] ...]
options:
all-properties
non-default-properties
one-line
partition
DELETE
delete ldap [name]
DESCRIPTION
LDAP authentication is useful when the BIG-IP system users authentication or authorization data is stored on a
remote LDAP server or a Microsoft(r) Windows(r) Active Directory(r) server, and you want the user credentials
to be based on basic HTTP authentication (that is, user name and password).
To authenticate BIG-IP system users when their authentication data is stored on a remote LDAP server, you
create an LDAP configuration object, and then activate the object.
The following steps describe how to configure LDAP authentication for BIG-IP system users:
1. Use the ldap component in the auth module to configure an LDAP configuration object.
2. To activate LDAP authentication for BIG-IP system users, run the command sequence modify / auth source type
ldap
EXAMPLES
create ldap bigip_ldap_auth servers add {my_ldap_server}
Creates a configuration object named bigip_ldap_auth
delete ldap bigip_ldap_auth
Deletes the configuration object named bigip_ldap_auth.
OPTIONS
bind-dn
Specifies the distinguished name of an account to which to bind to perform searches. This search account
is a Read-only account. You can also use the admin account as the search account. If an administrative
distinguished name is not specified, then a bind is not attempted. The default value is none.
Note that if the remote server is a Microsoft Windows Active Directory server, the distinguished name
must be in the form of an email address.
bind-pw
Specifies the password for the search account created on the LDAP server. This option is required if you
enter a value for the bind-dn option. The default value is none.
bind-timeout
Specifies a bind timeout limit, in seconds. The default value is 30.
check-host-attr
Confirms the password for the bind distinguished name. This option is optional. The default value is
disabled.
check-roles-group
Specifies whether to verify a user's group membership given in the remote-role definitions, formatted as
*member*of="group-dn". The default value is disabled.
debug
Enables or disables syslog-ng debugging information at the LOG DEBUG level. The default value is
disabled. F5 Networks does not recommend using this option for normal configuration.
description
User defined description.
filter
Specifies a filter. Use this option for authorizing client traffic. The default value is none.
glob Displays the items that match the glob expression. See help glob for a description of glob expression
syntax.
group-dn
Specifies the group distinguished name. The system uses this option for authorizing client traffic. The
default value is none.
group-member-attribute
Specifies a group member attribute. The system uses this option for authorizing client traffic. The
default value is none.
idle-timeout
Specifies the idle timeout, in seconds, for connections. The default value is 3600 seconds.
ignore-auth-info-unavail
Specifies whether the system ignores authentication information if it is not available. The default value
is no.
ignore-unknown-user
Specifies whether the system ignores a user that is unknown. The default value is disabled.
include
Specifies configurations to add for nslcd conf file.
login-attribute
Specifies a logon attribute. Normally, the value for this option is uid; however, if the server is a
Microsoft Windows Active Directory server, the value must be the account name samaccountname (not case-
insensitive). The default value is none.
name Specifies a unique name for the component. This option is required for the commands create and modify.
partition
Displays the administrative partition within which the component resides.
port Specifies the port number or name for the LDAP service. Port 389 is typically used for non-SSL and port
636 is used for an SSL-enabled LDAP service. The default value is ldap.
referrals
Specifies whether automatic referral chasing should be enabled. The default value is yes.
regex
Displays the items that match the regular expression. The regular expression must be preceded by an at
sign (@[regular expression]) to indicate that the identifier is a regular expression. See help regex for
a description of regular expression syntax.
scope
Specifies the search scope. The default value is sub. The possible values are:
base The search scope is base object. The base value is almost never useful for name service lookups.
one The search scope is one level.
sub The search scope is a subtree.
search-base-dn
Specifies the search base distinguished name. The default value is none.
search-timeout
Specifies the search timeout, in seconds. The default value is 30.
servers
Specifies the LDAP servers that the system must use to obtain authentication information. You must
specify a server when you create an LDAP configuration object.
ssl Enables or disables SSL functionality. The default is disabled.
Note that when you use tmsh to enable SSL for an LDAP service, the system does not change the port number
from 389 to 636, as is required. To change the port number from the command line, use the port option,
for example, ldap [name] ssl enabled port 636.
ssl-ca-cert-file
Specifies the name of an SSL CA certificate using the full path to the file. The default value is none.
ssl-check-peer
Specifies whether the system checks an SSL peer. The default value is disabled.
ssl-ciphers
Specifies SSL ciphers. The default value is none.
ssl-client-cert
Specifies the name of an SSL client certificate. The default value is none.
ssl-client-key
Specifies the name of an SSL client key. The default value is none.
user-template
Specifies a user template for the LDAP application to use for authentication. The default value is none.
version
Specifies the version number of the LDAP application. The default value is 3.
warnings
Enables or disables warning messages. The default value is enabled.
SEE ALSO
auth user, create, delete, glob, list, modify, regex, run, show, tmsh
COPYRIGHT
No part of this program may be reproduced or transmitted in any form or by any means, electronic or
mechanical, including photocopying, recording, or information storage and retrieval systems, for any purpose
other than the purchaser's personal use, without the express written permission of F5 Networks, Inc.
F5 Networks and BIG-IP (c) Copyright 2008-2013, 2016. All rights reserved.
BIG-IP 2019-12-23 auth ldap(1)