ltm auth ssl-cc-ldap
ltm auth ssl-cc-ldap(1) BIG-IP TMSH Manual ltm auth ssl-cc-ldap(1)
NAME
ssl-cc-ldap - Configures an SSL client certificate configuration object for remote SSL-based LDAP
authorization for client traffic passing through the traffic management system.
MODULE
ltm auth
SYNTAX
Configure the ssl-cc-ldap component within the ltm auth module using the syntax shown in the following
sections.
CREATE/MODIFY
create ssl-cc-ldap [name]
modify ssl-cc-ldap [name]
options:
admin-dn [ [name] | none]
admin-password [none | [password] ]
cache-size [integer]
cache-timeout [integer]
certmap-base [none | [search base] ]
certmap-key [ [name] | none]
certmap-user-serial [no | yes]
description [string]
group-base [none | [search base] ]
group-key [ [name] | none]
group-member-key [[name] | none]
role-key [ [name] | none]
search-type [cert | certmap | user]
secure [no | yes]
servers
[add | delete | none | replace-all-with] {
[ip address ... ]
}
user-base [none | [search base] ]
user-class [ [class] | none]
user-key [ [key] | none]
valid-groups
[add | delete | replace-all-with] {
[group ... ]
}
valid-groups none
valid-roles
[add | delete | replace-all-with] {
[role ... ]
}
valid-roles none
edit ssl-cc-ldap [ [ [name] | [glob] | [regex] ] ... ]
options:
all-properties
non-default-properties
DISPLAY
list ssl-cc-ldap
list ssl-cc-ldap [ [ [name] | [glob] | [regex] ] ... ]
show running-config ssl-cc-ldap
show running-config ssl-cc-ldap
[ [ [name] | [glob] | [regex] ] ... ]
options:
all-properties
non-default-properties
one-line
partition
DELETE
delete ssl-cc-ldap [name]
DESCRIPTION
You can use the ssl-cc-ldap component to configure SSL client certificate-based remote LDAP authorization for
client traffic passing through the traffic management system.
To configure this type of authentication module and create a configuration object:
1. Use the ssl-cc-ldap component in the ltm auth module to create an SSL client certificate LDAP configuration
object.
2. Use the profile component in the ltm auth module to create an authentication profile in which you specify
the following options:
a. For the configuration option, specify the configuration object that you created in Step 1.
b. For the defaults-from option, specify a parent profile (either the default profile named ssl_cc_ldap or
another custom profile that you created).
OPTIONS
admin-dn
Specifies the distinguished name of the account to which the system binds in order to perform searches. This
search account is a read-only account; the admin account can also be used as the search account. If no
admin DN is specified, no bind is attempted and searches are performed anonymously.
This option is required only when an LDAP database does not allow anonymous searches. The default value
is none.
admin-password
Specifies the password for the admin account. See admin-dn above. The default value is none.
cache-size
Specifies the maximum size, in bytes, allowed for the SSL session cache. Setting this option to 0 (zero)
disallows SSL session caching. The default value is 20000 bytes (20KB).
cache-timeout
Specifies the number of usable lifetime seconds of negotiable SSL session IDs. When this time expires, a
client must negotiate a new session. The default value is 300 seconds.
certmap-base
Specifies the search base for the subtree used by the certmap search method. A typical search base is:
ou=people,dc=company,dc=com. The default value is none.
certmap-key
Specifies the name of the certificate map that the certmap search method uses. This name is found in the
LDAP database. The default value is none.
certmap-user-serial
Specifies whether the system uses the client certificate's subject or serial number (in conjunction with
the certificate's issuer) when trying to match an entry in the certificate map subtree.
A value of yes uses the serial number. A value of no uses the subject. The default value is no.
description
User defined description.
glob Displays the items that match the glob expression. See help glob for a description of glob expression
syntax.
group-base
Specifies the search base for the subtree used by group searches. Use this option only when specifying
the valid-groups option. The typical search base is similar to: ou=groups,dc=company,dc=com. The default
value is none.
group-key
Specifies the name of the attribute in the LDAP database that specifies the group name in the group
subtree. An example of a typical key is cn (common name for the group). The default value is none.
group-member-key
Specifies the name of the attribute in the LDAP database that specifies members (DNs) of a group. A
typical key is member. The default value is none.
name Specifies a unique name for the component. This option is required for the commands create, delete, and
modify.
partition
Displays the administrative partition within which the component resides.
regex
Displays the items that match the regular expression. The regular expression must be preceded by an at
sign (@[regular expression]) to indicate that the identifier is a regular expression. See help regex for
a description of regular expression syntax.
role-key
Specifies the name of the attribute in the LDAP database that specifies a user's authorization roles. Use
this option only when specifying the valid-roles option. A typical role key is authorizationRole. The
default value is none.
search-type
Specifies the type of LDAP search that is performed based on the client's certificate. Possible values
are:
cert Searches for the exact certificate.
certmap
Searches for a user by matching the certificate issuer together with either the certificate serial
number or the certificate subject (see certmap-user-serial).
user Searches for a user based on the common name found in the certificate. This is the default value.
secure
Specifies whether the system attempts to use secure LDAP (LDAP over SSL). The alternative to secure LDAP
is insecure (clear text) LDAP. Use secure LDAP when the network path between the BIG-IP system and the
LDAP server cannot be trusted. The default value is no.
servers
Specifies a list of LDAP servers you want to search. You must specify a server when you create an SSL
client certificate configuration object.
user-base
Specifies the search base for the subtree used when the search-type option is set to either user or cert.
A typical search base is: ou=people,dc=company,dc=com. You must specify a user base when you create an SSL
client certificate configuration object. The default value is none.
user-class
Specifies the object class in the LDAP database to which the user must belong to be authenticated. The
default value is none.
user-key
Specifies the key that denotes a user ID in the LDAP database (for example, the common key for the user
option is uid). You must specify a user key when you create an SSL client certificate configuration
object.
valid-groups
Specifies a space-delimited list of the names of groups to which the client must belong in order to be
authorized (matches against the group key in the group subtree). The client needs to be a member of only
one of the groups in the list. The default value is none.
valid-roles
Specifies a space-delimited list of the valid roles that clients must have to be authorized. The default
value is none.
SEE ALSO
create, delete, edit, glob, list, ltm auth profile, ltm virtual, modify, regex, show, tmsh
COPYRIGHT
No part of this program may be reproduced or transmitted in any form or by any means, electronic or
mechanical, including photocopying, recording, or information storage and retrieval systems, for any purpose
other than the purchaser's personal use, without the express written permission of F5 Networks, Inc.
F5 Networks and BIG-IP (c) Copyright 2008-2013, 2015. All rights reserved.
BIG-IP 2015-07-22 ltm auth ssl-cc-ldap(1)