Configuring LDAP remote authentication for Active Directory - SSL Client Key

Information

This document defines F5 best practice recommendations for configuring and verifying remote Active Directory Lightweight Directory Access Protocol (LDAP) authentication of administrative connections.

Note: As is true for all remote authentication configurations, if the configured LDAP server is unavailable to answer authentication requests, the BIG-IP system uses the local user account database for authentication, and only locally defined user accounts, such as the default admin WebUI account and the root command line account, can log in to the system. Beginning in BIG-IP 13.0.0, you can use other local user accounts besides admin to fallback if the LDAP server is unavailable. More information about this feature is provided in the contents of this article.

Note: For more information about LDAP, refer to RFC 2251: Lightweight Directory Access Protocol (v3). This link takes you to a resource outside of AskF5, and it is possible that the information may be removed without our knowledge.

Solution

1. User Directory

The User Directory option specifies the authentication source. To configure the BIG-IP system to use a remote Active Directory server for authentication of administrative sessions, select Remote - LDAP.

2. Host

The Host option specifies the remote system hosting the LDAP database that the system will use for remote authentication. Only one host may be specified. In 9.0.0 through 9.4.7, and in 9.6.x, this should be the IP address of the Active Directory authentication server. In 9.4.8 and later, you may specify either a host name or an IP address.

3. Port

The Port option specifies the port that the system uses for access to the remote LDAP host server. The default port is 389. If your Active Directory server uses an alternate port, specify it here.

4. Remote Directory Tree

The Remote Directory Tree option specifies the file location of the user authentication database in the remote directory tree of the Active Directory LDAP server. At minimum, you must specify a domain component.

5. Scope

The Scope option specifies the level of the remote LDAP directory that the system should search for the user authentication. The following three options are available:

Note: The default setting is Sub.

Base
Specifies that the system searches the remote directory based on the access permissions of the DN that you specify in the Bind setting.

One
Specifies that the system searches one level of the remote directory.

Sub
Specifies that the system searches all subdirectories of the remote directory.

6. Bind

The Bind option specifies the distinguished name for binding to the LDAP server.

7. User Template

The User Template option defines which part of the supplied login credentials is used to construct the distinguished name when binding to the LDAP server.

8. SSL

The SSL option specifies whether the system uses an SSL port to communicate with the LDAP server. If you enable this setting, the port number changes automatically to 636, and the page presents additional options for specifying SSL certificate-related values.

9. SSL CA Certificate

The SSL CA Certificate option specifies the name of an SSL certificate from a certificate authority (CA).

See Also

https://support.f5.com/csp/article/K53108777#link_01

Item Details

Category: ACCESS CONTROL, CONFIGURATION MANAGEMENT

References: 800-53|AC-3(7), 800-53|CM-6b., CAT|II, CCI|CCI-000366, CCI|CCI-002169, Rule-ID|SV-74623r1_rule, STIG-ID|F5BI-DM-000179, Vuln-ID|V-60193

Plugin: F5

Control ID: 5d428b0dd4f820e19c58afb502f276c94fcce286597ea74ab486cd001200db5d