In this first part I will show you how to set up login authentication on the F5 BIG-IP against LDAP.
Unfortunately, the documentation on F5’s website is not always very clear, and while a few people have blogged about how to get this working, I found that the information was never complete and occasionally quite ambiguous. Moreover, even though Active Directory and a generic LDAP server speak the same protocol, the configuration differs slightly between the two.
So here is a step-by-step guide on how to set up login authentication against an LDAP database.
REQUIREMENTS: We will set up remote login authentication against an LDAP database, according to the following authorisation policy:
- Lab_F5-Admins Group – users who belong to this group are full F5 administrators
- Lab_F5-RO Group – users in this group have Read-Only (guest) access only
- All other users should have no access at all, even when they authenticate successfully (I will explain this later!)
INGREDIENTS: We will need the following:
- An LDAP Server
- The LDAP Base DN (Distinguished Name)
- LDAP Binding credentials
- LDAP path of the Lab_F5-Admins and Lab_F5-RO groups
- F5-BIGIP Load balancer
We will gather all this information in step one below.
STEP 1: CONFIGURE THE LDAP SERVER
a) Configure connection parameters
As the LDAP server, I am using OpenLDAP 2.4.40, which ships with my Synology NAS as the Directory Server package. The screenshot below shows what the settings screen looks like:
During configuration of the LDAP server you specify the FQDN of your domain and a password; the system then automatically derives your Base DN and the Bind DN from them.
Depending on your LDAP implementation, you may have to use the CLI to get this information manually. In fact, we will do exactly that here to get our 4th ingredient 🙂 – keep reading…
b) Configure users and groups, and define group membership
We will create three users – f5-admin, f5-ro and f5-na – and two groups – Lab_F5-Admins and Lab_F5-RO. Finally, we’ll assign the users to their respective groups.
c) Get the LDAP paths for the newly created groups
Unfortunately, this information isn’t available in the GUI. After some digging into OpenLDAP, through trial and error I found the command that lists the contents of the LDAP database; to extract the information I needed, I just had to pipe its output through grep:
- DN for Lab_F5-Admins group: cn=Lab_F5-Admins,cn=groups,dc=home,dc=cm
- DN for Lab_F5-RO: cn=Lab_F5-RO,cn=groups,dc=home,dc=cm
STEP 2: CONFIGURE THE F5 FOR LDAP AUTHENTICATION
Go to System -> Users -> Authentication …
STEP 3: CONFIGURE ACCOUNT PRIVILEGES
Once authentication completes, the LDAP account must be mapped to a Remote Role Group (see the tab next to the Authentication tab). The Remote Role Group must first be created:
A Remote Role Group, in simple terms, is an ordered list of LDAP search criteria used to identify group membership. Once a user has successfully authenticated against the LDAP database, the system tries to match that user against each criterion, line by line from top to bottom, and stops at the first match.
Within the F5, Remote Role Groups are where privileges are assigned; those privileges then propagate to every user matched by the group.
Here, we’ve created two Remote Role Groups:
- F5-GUI-Admins-Synology: mapped to the Administrator role; it matches all LDAP users who belong to the Lab_F5-Admins group;
- F5-GUI-RO-Synology: mapped to the Guest role; it matches all LDAP users who belong to the Lab_F5-RO group.
Notice the memberof syntax in the group definition!
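To make the ordered, first-match evaluation and the "all other users get nothing" requirement concrete, here is an added simulation of how the Remote Role Group lines above are walked for an authenticated user. This is example code written for this post, not F5 or Synology code; the group DNs are the ones gathered in step 1, while the usernames, their memberOf values and the extra f5-both user are constructed sample data.

```python
# Remote Role Group lines in line-order, as the post defines them:
# (attribute criterion, role). Evaluated top to bottom; first match wins.
REMOTE_ROLE_LINES = [
    ("memberOf=cn=Lab_F5-Admins,cn=groups,dc=home,dc=cm", "administrator"),
    ("memberOf=cn=Lab_F5-RO,cn=groups,dc=home,dc=cm", "guest"),
]

# Role for authenticated users that match no line. BIG-IP's "no-access"
# role is what implements the requirement that all other users get nothing.
DEFAULT_ROLE = "no-access"

# Constructed LDAP entries, as the BIG-IP would read them after the bind.
LDAP_USERS = {
    "f5-admin": {"memberOf": ["cn=Lab_F5-Admins,cn=groups,dc=home,dc=cm"]},
    "f5-ro": {"memberOf": ["cn=Lab_F5-RO,cn=groups,dc=home,dc=cm"]},
    "f5-na": {"memberOf": []},  # authenticates, but is in neither group
    "f5-both": {"memberOf": [  # constructed: member of both groups
        "cn=Lab_F5-RO,cn=groups,dc=home,dc=cm",
        "cn=Lab_F5-Admins,cn=groups,dc=home,dc=cm",
    ]},
}


def normalise_dn(dn):
    """Case-fold and strip whitespace around RDN separators, so that
    'CN=Lab_F5-RO, CN=groups,...' compares equal to the DN from step 1c."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def criterion_matches(criterion, entry):
    """criterion is 'attr=value'; it matches when value is one of entry[attr].
    Only the first '=' separates attribute from value; the DN keeps its own."""
    attr, _, value = criterion.partition("=")
    values = entry.get(attr, [])
    return normalise_dn(value) in {normalise_dn(v) for v in values}


def assign_role(username, users=LDAP_USERS, lines=REMOTE_ROLE_LINES):
    """Walk the Remote Role Group lines top to bottom; stop at the first
    match; fall through to DEFAULT_ROLE when nothing matches."""
    entry = users.get(username)
    if entry is None:
        return None  # no LDAP entry: authentication itself would have failed
    for criterion, role in lines:
        if criterion_matches(criterion, entry):
            return role
    return DEFAULT_ROLE
```

Because f5-both is matched by the Lab_F5-Admins line first, line order decides which role a user in two groups receives, so put the most privileged line first only if that is the intended outcome. On OpenLDAP the memberOf attribute exists only when the memberof overlay is enabled; without it no memberOf criterion can match and every user falls through to the default role.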
Rafael A. Couto Cabral • LinkedIn Profile
Cisco | F5 | VMware Certified • PRINCE2 Practitioner
Originally posted 2017-10-02 12:38:12.