F5 LDAP Authentication

In this first part I will show you how to set up login authentication on the F5 BIG-IP against LDAP.

Unfortunately, the documentation on F5’s website is not always very clear, and while a few people have blogged about how to get this to work, I found that the information was never complete and occasionally quite ambiguous. Even more so, even though both Active Directory and LDAP use the same protocol, the configuration will be slightly different.

So here is a step-by-step guide on how to set up login authentication against an LDAP database.


REQUIREMENTS: We will set up remote login authentication against an LDAP database, as per the following authorisation policy:

  1. Lab_F5-Admins group – users who belong to this group are full F5 administrators
  2. Lab_F5-RO group – users in this group have read-only (guest) access only
  3. All other users have no access at all, even when successfully authenticated (more on this later!)

INGREDIENTS: We will need the following:

  1. An LDAP Server
  2. The LDAP Base DN (Distinguished Name)
  3. LDAP Binding credentials
  4. LDAP path of the Lab_F5-Admins and Lab_F5-RO groups
  5. An F5 BIG-IP load balancer

We will gather all this information in step one below.


STEP 1: CONFIGURE THE LDAP SERVER

a) Configure connection parameters

As the LDAP server, I am using OpenLDAP 2.4.40, which ships with my Synology NAS as the Directory Server package. The screenshot below shows what the settings screen looks like:

During configuration of the LDAP server you specify the FQDN of your domain and a password; the system then automatically derives your Base DN and your Bind DN from them.

Depending on your LDAP implementation, you may have to use the CLI to get this information manually. In fact, we will do so here in order to get our 4th ingredient 🙂 – keep reading…

b) Configure users and groups and define group membership

We will create three users – f5-admin, f5-ro and f5-na; we will also create two groups – Lab_F5-Admins and Lab_F5-RO. Finally, we’ll assign the users to their respective groups.

[Screenshots: LDAP Users; LDAP Groups]

c) Get the LDAP paths for the newly created groups

Unfortunately, this wasn’t available in the GUI. After some digging into OpenLDAP, through trial and error I managed to find the command that lists the contents of the LDAP database. To get the info I needed, I just had to grep its output:

  • DN for the Lab_F5-Admins group: cn=Lab_F5-Admins,cn=groups,dc=home,dc=cm
  • DN for the Lab_F5-RO group: cn=Lab_F5-RO,cn=groups,dc=home,dc=cm
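Whatever command dumps your directory, the output is LDIF (this is what `slapcat` and `ldapsearch -LLL` emit), so the grep step can be replaced by a small parser. The following Python script is an added example, not the author's command: it parses an LDIF dump, resolves a group's DN by its cn, and lists which groups a user is a member of, so you can check the DNs you are about to type into the F5. The LDIF text, the extra `cn=users` group and the `description` attribute are constructed for the example; the two F5 group DNs are the ones from the post.

```python
import base64

# Constructed LDIF dump, shaped like `slapcat` / `ldapsearch -LLL` output for the lab
# directory described in the post (dc=home,dc=cm). The entries are made up for the example;
# one value is base64-encoded ("cn::") and one is folded over two lines, to exercise both rules.
SAMPLE_LDIF = """\
dn: dc=home,dc=cm
objectClass: dcObject
objectClass: organization
dc: home
o: home

dn: cn=groups,dc=home,dc=cm
objectClass: organizationalRole
cn: groups

dn: cn=Lab_F5-Admins,cn=groups,dc=home,dc=cm
objectClass: posixGroup
cn: Lab_F5-Admins
description: F5 administrators (full
  access)
gidNumber: 1001
memberUid: f5-admin

dn: cn=Lab_F5-RO,cn=groups,dc=home,dc=cm
objectClass: posixGroup
cn:: TGFiX0Y1LVJP
gidNumber: 1002
memberUid: f5-ro

dn: cn=users,cn=groups,dc=home,dc=cm
objectClass: posixGroup
cn: users
gidNumber: 100
memberUid: f5-admin
memberUid: f5-ro
memberUid: f5-na
"""


def _unfold(text):
    """Join LDIF continuation lines: a line starting with one space continues the previous line."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_ldif(text):
    """Return a list of (dn, attributes) tuples; attributes maps each type to its list of values."""
    entries, dn, attrs = [], None, {}
    for line in _unfold(text) + [""]:          # the trailing blank line flushes the last entry
        if not line.strip() or line.startswith("#"):
            if dn is not None:
                entries.append((dn, attrs))
            dn, attrs = None, {}
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):              # "attr:: <base64>" form
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        if attr == "dn":
            dn = value
        else:
            attrs.setdefault(attr, []).append(value)
    return entries


def group_dn(entries, cn):
    """DN of the posixGroup whose cn equals `cn` (case-insensitively, as LDAP's cn matching rule does)."""
    for dn, attrs in entries:
        if "posixGroup" in attrs.get("objectClass", []) and any(
            v.lower() == cn.lower() for v in attrs.get("cn", [])
        ):
            return dn
    return None


def groups_of(entries, uid):
    """Every group DN that lists `uid` as a memberUid, i.e. what the user's memberOf would contain."""
    return [dn for dn, attrs in entries if uid in attrs.get("memberUid", [])]


if __name__ == "__main__":
    entries = parse_ldif(SAMPLE_LDIF)
    for name in ("Lab_F5-Admins", "Lab_F5-RO"):
        print(f"DN for {name}: {group_dn(entries, name)}")
    for uid in ("f5-admin", "f5-ro", "f5-na"):
        print(uid, "->", groups_of(entries, uid))
```

Note that f5-na is only ever a member of the generic users group, which is exactly why the default role on the F5 matters for that account: the directory will authenticate it without complaint.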

STEP 2: CONFIGURE THE F5 FOR LDAP AUTHENTICATION

Go to System -> Users -> Authentication

NOTE: With LDAP authentication enabled, any user that exists in the LDAP database is authenticated successfully, regardless of its group membership. By default, such a user is assigned the permissions set in the External Users section.

STEP 3: CONFIGURE ACCOUNT PRIVILEGES

Once authentication completes, the LDAP account must be mapped to a Remote Role Group (see the tab next to the Authentication tab). The Remote Role Groups must be created first:

A Remote Role Group, in simple terms, is an ordered list of LDAP search criteria for identifying group membership. Once a user has been successfully authenticated against the LDAP database, the system tries to match that user against each criterion, line by line, top to bottom, and stops at the first match.

Within the F5, these groups are the main vehicle for assigning privileges; the privileges then propagate to their respective members.

Here, we’ve created two Remote Role Groups:

  1. F5-GUI-Admins-Synology – mapped to the Administrator role; it matches all LDAP users who belong to the Lab_F5-Admins group;
  2. F5-GUI-RO-Synology – mapped to the Guest role; it matches all LDAP users who belong to the Lab_F5-RO group.

Notice the memberof syntax in the group definition!

NOTE: As noted above, if a user matches none of the Remote Role Groups, it is assigned the default privileges set on the Authentication screen – in our case, no access.
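To make the first-match rule and the fall-through default concrete, here is an added Python example (not F5 code). It models the two Remote Role Groups from the post as an ordered rule list and evaluates them against each user's memberOf values. The `RemoteRoleGroup` fields and the `memberOF=<group DN>` attribute-string form are assumptions modelled on the post, as are the per-user memberOf lists and the extra `f5-both` user, who belongs to both groups and shows why line order matters.

```python
from dataclasses import dataclass


# Assumed shape of a BIG-IP Remote Role Group: a name, an attribute string of the form
# "memberOF=<group DN>", the role it grants and its position in the ordered list.
# The group names and roles come from the post; the field names are assumptions.
@dataclass(frozen=True)
class RemoteRoleGroup:
    name: str
    attribute_string: str
    role: str
    line_order: int


# The two groups the post creates, in the order they are evaluated.
ROLE_GROUPS = [
    RemoteRoleGroup("F5-GUI-Admins-Synology",
                    "memberOF=cn=Lab_F5-Admins,cn=groups,dc=home,dc=cm", "Administrator", 1),
    RemoteRoleGroup("F5-GUI-RO-Synology",
                    "memberOF=cn=Lab_F5-RO,cn=groups,dc=home,dc=cm", "Guest", 2),
]

# The External Users default chosen on the Authentication screen in the post.
DEFAULT_ROLE = "No Access"

# Constructed memberOf values per user, i.e. what the directory reports after a successful bind.
USERS = {
    "f5-admin": ["cn=Lab_F5-Admins,cn=groups,dc=home,dc=cm", "cn=users,cn=groups,dc=home,dc=cm"],
    "f5-ro":    ["cn=Lab_F5-RO,cn=groups,dc=home,dc=cm", "cn=users,cn=groups,dc=home,dc=cm"],
    "f5-na":    ["cn=users,cn=groups,dc=home,dc=cm"],   # authenticates, but is in neither F5 group
    "f5-both":  ["cn=Lab_F5-RO,cn=groups,dc=home,dc=cm", "cn=Lab_F5-Admins,cn=groups,dc=home,dc=cm"],
}


def normalize_dn(dn):
    """Lower-case and trim each RDN so 'CN=X, DC=Y' and 'cn=x,dc=y' compare equal."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def assign_role(member_of, role_groups, default_role=DEFAULT_ROLE):
    """Return (role, matched group name). Rules are walked in line order and the first hit wins;
    a user matching nothing falls through to the default set on the Authentication screen."""
    user_groups = {normalize_dn(dn) for dn in member_of}
    for rg in sorted(role_groups, key=lambda r: r.line_order):
        attr, _, wanted = rg.attribute_string.partition("=")
        if attr.lower() != "memberof":
            continue                                  # only memberOf rules are modelled here
        if normalize_dn(wanted) in user_groups:
            return rg.role, rg.name
    return default_role, None


def reversed_order(role_groups):
    """The same rules with their line order swapped, to show that order decides ambiguous users."""
    n = len(role_groups)
    return [RemoteRoleGroup(r.name, r.attribute_string, r.role, n + 1 - r.line_order)
            for r in role_groups]


if __name__ == "__main__":
    for uid, groups in USERS.items():
        print(uid, "->", assign_role(groups, ROLE_GROUPS))
    print("f5-both with the RO rule first ->",
          assign_role(USERS["f5-both"], reversed_order(ROLE_GROUPS)))
```

The check worth keeping from this is the last one: put the most privileged rule first only if that is the outcome you want for users who sit in several groups, and leave the default at No Access so that an account like f5-na, which the directory happily authenticates, still gets nothing on the F5.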


Thank you,

Rafael A. Couto Cabral • LinkedIn Profile
Cisco​ | F5 | VMware Certified • PRINCE2 Practitioner

Originally posted 2017-10-02 12:38:12.
