Forum Discussion

RiverFish
Apr 26, 2013

LDAP/AD authentication

My manager has assigned the task below to me. I am on LTM version 11.3. I saw the iApp LDAP template that comes with ver 11.3, but I don't think it will work for my scenario. Any help would be much appreciated...

Scenario: We have some devices that will use LDAP/AD for authentication, but don't have the capability of doing "bound" LDAP. It is desired if possible to create an F5-based mechanism that can bind to AD and proxy the LDAP authentication requests. It is anticipated that this will be deployed in both datacenters.

In this context "bound" and "bind" mean that AD won't agree to discuss authentication with you unless you have provided credentials that have permissions to do that. The process of providing those credentials is called "binding".

Thank you.

3 Replies

  • The LDAP iApp is for load balancing LDAP resources. Are you saying that your devices won't be able to perform bound LDAP queries, so you want the F5 to proxy the LDAP requests, as in BIND, and perform the queries on the device's behalf?

    Have you considered enabling anonymous LDAP queries to AD (http://windowsitpro.com/active-directory/q-how-do-i-enable-anonymous-ldap-binds-windows-server-2008-active-directory-ad)? Otherwise, the best option is to use the Access Policy Manager module (APM) to perform an LDAP bind and proxy.

  • Posted By Kevin Stewart on 04/26/2013 07:37 AM

    "Are you saying that your devices won't be able to perform bound LDAP queries, so you want the F5 to proxy the LDAP requests, as in BIND and perform the queries on the device's behalf?"

    Yes, that is correct. I believe anonymous LDAP queries are not an option for us. I will see if my company is willing to purchase APM. If not, is it even possible to write an iRule that will do LDAP bind and proxy? I saw this: https://devcentral.f5.com/wiki/iRules.LDAPProxy.ashx

  • Is it possible to inject the "binding" information into "unbound" client traffic using an iRule or Stream profile?
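The original post defines "binding" in words, and the last reply asks whether the binding information could be injected into unbound client traffic. The following is an added example, not code from the thread, from F5, or from the DevCentral LDAPProxy iRule: it encodes and decodes the LDAPv3 simple BindRequest/BindResponse messages (the BER subset from RFC 4511) using only the Python standard library, and shows the one step a credential-holding proxy performs, which is to replace a client's anonymous or unauthenticated bind with its own service-account bind while keeping the client's message ID. The service-account DN and password are constructed placeholders.

```python
"""
Minimal LDAPv3 simple-bind encoder/decoder (BER subset of RFC 4511), plus the
"inject the bind" step a credential-holding proxy would perform.  Standard
library only.  The service-account DN and password used below are constructed
placeholders, not values from the thread.
"""

# ---- BER primitives -------------------------------------------------------

def _ber_len(n):
    """Definite-length encoding: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, value):
    """Tag, length, value."""
    return bytes([tag]) + _ber_len(len(value)) + value


def _ber_int(value):
    """Two's-complement INTEGER/ENUMERATED contents (non-negative inputs)."""
    return value.to_bytes((value.bit_length() + 8) // 8, "big", signed=True)


def _read_tlv(buf, pos=0):
    """Return (tag, contents, position just after this element)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: next N bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

# ---- LDAP messages --------------------------------------------------------

SEQUENCE, INTEGER, OCTET_STRING, ENUMERATED = 0x30, 0x02, 0x04, 0x0A
BIND_REQUEST, BIND_RESPONSE = 0x60, 0x61   # [APPLICATION 0] / [APPLICATION 1]
SIMPLE_AUTH = 0x80                          # AuthenticationChoice.simple [0]
RESULT_SUCCESS, RESULT_INVALID_CREDENTIALS = 0, 49


def bind_request(message_id, dn, password):
    """LDAPMessage { messageID, BindRequest { version 3, name, simple password } }."""
    op = (_tlv(INTEGER, _ber_int(3))
          + _tlv(OCTET_STRING, dn.encode())
          + _tlv(SIMPLE_AUTH, password.encode()))
    return _tlv(SEQUENCE, _tlv(INTEGER, _ber_int(message_id)) + _tlv(BIND_REQUEST, op))


def parse_bind_request(msg):
    tag, body, _ = _read_tlv(msg)
    if tag != SEQUENCE:
        raise ValueError("not an LDAPMessage")
    _, mid, pos = _read_tlv(body)
    tag, op, _ = _read_tlv(body, pos)
    if tag != BIND_REQUEST:
        raise ValueError("not a BindRequest")
    _, version, pos = _read_tlv(op)
    _, dn, pos = _read_tlv(op, pos)
    auth_tag, cred, _ = _read_tlv(op, pos)
    if auth_tag != SIMPLE_AUTH:
        raise ValueError("only simple authentication is handled here")
    dn, password = dn.decode(), cred.decode()
    return {
        "message_id": int.from_bytes(mid, "big", signed=True),
        "version": int.from_bytes(version, "big", signed=True),
        "dn": dn,
        "password": password,
        # RFC 4513 terms: empty DN + empty password is anonymous; a DN with an
        # empty password is "unauthenticated".  Neither carries credentials.
        "anonymous": not dn and not password,
        "unauthenticated": bool(dn) and not password,
    }


def bind_response(message_id, result_code, diagnostic=""):
    op = (_tlv(ENUMERATED, _ber_int(result_code))
          + _tlv(OCTET_STRING, b"")                 # matchedDN (empty)
          + _tlv(OCTET_STRING, diagnostic.encode()))
    return _tlv(SEQUENCE, _tlv(INTEGER, _ber_int(message_id)) + _tlv(BIND_RESPONSE, op))


def parse_bind_response(msg):
    _, body, _ = _read_tlv(msg)
    _, mid, pos = _read_tlv(body)
    tag, op, _ = _read_tlv(body, pos)
    if tag != BIND_RESPONSE:
        raise ValueError("not a BindResponse")
    _, code, pos = _read_tlv(op)
    _, _matched_dn, pos = _read_tlv(op, pos)
    _, diag, _ = _read_tlv(op, pos)
    return {"message_id": int.from_bytes(mid, "big", signed=True),
            "result_code": int.from_bytes(code, "big", signed=True),
            "diagnostic": diag.decode()}

# ---- the proxy step -------------------------------------------------------

def proxy_bind(client_msg, service_dn, service_password):
    """Replace a credential-less client bind with the proxy's own service-account
    bind, keeping the client's messageID so the BindResponse can be matched back.
    Binds that already carry a password are forwarded untouched."""
    req = parse_bind_request(client_msg)
    if req["password"]:
        return client_msg
    return bind_request(req["message_id"], service_dn, service_password)


if __name__ == "__main__":
    SERVICE_DN = "CN=ldap-proxy,OU=Service Accounts,DC=example,DC=com"  # placeholder
    anon = bind_request(1, "", "")
    print(anon.hex())                      # the familiar 14-byte anonymous bind
    print(parse_bind_request(proxy_bind(anon, SERVICE_DN, "placeholder-secret"))["dn"])
```

Two design points follow from the bytes. First, bind state is per TCP connection, not per message, so the proxy has to own the bound connection to AD and map each client connection onto it; preserving the client's message ID is what lets the BindResponse (result code 0 or 49) be returned to the right requester. Second, once the proxy binds with a service account, every operation it forwards runs with that account's directory rights, so the account should be granted only the read permissions the devices need, and the client-side leg should be LDAPS (or StartTLS) since simple binds carry the password in clear text.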