Applies To:

Show Versions Show Versions

Manual Chapter: LDAP User Authentication
Manual Chapter
Table of Contents   |   Next Chapter >>

LDAP User Authentication

Use my LDAP server to authenticate BIG-IQ users

F5® BIG-IQ® Centralized Management can verify user credentials against your company's LDAP server (LDAP server versions 2 and 3, and OpenLDAP directory, Apache Directory Server, and Active Directory). After you set up BIG-IQ to use your LDAP server, you can add users and user groups that authenticated by your LDAP server.

Before integrating BIG-IQ with your LDAP server for authentication

Before integrating LDAP authentication with the F5 BIG-IQ Centralized Management system, you must complete these tasks.

Task Notes For my LDAP server
Use an LDAP browser to review the groups and users in your directory's structure and determine where they are located in the organizational units (OUs). Then, decide how you want to map those names. There are two ways you can do this. The first option is to map users directly to their Distinguished Name (DN) in the directory with a user bind template in the form of uid=<username>, ou=people, o=sevenSeas. For example, you'd map John Smith's user name to his DN as uid=<jsmith>, ou=people, o=sevenSeas and he would log in as jsmith and would be correctly authenticated with his user name in the directory through his DN.  
  The second option is to allow users to log in with names that do not map directly to their DN by specifying a userSearchFilter in the form of (&(uid=%s)) when creating the provider. For example, if John Smith's DN is cn=John Smith,ou=people,o=sevenSeas, but you would like him to be able to log in with jsmith, specify a userSearchFilter in the form of (&(jsmith=%s)). If your directory does not allow anonymous binds, you must also specify a bindUser and bindPassword so that the BIG-IQ system can validate the user's credentials.  
Decide which groups in your directory to map with BIG-IQ groups. If you configured a bindUser and bindPassword for users, the BIG-IQ system displays a list of groups from which to choose.  
  If you haven't configured this for your users, you must know the DN for each group.  
Find out the DN where you can query or view for all users and groups. This is the root bind DN for your directory, defined as rootDN, when you create a provider. The BIG-IQ system uses the root bind DN as a starting point when it searches for users and groups.  
Find the host IP address for the LDAP server. The default port is 389, if not specified otherwise, or 636 if SSL is enabled.  

Set up BIG-IQ to use your LDAP server for user authentication

Before you can set up BIG-IQ to authenticate users against your LDAP server, you have to specify your LDAP server settings on F5 BIG-IQ Centralized Management and perform all the tasks outlined in the section titled, Before integrating BIG-IQ with your LDAP server.

You can configure BIG-IQ to use one or more of your company's LDAP server(s) to authenticate users.

  1. At the top of the screen, click System.
  2. On the left, click USER MANAGEMENT > Auth Providers.
  3. Click the Add button.
  4. From the Provider Type list, select LDAP.
  5. In the Name field, type a name for this new provider.
    This must be a unique name, and can be a maximum of 152 characters.
  6. In the Host field, type the IP address of your LDAP server.
  7. For the Servers setting, type in the Port that your Active Directory server uses.
    If you want BIG-IQ to use an SSL port to communicate with your LDAP server, type port 636 , otherwise leave it at the default port, 389.
  8. From the SSL list, select how you want BIG-IQ to communicate with the LDAP server.
    • STARTTLS - Select this option to upgrade insecure connections to secure connections.
    • LDAPS - Select this option to use SSL for connections.
    • Disabled - Select this option to disable SSL.
  9. If your LDAP server does not allow anonymous binds, in the Bind User and Bind User Password fields, type the full distinguished names and passwords for users with query access.
  10. In the Root DN field, type the root context that contains users and groups.
    The root context must be a full distinguished name.
  11. For the Authentication Method setting, specify a method.
    • Simple - Select this option to require a user name and password for authentication.
    • None - Select this option to prompt the LDAP server to ignore the user name and password.
    Warning: No password authentication is used if you select None.
  12. For the Search Scope setting, select an option to specify the depth at which searches are made.
  13. In the Search Filter field, type the LDAP filter expression that determines how users are found.
    The search filter depends on your LDAP implementation.
  14. In the Connect Timeout field, type the number of milliseconds after which the BIG-IP system stops trying to connect to the LDAP server.
  15. In the Read Timeout field, type the number of seconds the BIG-IP system will wait for a response to a query.
  16. In the User Display Name Attribute field, type the LDAP field to use for the name that BIG-IQ displays.
    When using Active Directory, this is typically displayName.
  17. To direct bind to a distinguished name, in the User Bind Template field, type the name.
    For example, cn={username},ou=people,o=sevenSeas.
    Now, when a user logs in, BIG-IQ inserts the user name into the template in place of the token, and the resulting distinguished name is used to bind to the directory.
  18. To prompt the LDAP provider to search for groups based on a specific display name attribute, in the Group Display Name Attribute field, type an attribute.
    This attribute is typically cn.
  19. Leave the Group Search Filter at its default query to return all groups under the provided rootDN.
    Alternatively, if you have a large number of groups (more than 100), you can base the search on a specific term by typing a query with a {searchterm} token in this field.

    For example: (&(objectCategory=group)(cn={searchterm}*))

  20. To specify a query for finding a users group, in the Group Membership Filter field, type a query string.
    Use the token {userDN} anywhere that the user's distinguished name should be supplied in the LDAP query.

    You can use a {username} token as a substitute for the user’s login name in a query.

    Leave this setting at the default (|(member={username})(uniqueMember={username})) unless the provider is Active Directory.
  21. To specify a query attribute for finding users in a particular group, in the Group Membership User Attribute field, type the attribute.
    When using Active Directory, use memberof. For example: (memberOf=cn=group_name,ou=organizational_unit,dc=domain_component)
    For other LDAP directories, use groupMembershipFilter. For example: (groupMembership=cn=group_name,ou=organizational_unit,o=organization)
  22. Select the Perform Test check box to test this provider.
  23. Click the Save & Close button.

Add a BIG-IQ user authenticated by my RADIUS server and assign it a role

If you want to add a user authenticated against your RADIUS server, you first have to set up F5 BIG-IQ Centralized Management with your RADIUS server settings.
Once you understand exactly who you want to perform certain tasks, you can provide them access to particular areas of BIG-IQ by adding them as a user user and assigning the appropriate standardized role. You can assign as many roles as required to cover the user's responsibilities.
Important: You must associate this user with a RADIUS-authenticate role, or authentication will fail.
  1. At the top of the screen, click System.
  2. On the left, click USER MANAGEMENT > Users.
  3. Click the Add button.
  4. From the Auth Provider list, select RADIUS.
  5. In the User Name and Full Name fields, type the names for this user.

    The full name can contain a combination of symbols, letters, numbers and spaces.

  6. From the Available list, select each user role you want to associate it with this user, and move it to the Selected list.
    Important: Be sure to let your users know that their access to certain parts of the BIG-IQ user interface depends on which role they are assigned.
  7. Click the Save & Close button.

Create an LDAP-authenticated user group

Before you can add an LDAP-authenticated user group, you must set up BIG-IQ to use your company's LDAP server for user authentication (using the USER MANAGEMENT > Auth Providers screen).
You create a user group to offer a set of individual users authentication from the same LDAP server.
Important: If a user does not belong to an LDAP-authenticated user group, authentication will fail.
  1. At the top of the screen, click System.
  2. At the left, click USER MANAGEMENT > USER GROUPS.
    The User Groups screen opens.
  3. Click the Add button.
  4. In the Name field, type a name for this new user group.
  5. From the Auth Provider list, select LDAP.
  6. In the Remote Group Filter field, type a term to search for remote groups.
  7. In the Group DN field, type the domain name for this group.
  8. From the Roles list, select the user role that has the privileges you want to grant to this user group.
  9. Click the Save & Close button.
Table of Contents   |   Next Chapter >>

Was this resource helpful in solving your issue?

NOTE: Please do not provide personal information.

Additional Comments (optional)