Here is how to configure an F5 Big-IP device to use LDAP auth with FreeIPA!
FreeIPA Bind User
This guide uses a read-only user created in FreeIPA to be used as the bind user.
If you do not have a bind user yet for LDAP auth, first create a new permission called Read Only Admin under IPA Server > Role Based Access Control > Permissions.
In the permission settings, only select these three rights:
Granted rights: [x] read [x] search [x] compare
Leave the rest unchecked.
Subtree: dc=example,dc=com
Target DN: dc=example,dc=com
Next, you will have to make a Privilege called Read Only LDAP Auth.
And finally a Role called readonly.
Once that is set up, you can create a read-only user and assign that user the role of 'readonly'.
Whew. This should really be an available default role.
F5 LDAP Config
Below is an example config for the F5 Big-IP to work with FreeIPA.
The Remote Role Groups can obviously be edited as desired. In this example, any FreeIPA users in the group sysadmin are granted Administrator role in the F5.
My bind user has the username: readonly
System > Users > Authentication
User Directory: Remote - LDAP
Host: ipa.example.com
Port: 636
Remote Directory Tree: cn=users,cn=accounts,dc=example,dc=com
Scope: Sub
Bind DN: uid=readonly,cn=users,cn=accounts,dc=example,dc=com
Password: xxxxxxxxxxxxxxxxxxxxxxxx
User Template: uid=%s,cn=users,cn=accounts,dc=example,dc=com
Check Member Attribute in Group: [x]
SSL: Enabled
SSL CA Certificate: None
SSL Client Key: None
SSL Client Certificate: None
Login LDAP Attribute: uid
External Users Role: No Access
Partition Access: Common
Terminal Access: Disabled

Remote Role Groups:
Group name: sysadmin
Line Order: 1001
Attribute String: memberOf=cn=sysadmin,cn=groups,cn=accounts,dc=example,dc=com
Assigned Role: Administrator

Group name: development
Line Order: 1002
Attribute String: memberOf=cn=development,cn=groups,cn=accounts,dc=example,dc=com
Assigned Role: Manager
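As an added illustration (not part of the original post and not F5 code), the following Python models how the Big-IP turns the User Template and Remote Role Groups above into a role for a logged-in user. The directory contents, the user names, and the assumption that a lower Line Order takes precedence are mine, not from the post.

```python
import re

# Values copied from the F5 configuration above.
USER_TEMPLATE = "uid=%s,cn=users,cn=accounts,dc=example,dc=com"
EXTERNAL_USERS_ROLE = "No Access"
REMOTE_ROLE_GROUPS = [  # evaluated in ascending Line Order (assumed precedence)
    {"line_order": 1001, "role": "Administrator",
     "attribute": "memberOf=cn=sysadmin,cn=groups,cn=accounts,dc=example,dc=com"},
    {"line_order": 1002, "role": "Manager",
     "attribute": "memberOf=cn=development,cn=groups,cn=accounts,dc=example,dc=com"},
]

# Constructed stand-in for the FreeIPA tree (DN -> attributes); not real data.
SYSADMIN = "cn=sysadmin,cn=groups,cn=accounts,dc=example,dc=com"
DEVELOPMENT = "cn=development,cn=groups,cn=accounts,dc=example,dc=com"
DIRECTORY = {
    "uid=alice,cn=users,cn=accounts,dc=example,dc=com": {"memberOf": [SYSADMIN, DEVELOPMENT]},
    "uid=bob,cn=users,cn=accounts,dc=example,dc=com": {"memberOf": [DEVELOPMENT]},
    "uid=carol,cn=users,cn=accounts,dc=example,dc=com": {"memberOf": []},
    SYSADMIN: {"member": ["uid=alice,cn=users,cn=accounts,dc=example,dc=com"]},
    DEVELOPMENT: {"member": ["uid=alice,cn=users,cn=accounts,dc=example,dc=com",
                             "uid=bob,cn=users,cn=accounts,dc=example,dc=com"]},
}


def user_dn(username):
    """Expand the User Template; reject names that could alter the DN structure."""
    if not re.fullmatch(r"[A-Za-z0-9_.-]+", username):
        return None
    return USER_TEMPLATE % username


def assign_role(username, directory=DIRECTORY, check_member_attribute=False):
    """Return the Big-IP role for username, or None if the user cannot be found."""
    dn = user_dn(username)
    entry = directory.get(dn) if dn else None
    if entry is None:
        return None  # unknown user: login fails before any role is considered
    for grp in sorted(REMOTE_ROLE_GROUPS, key=lambda g: g["line_order"]):
        attr, _, group_dn = grp["attribute"].partition("=")
        if check_member_attribute:
            # "Check Member Attribute in Group": look for the user's DN in the group entry
            group = directory.get(group_dn, {})
            matched = dn.lower() in (m.lower() for m in group.get("member", []))
        else:
            matched = group_dn.lower() in (v.lower() for v in entry.get(attr, []))
        if matched:
            return grp["role"]
    return EXTERNAL_USERS_ROLE  # in no listed group: External Users Role applies
```

The model says nothing about the TLS side: with SSL CA Certificate left at None the Big-IP has no CA to validate the ipa.example.com certificate against, so loading the FreeIPA CA there is worth doing.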