F5 Big-IP LDAP Auth with FreeIPA

By | 2016/03/07

Here is how to configure an F5 Big-IP device to use LDAP auth with FreeIPA!

FreeIPA Bind User

This guide uses a read-only user created in FreeIPA to be used as the bind user.

If you do not have a bind user yet for LDAP auth, first create a new permission called Read Only Admin under IPA Server > Role Based Access Control > Permissions > .

In the permission settings, only select these three rights:

Granted rights: [x]read [x]search [x]compare  

Leave the rest unchecked.

Other entries:

Subtree: dc=example,dc=com 

TargetDN: dc=example,dc=com

Next, you will have to make a Privilege called Read Only LDAP Auth.

And finally a Role called readonly.

One that is setup, you can create a read only user and assign that user the role of ‘readonly’.

whew. This should really be an available default role.

F5 LDAP Config

Below is an example config for the F5 Big IP to work with FreeIPA.

The Remote Role Groups can obviously be edited as desired. In this example, any FreeIPA users in the group sysadmin are granted Administrator role in the F5.

My bind user has the username: readonly

Web interface:

System > Users > Authentication

User Directory: Remote - LDAP
Host: ipa.example.com
Port: 636
Remote Directory Tree: cn=users,cn=accounts,dc=example,dc=com
Scope: Sub
Bind DN: uid=readonly,cn=users,cn=accounts,dc=example,dc=com
Password: xxxxxxxxxxxxxxxxxxxxxxxx

User Template: uid=%s,cn=users,cn=accounts,dc=example,dc=com
Check Member Attribute in Group [x]
SSL: Enabled

SSL CA Certificate: None
SSL Client Key: None
SSL Client Certificate: None
Login LDAP Attribute	uid

External Users
Role: No Access
Partition Access: Common
Terminal Access: Disabled

Remote Role Groups:

Group name: sysadmin
Line Order: 1001
Attribute String:
Assigned Role: Administrator

Group name: development
Line Order: 1002
Attribute String:
Assigned Role: Manager