24 October 2012

F5 BIG-IP LTM User delegation Part I - AD authentication

To be able to delegate control over certain portions of your BIG-IP LTM environment you need to create additional users and additional partitions.  Being able to use existing Active Directory users and groups makes this much simpler.

Step 1 Service Account

For the BIG-IP to bind to Active Directory you need to provide a valid domain account. I suggest creating a service account for this before proceeding.

Step 2 LDAP strings

Before you start the configuration you will need some information that you will most probably have to look up using ADSI Edit on a domain controller.


  • Start the ADSI Edit application
  • Right-click ADSI Edit and select Connect to...
  • Click OK

You should now be able to browse the directory.


  • Locate the service account created earlier
  • Right-click the account and select Properties
  • In the Attribute Editor scroll until you find the field distinguishedName
  • Copy the whole string and paste it into Notepad.  This is your user string, to be used later.

It should look something like this:
CN=Etienne Liebetrau,OU=Division,OU=ITS,DC=mydomain,DC=co,DC=za

  • Select the top domain level
  • Right-click it and select Properties
  • In the Attribute Editor scroll until you find the field distinguishedName
  • Copy the whole string and paste it into Notepad.  This is your Directory Tree string, to be used later.

It should look something like this:
DC=mydomain,DC=co,DC=za
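Before typing the two strings into the BIG-IP form it is worth checking that they actually belong together (a paste from the wrong domain, a stray quote, or a truncated copy is easy to miss). The script below is an added example, not part of the original post or an F5 tool: it parses the DNs the way RFC 4514 defines them (splitting on unescaped commas), confirms the Directory Tree string is a plain domain root, and confirms the service account DN sits inside that tree. The sample DNs are the ones shown above; nothing here talks to Active Directory.

```python
"""Sanity-check the two DN strings copied from ADSI Edit.
Added example; the DNs below are the ones the post shows."""

from __future__ import annotations

# Sample values copied from the post's Step 2 output (constructed test data)
BIND_DN = "CN=Etienne Liebetrau,OU=Division,OU=ITS,DC=mydomain,DC=co,DC=za"
DIRECTORY_TREE = "DC=mydomain,DC=co,DC=za"


def split_rdns(dn: str) -> list[str]:
    """Split a DN into RDNs on commas that are not escaped with a backslash.
    A value such as 'Smith\\, John' therefore stays in one piece."""
    rdns, current, escaped = [], [], False
    for ch in dn:
        if escaped:                      # char after a backslash is literal
            current.append(ch)
            escaped = False
        elif ch == "\\":
            current.append(ch)
            escaped = True
        elif ch == ",":
            rdns.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
    rdns.append("".join(current).strip())
    return rdns


def parse_dn(dn: str) -> list[tuple[str, str]]:
    """Return [(ATTRIBUTE, value), ...] for a DN; attribute types are upper-cased.
    Raises ValueError for an RDN without '=' so a bad paste fails early."""
    pairs = []
    for rdn in split_rdns(dn):
        if "=" not in rdn:
            raise ValueError(f"not an attribute=value RDN: {rdn!r}")
        attr, value = rdn.split("=", 1)
        pairs.append((attr.strip().upper(), value.strip()))
    return pairs


def _normalize(pairs: list[tuple[str, str]]) -> list[tuple[str, str]]:
    """AD matches DN values case-insensitively, so compare casefolded values."""
    return [(attr, value.casefold()) for attr, value in pairs]


def is_under_tree(dn: str, tree: str) -> bool:
    """True if `dn` is at or below `tree`: the trailing RDNs of `dn`
    must equal the RDNs of `tree`."""
    dn_rdns, tree_rdns = _normalize(parse_dn(dn)), _normalize(parse_dn(tree))
    if len(tree_rdns) > len(dn_rdns):
        return False
    return dn_rdns[len(dn_rdns) - len(tree_rdns):] == tree_rdns


def check_remote_auth_strings(bind_dn: str, tree: str) -> list[str]:
    """Return a list of problems with the strings destined for the
    Step 3 form; an empty list means they look consistent."""
    problems = []
    try:
        bind_rdns = parse_dn(bind_dn)
        tree_rdns = parse_dn(tree)
    except ValueError as exc:
        return [str(exc)]
    if bind_rdns[0][0] != "CN":
        problems.append("Bind DN does not start with CN=: is this the service account?")
    if any(attr != "DC" for attr, _ in tree_rdns):
        problems.append("Remote Directory Tree is not a domain root (non-DC component present)")
    if not is_under_tree(bind_dn, tree):
        problems.append("Bind DN is not inside the Remote Directory Tree (pasted from a different domain?)")
    return problems


if __name__ == "__main__":
    issues = check_remote_auth_strings(BIND_DN, DIRECTORY_TREE)
    print("OK" if not issues else "\n".join(issues))
```

The check that the Bind DN lies under the Directory Tree is a sanity check rather than a BIG-IP requirement; what the BIG-IP actually needs is that the users you want to log in can be found by a Sub-scope search from that tree.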


Step 3 Set Authentication type

From the main screen select
System - Users - Authentication

For User Directory:  Remote - Active Directory
Host:  one of your domain controllers
Port:  389
Remote Directory Tree:  the domain string from Notepad
Scope:  Sub
Bind DN:  the user string from Notepad

User Template:  can be left blank
Check Member Attribute in Group:  needs to be checked
SSL:  Disabled

External Users
Role: No Access
Partition Access: Disabled

That's all there is to it.  This section covers authentication, but you have not yet specified any authorisation.

The next step is to create administrative partitions - check out Part II: http://fixmyitsystem.com/2012/10/f5-big-ip-ltm-user-delegation-part-ii.html

3 comments:

Sachin Sapkal said...

Excellent document. Thanks!!

Pacific moderate said...

I expect that leaving SSL disabled is going to result in sending the user's password in cleartext between the BIG-IP and the domain controller/LDAP server. LDAP simple binds without SSL are unencrypted.
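As an added illustration of the point raised in the comment above (this code is not from the post, the commenter, or F5), the script below BER-encodes an LDAPv3 BindRequest the way RFC 4511 specifies it, which is what any LDAP client sends for a simple bind, and then parses the frame back the way a protocol analyzer would. With SSL disabled on port 389 those bytes go over the network as-is, so the bind DN and the service account password are both readable in the frame. The credentials are constructed sample values; nothing is sent anywhere.

```python
"""LDAPv3 simple bind on the wire, without SSL.  Added example, built from
constructed sample values; no network access."""

from __future__ import annotations

# Constructed sample credentials; the DN is the one shown in the post
BIND_DN = "CN=Etienne Liebetrau,OU=Division,OU=ITS,DC=mydomain,DC=co,DC=za"
PASSWORD = "S3rv1ceAcc0unt!"


def ber_len(n: int) -> bytes:
    """Definite-form BER length: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, content: bytes) -> bytes:
    """One BER tag-length-value element."""
    return bytes([tag]) + ber_len(len(content)) + content


def simple_bind_request(message_id: int, dn: str, password: str) -> bytes:
    """LDAPMessage { messageID, BindRequest { version 3, name, simple pw } }.
    message_id is kept below 128 so the INTEGER fits in one byte."""
    bind = (
        tlv(0x02, bytes([3]))                    # version INTEGER 3
        + tlv(0x04, dn.encode("utf-8"))          # name LDAPDN (OCTET STRING)
        + tlv(0x80, password.encode("utf-8"))    # authentication simple [0]
    )
    return tlv(0x30, tlv(0x02, bytes([message_id])) + tlv(0x60, bind))


def read_tlv(buf: bytes, pos: int) -> tuple[int, bytes, int]:
    """Return (tag, content, next_pos) for the element starting at buf[pos]."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:                             # long-form length
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length


def dissect_bind(frame: bytes) -> dict:
    """Extract the fields a protocol analyzer such as Wireshark shows for
    a BindRequest; for a simple bind the password is one of them."""
    tag, msg, _ = read_tlv(frame, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, mid, pos = read_tlv(msg, 0)
    tag, bind, _ = read_tlv(msg, pos)
    if tag != 0x60:
        raise ValueError("not a BindRequest")
    _, version, pos = read_tlv(bind, 0)
    _, name, pos = read_tlv(bind, pos)
    auth_tag, cred, _ = read_tlv(bind, pos)
    simple = auth_tag == 0x80
    return {
        "message_id": int.from_bytes(mid, "big"),
        "version": int.from_bytes(version, "big"),
        "name": name.decode("utf-8"),
        "auth": "simple" if simple else "sasl",
        "password": cred.decode("utf-8") if simple else None,
    }


def password_on_the_wire(frame: bytes, password: str) -> bool:
    """True when the raw frame contains the password unchanged, which is
    the case for every simple bind sent without SSL/TLS."""
    return password.encode("utf-8") in frame


if __name__ == "__main__":
    frame = simple_bind_request(1, BIND_DN, PASSWORD)
    print(dissect_bind(frame))
    print("password visible in frame:", password_on_the_wire(frame, PASSWORD))
```

The mitigation on the BIG-IP side is the SSL setting in the same form (with the port changed to 636 and the domain controller's certificate trusted); on the directory side, Active Directory can be configured to reject simple binds that arrive without signing or TLS, which turns a misconfigured client into a failed login rather than a leaked credential.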

Paul Fleming said...

Instead of using ADSI Edit, you can get the DN using the command line:
dsquery user -samid <username>
