Hello,
I see that you can set up an LDAP authenticator for the vADC. I haven't seen any settings to enable SSL. Is it possible to use LDAPS for the authenticator?
Thanks!
In an authenticator configuration:
ldap!ssl: Yes / No - Whether or not to enable SSL encryption to the LDAP server.
ldap!ssl!type: LDAPS / Start TLS - The type of LDAP SSL encryption to use.
Is that based on license level? I don't see it at all.
I've been through all the settings and just upgraded to 10.3 to be sure.
I found the options you were talking about.
If you go to Catalogs -> Authenticators you see the options.
If you go to System -> Users -> Authenticators the LDAP options have nothing for SSL.
So the system supports it, but it doesn't look like it's an option for administrator authentication.
True, and this doesn't make much sense. Did you contact support?
Not yet, wanted to make sure I wasn't missing something first. I'll open a ticket.
Thanks for your help!
Hey, what happened to your ticket? Is there a solution for this? I have exactly the same problem on 10.3...
@stefanriem,
There are two types of 'Authenticators' that can be configured on the Traffic Manager:
(1) Catalogs > Authenticators
Authenticators created in this manner can be accessed through the auth.query() function from within a TrafficScript rule. This rule can then be added to a virtual server handling the service to be authenticated.
As of version 11.1, this type of authenticator can support both SSL (aka SSL-wrapped LDAP aka LDAPS) and TLS (aka LDAP over StartTLS), but this can not be used for admin authentications.
(2) System > Users > Authenticators
This authenticator allows Traffic Manager Admin users to be authenticated using LDAP (as well as RADIUS and TACACS+).
But unfortunately it does not support SSL/StartTLS (as of version 11.1); however, you can work around it by creating a loopback virtual server and enabling SSL encryption on the pool used by this loopback virtual server. The pool contains the real LDAP server(s).
Then in the ldap!server field of the authenticator use 127.0.0.1 so that it forwards the authentication requests to the local/loopback virtual server which will then forward it to the ldap servers configured in the pool. You can also use a Traffic IP instead of 127.0.0.1 for high availability (fault tolerance).
So the short answer is that Traffic Manager out-of-the-box does not support LDAP over SSL/StartTLS for admin authentications, but you can use the above (2) workaround to enable LDAPS.
We have two RFEs to support LDAPS (VTM-11412) and LDAP TLS (VTM-13029). If you have access to your portal please raise a support case with us so that we can add your details/interest to the list of customers requesting these RFEs.
Hope this helps
Yousaf
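The workaround above is easy to get subtly wrong: the admin authenticator itself has no SSL switch, so the bind is only protected if ldap!server really points at a local virtual server whose pool has SSL encryption turned on. The following is an added example (not code from the thread, from Pulse/Brocade, or from the product) that audits a modelled configuration for exactly that chain. The keys ldap!server, ldap!ssl and ldap!ssl!type come from the thread; the virtual-server keys listen_on/port/pool and the pool keys nodes/ssl_encrypt are hypothetical names chosen for the example, and the sample configuration is constructed.

```python
"""Audit Traffic Manager admin LDAP authenticators for cleartext binds.

Added example, not from the thread or the vendor. It checks the workaround
from Yousaf's answer: System > Users > Authenticators has no SSL option, so an
admin authenticator only avoids a cleartext LDAP bind if its ldap!server points
at 127.0.0.1 (or a Traffic IP) where a loopback virtual server forwards to a
pool of real LDAP servers with SSL encryption enabled on the pool.

Assumptions: objects are plain dicts. ldap!server is the key named in the
thread; 'listen_on', 'port', 'pool', 'nodes' and 'ssl_encrypt' are hypothetical
key names for this example, not verified product configuration keys.
"""
from dataclasses import dataclass

LOOPBACK = {"127.0.0.1", "localhost"}


@dataclass(frozen=True)
class Finding:
    authenticator: str
    status: str   # "encrypted", "cleartext", "misconfigured" or "n/a"
    detail: str


def parse_server(server: str, default_port: int = 389) -> tuple[str, int]:
    """Split 'host' or 'host:port' into (host, port); IPv4/hostnames only."""
    host, sep, port = server.rpartition(":")
    if not sep or not port.isdigit():
        return server, default_port
    return host, int(port)


def audit_admin_authenticator(name, auth, vservers, pools, traffic_ips=frozenset()):
    """Report whether this admin authenticator's bind leaves the box encrypted."""
    if auth.get("type", "ldap") != "ldap":
        return Finding(name, "n/a", "not an LDAP authenticator")
    host, port = parse_server(auth["ldap!server"])

    # Admin authenticators cannot enable SSL themselves, so anything not routed
    # through a local virtual server is a plain LDAP bind on the wire.
    if host not in LOOPBACK and host not in traffic_ips:
        return Finding(name, "cleartext", f"binds directly to {host}:{port}")

    # Locate the loopback virtual server the authenticator is pointed at.
    vs_name = next((n for n, v in vservers.items()
                    if int(v["port"]) == port and host in v["listen_on"]), None)
    if vs_name is None:
        return Finding(name, "misconfigured", f"nothing listens on {host}:{port}")

    pool_name = vservers[vs_name]["pool"]
    pool = pools.get(pool_name)
    if pool is None:
        return Finding(name, "misconfigured", f"{vs_name} uses unknown pool {pool_name}")
    # The loopback hop only helps if the pool re-encrypts towards the real servers.
    if pool.get("ssl_encrypt", "No").lower() != "yes":
        return Finding(name, "cleartext", f"{vs_name} forwards to {pool_name} without ssl_encrypt")
    return Finding(name, "encrypted",
                   f"via {vs_name} -> {pool_name} ({', '.join(pool['nodes'])})")


def audit_all(authenticators, vservers, pools, traffic_ips=frozenset()):
    return [audit_admin_authenticator(n, a, vservers, pools, traffic_ips)
            for n, a in authenticators.items()]


# Constructed sample configuration; not taken from any real deployment.
SAMPLE_VSERVERS = {
    "ldaps-loopback": {"listen_on": ["127.0.0.1", "10.0.0.50"], "port": 389,
                       "pool": "ldap-pool"},
    "plain-loopback": {"listen_on": ["127.0.0.1"], "port": 3389,
                       "pool": "ldap-plain"},
}
SAMPLE_POOLS = {
    "ldap-pool": {"nodes": ["ldap1.example.test:636", "ldap2.example.test:636"],
                  "ssl_encrypt": "Yes"},
    "ldap-plain": {"nodes": ["ldap1.example.test:389"], "ssl_encrypt": "No"},
}
SAMPLE_AUTHENTICATORS = {
    "direct": {"type": "ldap", "ldap!server": "ldap1.example.test"},
    "via-loopback": {"type": "ldap", "ldap!server": "127.0.0.1:389"},
    "via-tip": {"type": "ldap", "ldap!server": "10.0.0.50"},
    "via-plain-pool": {"type": "ldap", "ldap!server": "127.0.0.1:3389"},
    "dangling": {"type": "ldap", "ldap!server": "127.0.0.1:3890"},
}

if __name__ == "__main__":
    for f in audit_all(SAMPLE_AUTHENTICATORS, SAMPLE_VSERVERS, SAMPLE_POOLS,
                       traffic_ips={"10.0.0.50"}):
        print(f"{f.authenticator:15} {f.status:14} {f.detail}")
```

The "via-plain-pool" and "dangling" cases are the ones worth watching for in a real review: a loopback virtual server whose pool lacks SSL encryption gives the appearance of the workaround while still sending admin credentials in the clear, and a port mismatch simply breaks admin logins.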
Hello
Still not supported on 17.2 version
A shame
@Yousaf.Shah wrote:
@stefanriem,
There are two types of 'Authenticators' that can be configured on the Traffic Manager:
(1) Catalogs > Authenticators
Authenticators created in this manner can be accessed through the auth.query() function from within a TrafficScript rule. This rule can then be added to a virtual server handling the service to be authenticated.
As of version 11.1, this type of authenticator can support both SSL (aka SSL-wrapped LDAP aka LDAPS) and TLS (aka LDAP over StartTLS), but this can not be used for admin authentications.
(2) System > Users > Authenticators
This authenticator allows Traffic Manager Admin users to be authenticated using LDAP (as well as RADIUS and TACACS+).
But unfortunately it does not support SSL/StartTLS (as of version 11.1); however, you can work around it by creating a loopback virtual server and enabling SSL encryption on the pool used by this loopback virtual server. The pool contains the real LDAP server(s).
Then in the ldap!server field of the authenticator use 127.0.0.1 so that it forwards the authentication requests to the local/loopback virtual server which will then forward it to the ldap servers configured in the pool. You can also use a Traffic IP instead of 127.0.0.1 for high availability (fault tolerance).
So the short answer is that Traffic Manager out-of-the-box does not support LDAP over SSL/StartTLS for admin authentications, but you can use the above (2) workaround to enable LDAPS.
We have two RFEs to support LDAPS (VTM-11412) and LDAP TLS (VTM-13029). If you have access to your portal please raise a support case with us so that we can add your details/interest to the list of customers requesting these RFEs.
Hope this helps
Yousaf
Agreed. I do not like that credentials are being passed in clear text. Is this something that will be addressed soon?