---

@Yousaf.Shah wrote:

@stefanriem,

There are two types of 'Authenticators' that can be configured on the Traffic Manager

(1) Catalogs > Authenticators

Authenticators created in this manner can be accessed through the auth.query() function from within a TrafficScript rule. This rule can then be added to a virtual server handling the service to be authenticated.

As of version 11.1, this type of authenticator can support both SSL (aka SSL-wrapped LDAP aka LDAPS) and TLS (aka LDAP over StartTLS), but this can not be used for admin authentications.


(2) System > Users > Authenticators


This authenticator allows Traffic Manager Admin users to be authenticated using LDAP (as well as Radius and TACACS+)

But unfortunately it does not support SSL/startTLS (as of version 11.1), however you can work around it by creating a loopback virtual server and enable ssl encryption on the pool used by this loopback virtual server. The pool contains the real LDAP server(s).

Then in the ldap!server field of the authenticator use 127.0.0.1 so that it forwards the authentication requests to the local/loopback virtual server which will then forward it to the ldap servers configured in the pool. You can also use a Traffic IP instead of 127.0.0.1 for high availability (fault tolerance).


So the short answer is that Traffic Manager out-of-the-box does not suppport LDAP over SSL/startTLS for admin authentications but you can use the above (2) workaround to enable LDAPS

We have two RFEs to support LDAPS (VTM-11412) and LDAP TLS (VTM-13029). If you have access to your portal please raise a support case with us so that we can add your details/interest to the list of customers requesting these RFEs.

Hope this helps

Yousaf

---

Hi, i am interested in using the workaround you mention in point 2.  Is it possible to receive more informaiton about how to implement it or has anyone successfully implemented this and can provide advice?

thanks

As of 20.1 vTM now supports Encrypted LDAP (LDAPS and STARTTLS).