Hello @fredjackson / All,
I checked into this inquiry again and received this back from a TAC representative:
"There are existing Requests For Enhancement (RFE) to add this into the product. As per the post above, the IDs are: VTM-11412 and VTM-13029. The Sales Organization tracks, evaluates, and prioritizes RFE records over time. As such, your Account Team (Region Sales Engineer or Territory Manager) is the best place to follow along with future progress on an RFE."
Brocade Community Team
There are two types of 'Authenticators' that can be configured on the Traffic Manager.
(1) Catalogs > Authenticators
Authenticators created in this manner can be accessed through the auth.query() function from within a TrafficScript rule. This rule can then be added to a virtual server handling the service to be authenticated.
As of version 11.1, this type of authenticator can support both SSL (aka SSL-wrapped LDAP aka LDAPS) and TLS (aka LDAP over StartTLS), but this cannot be used for admin authentications.
(2) System > Users > Authenticators
This authenticator allows Traffic Manager Admin users to be authenticated using LDAP (as well as Radius and TACACS+).
But unfortunately it does not support SSL/StartTLS (as of version 11.1); however, you can work around it by creating a loopback virtual server and enabling SSL encryption on the pool used by this loopback virtual server. The pool contains the real LDAP server(s).
Then in the ldap!server field of the authenticator use 127.0.0.1 so that it forwards the authentication requests to the local/loopback virtual server, which will then forward them to the LDAP servers configured in the pool. You can also use a Traffic IP instead of 127.0.0.1 for high availability (fault tolerance).
So the short answer is that Traffic Manager out-of-the-box does not support LDAP over SSL/StartTLS for admin authentications, but you can use the above (2) workaround to enable LDAPS.
We have two RFEs to support LDAPS (VTM-11412) and LDAP TLS (VTM-13029). If you have access to your portal please raise a support case with us so that we can add your details/interest to the list of customers requesting these RFEs.
Hope this helps
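The workaround from (2), written out as an added example that is not part of the thread or of the vTM product: it builds the SSL-enabled pool and the loopback virtual server as REST-style JSON documents and then checks that the admin authenticator really points at the loopback hop and that the pool encrypts and verifies the upstream connection. The property names under "properties" are assumptions modelled on the vTM REST API and must be checked against the API reference for your version.

```python
"""Construct and sanity-check the loopback LDAPS workaround (added example, assumed schema)."""

LOOPBACK = "127.0.0.1"


def build_ldap_pool(ldap_servers, name="ldaps-pool"):
    """Pool holding the real LDAP server(s); traffic towards them is SSL-encrypted."""
    nodes = [{"node": f"{host}:636", "state": "active"} for host in ldap_servers]
    return name, {"properties": {
        "basic": {"nodes_table": nodes},
        # strict_verify (assumed property name) so the hop cannot be redirected
        # to a forged LDAP server presenting an arbitrary certificate.
        "ssl": {"enable": True, "strict_verify": True},
    }}


def build_loopback_vs(pool_name, port=389, name="ldap-loopback"):
    """Virtual server that accepts plaintext LDAP locally and forwards it to the pool."""
    return name, {"properties": {"basic": {
        "enabled": True, "port": port, "protocol": "stream", "pool": pool_name}}}


def authenticator_target(port=389, traffic_ip=None):
    """Value for the admin authenticator's ldap!server field (127.0.0.1 or a Traffic IP)."""
    return f"{traffic_ip or LOOPBACK}:{port}"


def check_workaround(pool, vs, ldap_server, traffic_ips=()):
    """Return a list of problems; empty means admin LDAP credentials leave vTM encrypted."""
    problems = []
    ssl = pool["properties"].get("ssl", {})
    if not ssl.get("enable"):
        problems.append("pool does not SSL-encrypt traffic to the LDAP servers")
    if not ssl.get("strict_verify"):
        problems.append("pool does not verify the LDAP server certificate")
    host, _, port = ldap_server.rpartition(":")
    if host not in (LOOPBACK, *traffic_ips):
        problems.append("authenticator bypasses the loopback virtual server")
    if not port.isdigit() or int(port) != vs["properties"]["basic"]["port"]:
        problems.append("authenticator port does not match the loopback virtual server")
    return problems


if __name__ == "__main__":
    # Constructed sample: one internal LDAP server behind the loopback hop.
    pool_name, pool = build_ldap_pool(["ldap1.example.internal"])
    _, vs = build_loopback_vs(pool_name)
    print(check_workaround(pool, vs, authenticator_target()) or "workaround OK")
```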
Hi, I am interested in using the workaround you mention in point 2. Is it possible to receive more information about how to implement it, or has anyone successfully implemented this and can provide advice?
As of 20.1 vTM now supports Encrypted LDAP (LDAPS and STARTTLS).