MichaelatF5
May 06, 2014 · Employee
First, just a note: when you get locked out while testing this solution (a bad chain or OCSP check with ssl-verify-client set to require blocks the GUI entirely), you can run the following from an SSH or console session: tmsh modify auth cert-ldap system-auth sso off
This will let you log back in as admin with a password. Turn sso back on once the certificate setup is working.
Next, there are some bugs being tracked with configuring this through the GUI. You can configure it using TMSH in the interim. Below are the settings I had to use to accomplish this with TMSH on 11.4. I am configuring this now on 11.5.1 and will update as I discover more.
Note: You absolutely HAVE to have a remote role group configured.
Note 2: If you are using the Windows OCSP responder, enable NONCE support on it.
Note 3: Currently, you absolutely HAVE to use OCSP for the revocation check.
# Certificate-to-LDAP mapping used for client-certificate login to the
# management GUI. The name extracted from the presented certificate is
# looked up in AD to confirm the account exists and to resolve its role.
auth cert-ldap system-auth {
# Service account used to query the directory. Shares the bind-dn/bind-pw
# and server with the "auth ldap system-auth" stanza below.
bind-dn "CN=LDAP Query,OU=Service Accounts,DC=alpha,DC=domain,DC=local"
# Stored (on-box encrypted, $M$ prefix) form of the bind password - still
# credential material for a real AD account; redact before sharing configs.
bind-pw $M$zk$MD/aIzNEVYJyFuwhtuZz/Q==
# Role comes from remote role group membership; per the note above, a remote
# role group must exist or login fails.
check-roles-group enabled
# AD attribute the extracted login name is matched against.
login-attribute sAMAccountName
# Regex applied to the value taken from the certificate; it is escaped for
# tmsh here, the effective pattern is presumably [a-zA-Z0-9]\w*(?=@), i.e.
# the part before the "@" of a user@REALM value - confirm on the box.
login-filter [a-zA-Z0-9]\\w*(\?=@)
# Take the login value from the Subject Alternative Name otherName field
# (typically the UPN in an AD-issued user certificate).
login-name altSubjectName=Othername
search-base-dn DC=alpha,DC=domain,DC=local
# Directory server queried (address redacted by the author).
servers { xxx.xxx.3.22 }
# Certificate single sign-on enabled. "sso off" is the documented recovery
# switch when the cert path locks you out of the GUI.
sso on
}
# LDAP remote-authentication settings. Uses the same query account, server
# and search base as the cert-ldap stanza above; keep the two in step.
auth ldap system-auth {
bind-dn "CN=LDAP Query,OU=Service Accounts,DC=alpha,DC=domain,DC=local"
# Stored (on-box encrypted) bind password - treat as a secret when pasting
# configuration anywhere public.
bind-pw $M$zk$MD/aIzNEVYJyFuwhtuZz/Q==
# Role assignment via remote role groups (a remote role group is required).
check-roles-group enabled
login-attribute sAMAccountName
search-base-dn DC=alpha,DC=domain,DC=local
# Directory server queried (address redacted by the author).
servers { xxx.xxx.3.22 }
# The entered login name replaces %s, presumably to form the UPN the
# directory expects - the realm here must match the AD domain.
user-template %s@ALPHA.DOMAIN.LOCAL
}
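# Management web server (GUI / iControl) settings for client-certificate
# login. Only the ssl-* lines drive certificate authentication; the rest are
# shown as captured and appear to be defaults.
sys httpd {
    # Source addresses allowed to reach the management web server. "All"
    # means any address: with ssl-verify-client set to require, the client
    # certificate is the only gate, so narrow this to the management
    # network(s) once certificate login is working.
    allow { All }
    auth-name BIG-IP
    auth-pam-dashboard-timeout off
    # Idle session timeout (presumably seconds, i.e. 20 minutes).
    auth-pam-idle-timeout 1200
    # Bind a web session to the client address it was created from.
    auth-pam-validate-ip on
    description none
    fastcgi-timeout 300
    hostname-lookup off
    include none
    log-level warn
    max-clients 10
    # Plain-HTTP requests are not redirected to HTTPS; consider enabling.
    redirect-http-to-https disabled
    request-body-max-timeout 0
    request-body-min-rate 500
    request-body-timeout 60
    request-header-max-timeout 40
    request-header-min-rate 500
    request-header-timeout 20
    # CA chain the client certificate must chain to, verified up to
    # ssl-verify-depth levels.
    ssl-ca-cert-file /Common/COLEHOME_CA_Chain
    ssl-certchainfile none
    # Server certificate and key presented by the management GUI itself.
    ssl-certfile /etc/httpd/conf/ssl.crt/server.crt
    ssl-certkeyfile /etc/httpd/conf/ssl.key/server.key
    # Cipher list for the management GUI. The captured value ended in
    # "RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2"; a leading "+" only reorders, so
    # RC4, LOW-strength and SSLv2-era suites were still offered. "!" removes a
    # class permanently: RC4, LOW, SSLv2 and anonymous suites are now
    # excluded. This is independent of certificate login and can be tuned
    # further on its own.
    ssl-ciphersuite ALL:!ADH:!aNULL:!EXPORT:!eNULL:!MD5:!DES:!RC4:!LOW:!SSLv2:+HIGH:+MEDIUM
    ssl-include none
    # OCSP responder used for every client certificate. With
    # override-responder on, this URL is presumably used instead of the AIA
    # URL embedded in the certificate - confirm. Plain http is normal for
    # OCSP since responses are signed. See Note 2 about NONCE when this is a
    # Windows responder.
    ssl-ocsp-default-responder http://192.168.3.22/ocsp
    ssl-ocsp-enable on
    ssl-ocsp-override-responder on
    # -1 presumably means no upper bound on the age of an accepted OCSP
    # response (mod_ssl semantics), so an old "good" answer is still honoured;
    # 300 is the allowed clock skew in seconds. Consider a bounded max-age
    # once the basic flow works - confirm against the release docs.
    ssl-ocsp-response-max-age -1
    ssl-ocsp-response-time-skew 300
    # A valid client certificate is mandatory. If the chain or OCSP check
    # fails you are locked out of the GUI; recover from SSH/console with
    # "tmsh modify auth cert-ldap system-auth sso off".
    ssl-verify-client require
    ssl-verify-depth 10
}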