vADC Forum

Reply
Contributor
Posts: 22
Registered: ‎11-29-2012

LDAPS for Management Authentication

Hello,

 

I see that you can setup an LDAP authenticator for the vADC.  I haven't seen any settings to enable SSL.  Is it possible to use LDAPS for the authenticator? 

 

Thanks!

Contributor
Posts: 40
Registered: ‎03-26-2013

Re: LDAPS for Management Authentication

In an authenticator configuration:

 

 

Whether or not to enable SSL encryption to the LDAP server.
ldap!ssl:    Yes   /   No        

The type of LDAP SSL encryption to use.
ldap!ssl!type:     LDAPS  / Start TLS  

 

Contributor
Posts: 22
Registered: ‎11-29-2012

Re: LDAPS for Management Authentication

Is that based on license level? I don't see it at all. 

 

I've been through all the settings and just upgraded to 10.3 to be sure.

Contributor
Posts: 22
Registered: ‎11-29-2012

Re: LDAPS for Management Authentication

I found the options you were talking about.

 

If you go to Catalogs -> Authenticators  you see the options.

 

If you go to System -> Users -> Authenticators the LDAP options have nothing for SSL.

 

So the system supports it, but it doesn't look like it's an option for administrator authentication.

Contributor
Posts: 40
Registered: ‎03-26-2013

Re: LDAPS for Management Authentication

True, and this doesn't make much sense. Did you contact support?

Contributor
Posts: 22
Registered: ‎11-29-2012

Re: LDAPS for Management Authentication

Not yet, wanted to make sure I wasn't missing something first.  I'll open a ticket.

 

Thanks for your help!

New Member
Posts: 1
Registered: ‎12-02-2016

Re: LDAPS for Management Authentication

Hey, what happend to your ticket? Is there a solution for this? I have exactly the same problem on 10.3...

Brocadian
Posts: 2
Registered: ‎07-08-2013

Re: LDAPS for Management Authentication

[ Edited ]

@stefanriem,

There are two types of 'Authenticators' that can be configured on the Traffic Manager

(1) Catalogs > Authenticators

Authenticators created in this manner can be accessed through the auth.query() function from within a TrafficScript rule. This rule can then be added to a virtual server handling the service to be authenticated.

As of version 11.1, this type of authenticator can support both SSL (aka SSL-wrapped LDAP aka LDAPS) and TLS (aka LDAP over StartTLS), but this can not be used for admin authentications.


(2) System > Users > Authenticators


This authenticator allows Traffic Manager Admin users to be authenticated using LDAP (as well as Radius and TACACS+)

But unfortunately it does not support SSL/startTLS (as of version 11.1), however you can work around it by creating a loopback virtual server and enable ssl encryption on the pool used by this loopback virtual server. The pool contains the real LDAP server(s).

Then in the ldap!server field of the authenticator use 127.0.0.1 so that it forwards the authentication requests to the local/loopback virtual server which will then forward it to the ldap servers configured in the pool. You can also use a Traffic IP instead of 127.0.0.1 for high availability (fault tolerance).


So the short answer is that Traffic Manager out-of-the-box does not suppport LDAP over SSL/startTLS for admin authentications but you can use the above (2) workaround to enable LDAPS

We have two RFEs to support LDAPS (VTM-11412) and LDAP TLS (VTM-13029). If you have access to your portal please raise a support case with us so that we can add your details/interest to the list of customers requesting these RFEs.

Hope this helps

Yousaf

New Contributor
Posts: 3
Registered: ‎10-19-2016

Re: LDAPS for Management Authentication

Hello

 

Still not supported on 17.2 version

:smileysad:

 

A shame


Yousaf.Shah wrote:

@stefanriem,

There are two types of 'Authenticators' that can be configured on the Traffic Manager

(1) Catalogs > Authenticators

Authenticators created in this manner can be accessed through the auth.query() function from within a TrafficScript rule. This rule can then be added to a virtual server handling the service to be authenticated.

As of version 11.1, this type of authenticator can support both SSL (aka SSL-wrapped LDAP aka LDAPS) and TLS (aka LDAP over StartTLS), but this can not be used for admin authentications.


(2) System > Users > Authenticators


This authenticator allows Traffic Manager Admin users to be authenticated using LDAP (as well as Radius and TACACS+)

But unfortunately it does not support SSL/startTLS (as of version 11.1), however you can work around it by creating a loopback virtual server and enable ssl encryption on the pool used by this loopback virtual server. The pool contains the real LDAP server(s).

Then in the ldap!server field of the authenticator use 127.0.0.1 so that it forwards the authentication requests to the local/loopback virtual server which will then forward it to the ldap servers configured in the pool. You can also use a Traffic IP instead of 127.0.0.1 for high availability (fault tolerance).


So the short answer is that Traffic Manager out-of-the-box does not suppport LDAP over SSL/startTLS for admin authentications but you can use the above (2) workaround to enable LDAPS

We have two RFEs to support LDAPS (VTM-11412) and LDAP TLS (VTM-13029). If you have access to your portal please raise a support case with us so that we can add your details/interest to the list of customers requesting these RFEs.

Hope this helps

Yousaf


 

Occasional Contributor
Posts: 5
Registered: ‎04-03-2013

Re: LDAPS for Management Authentication

Agreed. I do not like that credentials are being passed in clear text. Is this something that will be addressed soon?

Join the Community

Get quick and easy access to valuable resource designed to help you manage your Brocade Network.

Click to Register
Download FREE NVMe eBook