01-14-2016 01:32 PM
I see that you can setup an LDAP authenticator for the vADC. I haven't seen any settings to enable SSL. Is it possible to use LDAPS for the authenticator?
01-15-2016 06:32 AM
In an authenticator configuration:
ldap!ssl: Yes / No - Whether or not to enable SSL encryption to the LDAP server.
ldap!ssl!type: LDAPS / Start TLS - The type of LDAP SSL encryption to use.
01-18-2016 01:53 PM
I found the options you were talking about.
If you go to Catalogs -> Authenticators you see the options.
If you go to System -> Users -> Authenticators the LDAP options have nothing for SSL.
So the system supports it, but it doesn't look like it's an option for administrator authentication.
12-09-2016 01:51 PM - edited 12-09-2016 01:54 PM
There are two types of 'Authenticators' that can be configured on the Traffic Manager
(1) Catalogs > Authenticators
Authenticators created in this manner can be accessed through the auth.query() function from within a TrafficScript rule. This rule can then be added to a virtual server handling the service to be authenticated.
As of version 11.1, this type of authenticator can support both SSL (aka SSL-wrapped LDAP aka LDAPS) and TLS (aka LDAP over StartTLS), but this can not be used for admin authentications.
(2) System > Users > Authenticators
This authenticator allows Traffic Manager Admin users to be authenticated using LDAP (as well as Radius and TACACS+)
But unfortunately it does not support SSL/startTLS (as of version 11.1). However, you can work around it by creating a loopback virtual server and enabling SSL encryption on the pool used by this loopback virtual server. The pool contains the real LDAP server(s).
Then in the ldap!server field of the authenticator use 127.0.0.1 so that it forwards the authentication requests to the local/loopback virtual server which will then forward it to the ldap servers configured in the pool. You can also use a Traffic IP instead of 127.0.0.1 for high availability (fault tolerance).
So the short answer is that Traffic Manager out-of-the-box does not support LDAP over SSL/startTLS for admin authentications, but you can use the above (2) workaround to enable LDAPS.
We have two RFEs to support LDAPS (VTM-11412) and LDAP TLS (VTM-13029). If you have access to your portal please raise a support case with us so that we can add your details/interest to the list of customers requesting these RFEs.
Hope this helps
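Before pointing the SSL-encrypted pool from the workaround above at the real LDAP servers, it is worth confirming that each server actually presents a certificate the Traffic Manager's trust store will accept and completes an LDAP bind over that TLS hop. The following probe is an added example and is not part of this thread or of the Traffic Manager product; it verifies the chain and hostname with Python's default TLS context, sends an anonymous LDAPv3 bind request, and decodes the bindResponse result code. The hostname `ldap.example.internal` is a placeholder; the BER encoder and decoder are written here for the probe rather than taken from any LDAP library.

```python
"""Probe an LDAPS endpoint: verify the server certificate, then complete one LDAP bind.

Added example (not from the thread). LDAP messages are BER-encoded per RFC 4511;
only the short pieces needed for an anonymous bind are implemented here.
"""
import socket
import ssl
import sys


def _tlv(tag, body):
    """Encode one BER tag-length-value with a short-form length (body < 128 bytes)."""
    if len(body) >= 128:
        raise ValueError("probe only encodes short-form lengths")
    return bytes([tag, len(body)]) + body


def build_bind_request(message_id=1, dn=b"", password=b""):
    """LDAPMessage { messageID, BindRequest { version 3, name, simple password } }.

    With the defaults this is an anonymous bind, which is enough to prove the TLS
    hop and the LDAP framing work; the server's result code is informational.
    """
    version = _tlv(0x02, b"\x03")            # INTEGER 3 (LDAPv3)
    name = _tlv(0x04, dn)                    # OCTET STRING bind DN
    simple_auth = _tlv(0x80, password)       # [0] simple authentication
    bind_request = _tlv(0x60, version + name + simple_auth)  # [APPLICATION 0]
    msg_id = _tlv(0x02, bytes([message_id]))
    return _tlv(0x30, msg_id + bind_request)  # outer SEQUENCE


def _read_tlv(buf, pos):
    """Decode one BER TLV (short or long-form length); return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def parse_bind_response(data):
    """Return (messageID, resultCode) from a BindResponse LDAPMessage."""
    tag, body, _ = _read_tlv(data, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    tag, msg_id, pos = _read_tlv(body, 0)
    if tag != 0x02:
        raise ValueError("missing messageID")
    tag, op, _ = _read_tlv(body, pos)
    if tag != 0x61:                           # [APPLICATION 1] BindResponse
        raise ValueError("protocolOp is not a bindResponse (tag 0x%02x)" % tag)
    tag, code, _ = _read_tlv(op, 0)
    if tag != 0x0A:                           # ENUMERATED resultCode
        raise ValueError("missing resultCode")
    return int.from_bytes(msg_id, "big"), int.from_bytes(code, "big")


def probe_ldaps(host, port=636, cafile=None, timeout=5.0):
    """Connect with certificate and hostname verification and perform one bind.

    cafile is the CA bundle the Traffic Manager pool will trust; None uses the
    system store. Any verification failure raises ssl.SSLError before LDAP runs.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            tls.sendall(build_bind_request())
            msg_id, code = parse_bind_response(tls.recv(4096))
            return {
                "tls_version": tls.version(),
                "peer_subject": tls.getpeercert().get("subject"),
                "message_id": msg_id,
                "result_code": code,   # 0 = success, 48/53 = anonymous bind refused
            }


if __name__ == "__main__":
    # Placeholder host; pass your LDAP server and optional CA bundle on the command line.
    target = sys.argv[1] if len(sys.argv) > 1 else "ldap.example.internal"
    ca_bundle = sys.argv[2] if len(sys.argv) > 2 else None
    print(probe_ldaps(target, cafile=ca_bundle))
```

A result code of 0 means the server accepted the anonymous bind; 48 (inappropriateAuthentication) or 53 (unwillingToPerform) means anonymous binds are refused, which is a normal hardening setting and still shows the TLS hop and LDAP framing are sound. A certificate error, by contrast, means the pool's SSL encryption would fail (or would have to be weakened by skipping verification) and should be fixed on the LDAP server first.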