Specifications
Chapter 12
12 - 16
To configure an LDAP server that stores encrypted passwords
Some LDAP servers store passwords encrypted with DES or as MD5 hashes. On these systems, it is best to bind to the server directly as the user and let the LDAP server match the password itself. The login_ldap utility can be configured to bind directly to the server with the following settings in the /etc/login.conf file.
1. Edit /etc/login.conf. Locate these lines at the top of the file. Replace my_ldap_server with the host name of your LDAP server. Replace the value for ldap-basedn with the appropriate basedn for your LDAP server (see Figure 12.10).
2. Locate the default authentication type. Change the tc value to point to the new ldap-defaults type (see Figure 12.11).
To configure an LDAP server that stores plain text passwords
Other LDAP servers store user passwords in plain text. Because of this, these servers require the root LDAP user to log in before the user entries can be read. Use these instructions to configure BIG-IP to authenticate to the server with the root user identity before each user authentication.
1. Edit the /etc/login.conf file. Locate the lines at the top of the file after the auth-bsdi-defaults type. Replace my-ldap-server with the values from your LDAP configuration. Change ldap-user-bind to no. The ldap-server-user may not be required by your configuration. If it is not, remove that line (see Figure 12.12).
ldap-defaults:auth=passwd:\
:auth-ssh=ldap,passwd:\
:ldap-server=my_ldap_server:\
:ldap-server-user=cn=Manager,dc=test,dc=net:\
:ldap-basedn=dc=test,dc=net:\
:ldap-user-bind=yes:
Figure 12.10 Example ldap-defaults settings for an LDAP server that stores encrypted passwords
default:\
:path=/bin /usr/bin /usr/contrib/bin:\
:datasize-cur=16M:\
:tc=ldap-defaults:
Figure 12.11 Example default settings for an LDAP server that stores encrypted passwords
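The two procedures above both edit capability records in /etc/login.conf, and the default class picks up the LDAP settings only through its tc= reference. The following added example (not from the BIG-IP documentation) parses records in that format, resolves the tc= chain to show the effective settings of the default class, and flags the bind-as-root mode of the second procedure, where the ldap-server-user credential itself has to be kept on the BIG-IP. The sample configuration embedded in it is constructed from Figures 12.10 and 12.11.

```python
from typing import Dict, List
# Constructed sample modelled on Figures 12.10 and 12.11; not text from the page.
SAMPLE_LOGIN_CONF = r"""
ldap-defaults:auth=passwd:\
    :auth-ssh=ldap,passwd:\
    :ldap-server=my_ldap_server:\
    :ldap-server-user=cn=Manager,dc=test,dc=net:\
    :ldap-basedn=dc=test,dc=net:\
    :ldap-user-bind=yes:
default:\
    :path=/bin /usr/bin /usr/contrib/bin:\
    :datasize-cur=16M:\
    :tc=ldap-defaults:
"""

def parse_login_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Return {class: {capability: value}}; a trailing backslash continues a record."""
    records: Dict[str, Dict[str, str]] = {}
    buf = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):
            buf += line[:-1]
            continue
        fields = [f for f in (buf + line).split(":") if f]  # first field is the class name
        buf = ""
        caps: Dict[str, str] = {}
        for field in fields[1:]:
            key, eq, value = field.partition("=")  # a DN value keeps its own '='
            caps[key] = value if eq else "true"    # a bare capability is boolean true
        records[fields[0]] = caps
    return records

def resolve(records: Dict[str, Dict[str, str]], name: str, seen=frozenset()) -> Dict[str, str]:
    """Effective capabilities of a class after following tc= (the child's values win)."""
    if name in seen:
        raise ValueError(f"tc= loop at {name}")
    own = dict(records[name])
    parent = own.pop("tc", None)
    merged = resolve(records, parent, seen | {name}) if parent else {}
    merged.update(own)
    return merged

def audit(caps: Dict[str, str]) -> List[str]:
    """Flag the bind-as-root mode of the second procedure: that DN's password then lives on BIG-IP."""
    if caps.get("ldap-user-bind") == "no" and "ldap-server-user" in caps:
        return [f"BIG-IP binds as {caps['ldap-server-user']}; login.conf holds that credential"]
    return []
```

Running `audit(resolve(parse_login_conf(open("/etc/login.conf").read()), "default"))` on a real file reports whether the default class has ended up in bind-as-root mode after the edit.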