Forum Discussion
jgabel_43098
Nimbostratus
Nimbostratusclient ssl, F5 and ldap integration
Please bear with me all you network tech heads as I am not a network guy, but rather a infosec guy, so I have no experience running F5 appliances.
I am wondering if anyone has successfully setup a F5 with ldap(eDirectory) and client ssl certs using "certificate map". If so can you explain with any detail how it works? We are trying to set it up but don't quite understand how it is supposed to work. We have a client ssl cert in a browser, connects to a vip on the F5 that goes to two backend webservers. For now we are just testing hitting the default webserver static web page which is good enough for testing as our concern isn't the web apps, but rather the ldap(eDirectory) integration with F5. Our network folks have tried different configurations and can get the "user" option to work, but that works even if we don't store the client cert(public key only copy since the end client/browser has the private key) in the directory attached to the user account.
We tried to use certificate map instead, but we just don't understand how it works and what is appropropriate to put in the "Certificate Map Key" field. We tried "cn", and that appears to work, but once again, we don't have to store the cert in the directory and it will still appear to work.
In summary, what we want to do is this. User connects with client cert, the F5 connects to ldap(eDirectory) and checks to see if the user is present and the cert(the copy with just the public key) is attached to the account. If either is missing, it should reject the connection. If they are present, it should allow it.
So if anyone has any advice on how it supposed to work or how we can get it to work, it would be greatly appreciated it. Do we need a custom iRule? Is this not the F5 works with these things? Just looking for some answers.
Thanks!!!
3 Replies
James_ThomsonEmployee
Is this what you're trying to accomplish?
http://www.f5.com/solutions/technology/clientauthentication_wp.html
Is the BIG-IP licensed with the Advanced Client Authentication (ACA) Module?
Have you looked at this?
https://tech.f5.com/home/bigip-next/manuals/bigip9_4/bigip9_4implementation/BIG-IP_9_4_Implementation_Gd-25-1.htmlwp1022039
jgabel_43098Yes that is sort of what we want to do.
The problem centers around the Search Type option. We tried "User", but that doesn't do exactly what the F5 description says. The description say that the F5 will look for the user in ldap and if there is a client cert with that user then they are authenticated. We found that even without a cert attached to the user, the F5 considers them authenticated. So basically it doesn't work the way they say it does. All it cares, is if there is a valid username in the directory that matches what is on the incoming cert, that your good to go. That is not adequate in our opinion.
So next we wanted to try "Certificate Map" type. Unfortunately we have no idea what the "Certificate Map Key" field is supposed to contain, and scouring googe, novell and F5 sites we haven't been able to find out any information on how to make it work using the "certificate map" type.
The third option is certificate, but that too is confusing as we don't necessarily know what goes in some of the extra fields it presents and we can't find anything online to guide us in that area either.
So we're trying to find information online or through forums, find people who have successfully done this sort of thing.
I'll read through the docs you provided though and see if I can gleam anything new. Thanks.
Juerg_WiesmannUsing the Certificate Option it will check to find the Certificate within the LDAP Directory.
For sure it has to be there..
Check the online Help or do TCPDumps to find the Querys sent to the LDAP and compare them with the responses you get and you will find it. One thing to add here. Searching for the whole Certificate will put quite a bit of load onto the LDAP Directory. So please make sure it is capable of handling these Requests.
Kind Regards
Wiesmann
