Forum Discussion

JLeMoal
Nov 18, 2015

CRLDP Authentication : CRL lookup failed

Hi F5 community,


I'm trying to use CRLDP Authentication on BigIP APM (12.0.0). This is for an ActiveSync access with certificate credentials (Kerberos method). Everything works before adding CRLDP auth: credentials are extracted from the client certificate and used for Kerberos authentication. I have access to my emails. That part is great.


As far as CRLDP is concerned, I followed this configuration process: https://support.f5.com/kb/en-us/products/big-ip_apm/manuals/product/apm-authentication-single-sign-on-12-0-0/16.print.html. To sum up, I created the CRLDP AAA server and associated it with my access policy.


And it's not working: reason 'No valid host found', CRL lookup failed for LDAP URL. I'm not surprised, because I know that a user account is required to access my LDAP. The thing is, I don't know how or where to configure it.


Somebody's got a clue?


Cheers, Julien


  • The error you're getting is most likely not because of authentication. Do your client certificates have a CRLDP x.509 extension in them? And if so do they point to the correct URL? APM has supported HTTP-based CRLDP for a few versions now and frankly that's the better and simpler way to go if you can do it.


    As for requiring authenticated LDAP, it generally doesn't make sense to do that for CRLDP (or any revocation data) resources. While it technically can be done (adding bind information to an LDAP request) via iRules and some magical VIP targeting, it isn't natively supported in the config.
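    The two checks suggested above (does the client certificate carry a CRLDP extension, and does it point at an HTTP rather than an LDAP distribution point) can be scripted with OpenSSL. This is an added example, not code from the thread or from F5; it assumes OpenSSL 1.1.1 or later (for `-addext` and `-ext`) and generates throwaway test certificates with constructed, non-routable example URIs.

```shell
#!/bin/sh
# Added example: inspect a client certificate's CRL Distribution Points
# (CRLDP) extension and flag whether an HTTP(S) distribution point exists,
# since HTTP-based CRLDP is the simpler path on APM. Requires OpenSSL 1.1.1+.
set -e

# Print the CDP URIs of the PEM certificate in $1, one per line.
crldp_uris() {
  openssl x509 -in "$1" -noout -ext crlDistributionPoints 2>/dev/null \
    | sed -n 's/^[[:space:]]*URI:\(.*\)$/\1/p'
}

# Classify a CDP URI by scheme: http, ldap or other.
crldp_scheme() {
  case "$1" in
    http://*|https://*) echo http ;;
    ldap://*|ldaps://*) echo ldap ;;
    *) echo other ;;
  esac
}

# List every CDP with its scheme; succeed only if at least one is HTTP(S).
audit_cert_crldp() {
  crldp_uris "$1" | while IFS= read -r uri; do
    echo "$(crldp_scheme "$uri") $uri"
  done
  crldp_uris "$1" | grep -qiE '^https?://'
}

# Write a throwaway self-signed cert to $1 carrying the CDP list in $2
# (openssl crlDistributionPoints syntax: "URI:http://...,URI:ldap://...").
make_test_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=testuser" \
    -keyout /dev/null -out "$1" -addext "crlDistributionPoints=$2" 2>/dev/null
}

# Constructed example URIs (example.test is reserved and never resolves).
HTTP_CDP="URI:http://pki.example.test/ca.crl"
LDAP_CDP="URI:ldap://ldap.example.test/CN=CA%2CCN=CDP?certificateRevocationList"

# Demo: a cert with both CDPs passes; an LDAP-only cert (the situation in
# the question) is flagged.
WORK=$(mktemp -d)
make_test_cert "$WORK/both.pem" "$HTTP_CDP,$LDAP_CDP"
make_test_cert "$WORK/ldaponly.pem" "$LDAP_CDP"
audit_cert_crldp "$WORK/both.pem" || echo "both.pem: no HTTP CDP found"
audit_cert_crldp "$WORK/ldaponly.pem" || echo "ldaponly.pem: no HTTP CDP found"
```

    Run it against a real client certificate with `audit_cert_crldp client.pem`; a non-zero exit means every distribution point is LDAP (or absent), which is exactly the case where the LDAP bind problem described above applies.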


  • Hi Kevin, thanks for the answer.


    Yes, my client certificates have the CRLDP x.509 extension and it's pointing to the correct URL. But I understand this maybe isn't the easiest (smartest?) way to do it.


    I'll take your advice and try the HTTP-based CRLDP method. I'll get back to this article if needed.
