Forum Discussion
nick
Nimbostratus
NimbostratusF5 APM - Active Directory AAA profile and port 636 w/ SSL
As you probably already know, Microsoft is enforcing all LDAP binds to require a secure channel binding or LDAPS in March 2020. This means port 389 for LDAP queries will fail after the March Windows patch is deployed.
Our ActiveSync and OWA Exchange VIPs were deployed using the Exchange iApp and have Active Directory AAA profiles for access through the APM. I've looked through the profile settings and do not see where to change the port from 389 to 636. How do we force the Active Directory AAA profiles to use 636 with SSL?
Edit: Did see another post regarding this and found this article that states no changes are necessary for Active Directory profiles? https://support.f5.com/csp/article/K30054212
boneyardMVP
yes that is my understanding as well, if you use active directory as AAA server you should be fine.
WillCAltostratus
read this other thread: https://devcentral.f5.com/s/feed/0D51T000074cnXxSAI
the f5 article was incorrect and now taken down: https://support.f5.com/csp/article/K30054212 (feb 5 access shows page not available)
AD query in APM policy will generate unsigned insecure LDAP.
needs to be changed to LDAP query via port 636.
so if you use AD auth also, likely need to change that to LDAP auth via 636 as an ldap query wont work without ldap auth first.
- nmb-AskF5
Employee
We've restored the article in question, and will update it further when we have more complete information. I apologize for the inconvenience, and the poor experience while the link was broken.
- boneyard
there is not much in the article now, do you know when we can expect an update?
KinInvestigations are still on-going; an update has been posted in the article https://support.f5.com/csp/article/K30054212
- Kin
The article https://support.f5.com/csp/article/K30054212 has been updated after investigations
- boneyard
thank you Kin, great to see AD query should still be fine
