
epaalx
Mar 10, 2020

LDAPS for remote authentication, without certificate validation

Hi Experts,

Our BIG-IP vCMP Host and Guest are using LDAP for administrative access authentication and I need to change to LDAPS. I don't want LDAP Server certificate validation because Active Directory administrators are likely to change this certificate (and its CA) without notice.

In "ldap system-auth" I see the parameters "ssl" and "port", which are obvious, but am unsure about "ssl-check-peer" and "ssl-ca-cert-file".

Is it enough to set "ssl-client-cert" to 'disabled' and leave "ssl-ca-cert-file" as 'none' to disable LDAP server certification validation whilst still enabling LDAPS?

R's, Alex

1 Reply

  • Hi Alex,

    Yes, it is. With ssl-peer-check disable the BIG-IPs won't verify the LDAPS server certificate.

    Cheers,

    Kees
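The setting discussed in this thread, next to a variant that keeps server verification by trusting the issuing CA, so a re-issued server certificate from the same CA still validates. This is an added example, not part of the original posts; it uses the `auth ldap system-auth` parameter names from the question, and the CA file path is a placeholder whose exact form (file path versus file object name) is an assumption to check against your TMOS version.

```tmsh
# Added example, entered at the tmsh prompt (not from the thread).

# Variant asked about: LDAPS enabled, server certificate NOT verified.
# The BIG-IP will accept any certificate presented on port 636.
modify auth ldap system-auth ssl enabled port 636 ssl-check-peer disabled ssl-ca-cert-file none

# Variant with verification: LDAPS enabled, peer checked against a CA file.
# /config/ssl/ssl.crt/ad-issuing-ca.crt is a placeholder, not a real path
# from the thread; it stands for the CA that signs the AD servers' certificates.
modify auth ldap system-auth ssl enabled port 636 ssl-check-peer enabled ssl-ca-cert-file /config/ssl/ssl.crt/ad-issuing-ca.crt

# Review the resulting settings, then persist them.
list auth ldap system-auth
save sys config
```

With the second variant, administrative logins fail if the directory servers move to a CA that is not in the configured file, so keep a local administrative account available while testing.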