danielpenna
Oct 06, 2015

LDAPS Monitor with Certificate Expiration

Hi Team,

 

I have been working with my AD team trying to resolve a problem where they forget to update a Domain Controller certificate, it expires, and AD LDAPS queries fail since they don't bind to expired certificates. They have requested to see if we can drop a member out of the pool if the certificate is expired (i.e., not a valid SSL cert).

I have been messing with the LDAP health monitor, turning on the Security settings, but I don't believe this would actually check whether a certificate is valid or not. I know with server-side SSL configuration you can enable SSL authentication, but that would just stop traffic from flowing, not actually drop a member out of the pool.

Any ideas?
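The check asked about in the question above, sketched as a stand-alone Python probe (an added example, not code from the thread or from F5). It reports a member as down when the TLS handshake on the LDAPS port fails verification, which includes an expired certificate, or when the certificate has fewer than `min_days` of validity left. The function names, the sample certificate and the `cafile` argument (a PEM file holding the internal AD CA) are assumptions, and the host name passed in is assumed to match the certificate.

```python
import socket
import ssl
import time

# Constructed sample in the shape returned by ssl.SSLSocket.getpeercert().
SAMPLE_CERT = {"notAfter": "Oct  6 00:00:00 2015 GMT"}


def days_left(cert, now=None):
    """Days until the certificate's notAfter (negative once expired)."""
    now = time.time() if now is None else now
    return (ssl.cert_time_to_seconds(cert["notAfter"]) - now) / 86400.0


def member_state(cert, now=None, min_days=0):
    """Return 'up' while more than min_days of validity remain, else 'down'."""
    return "up" if days_left(cert, now) > min_days else "down"


def probe_ldaps(host, port=636, cafile=None, min_days=0, timeout=5):
    """Handshake with an LDAPS listener and report 'up' or 'down'.

    The default context verifies the chain, validity dates and host name,
    so an expired certificate already fails the handshake; min_days adds
    an early-warning margin on top of that.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return member_state(tls.getpeercert(), min_days=min_days)
    except OSError:  # ssl.SSLError and socket timeouts are OSError subclasses
        return "down"


if __name__ == "__main__":
    # Offline demonstration on the constructed sample; no network needed.
    print(member_state(SAMPLE_CERT))
```
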

 

  • MVA

    Hi, we resolved this a few years back, if I recall, by enabling "Mandatory Attributes" in the health monitor. Test against an expired cert DC with this setting enabled/disabled.

     

  • Thanks guys, will give Mel's solution a try since it's the simplest. If that doesn't work, will give Mike's a go.

    Will supply feedback on how I go.

    Edit: Although reading the context help on the F5 box, Mandatory Attributes refers, I think, to the actual health check returning proper LDAP attributes. I remember reading that the basic LDAP health check doesn't request attributes; this must enforce that. Unsure how the expired cert checking fits in, but will give it a go.

    Mandatory Attributes: Specifies whether the target must include attributes in its response to be considered up.

    No: Specifies that the system performs only a one-level search (based on the Filter setting), and does not require that the target returns any attributes.

    Yes: Specifies that the system performs a sub-tree search, and if the target returns no attributes, the target is considered down.

     

    • SlipperyPete

      Hi Daniel, interested to know how you went with this testing (if you remember back to 2015!). I am currently setting up a similar test for the same issue.