
Forum Discussion

danielpenna
Oct 06, 2015

LDAPS Monitor with Certificate Expiration

Hi Team,

I have been working with my AD team trying to resolve a problem where they forget to update a Domain Controller certificate; it expires, and AD LDAPS queries fail since they don't bind to expired certificates. They have requested that we see if we can drop a member out of the pool if the certificate is expired (i.e., not a valid SSL cert).

I have been messing with the LDAP health monitor, turning on the Security settings, but I don't believe this would actually check whether a certificate is valid or not. I know with the server-side SSL configuration you can enable SSL authentication, but that would just stop traffic from flowing, not actually drop a member out of the pool.

Any ideas?
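One way to get the behaviour the question asks for (pull a member whose LDAPS certificate is expired, or about to expire, out of the pool) is an external monitor that performs its own TLS handshake against the member instead of relying on the built-in LDAP monitor's security settings. The script below is an added example, not code from this thread or from F5. It assumes the BIG-IP external-monitor calling convention (node address in argv[1], which may arrive IPv4-mapped such as ::ffff:10.0.0.5, port in argv[2], and the member is marked up only if the script writes something to stdout) plus a hypothetical third argument for the minimum number of days of validity required. The evaluate() helper takes an injected clock so the decision logic can be exercised without a live directory server.

```python
"""LDAPS certificate-expiry check for a pool member (added example, not F5 code).

Assumes the BIG-IP external-monitor calling convention: argv[1] is the node
address (IPv4 nodes may arrive IPv4-mapped, e.g. "::ffff:10.0.0.5"), argv[2]
is the port, and the member is marked up only if the script prints something.
The optional argv[3] (hypothetical) is the minimum validity remaining, in days.
"""
import socket
import ssl
import sys
import time

SECONDS_PER_DAY = 86400


def evaluate(cert, now, min_remaining_days=0):
    """Return "up" or "down" for a peer-certificate dict as returned by
    SSLSocket.getpeercert(); `now` is epoch seconds, injected so the decision
    can be tested without a live server.
    """
    if not cert or "notAfter" not in cert:
        # getpeercert() returns {} when the peer certificate was not validated
        # (verify_mode CERT_NONE), and fetch_peer_cert() returns None when the
        # handshake fails; neither is evidence that the member is healthy.
        return "down"
    remaining = ssl.cert_time_to_seconds(cert["notAfter"]) - now
    if remaining <= min_remaining_days * SECONDS_PER_DAY:
        return "down"
    return "up"


def fetch_peer_cert(host, port, cafile=None, timeout=5.0):
    """Complete a TLS handshake with host:port and return the validated peer
    certificate dict, or None if the connection or verification fails.
    `cafile` should point at the bundle containing the AD CA; with None the
    system default trust store is used.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    # Keep CERT_REQUIRED so an expired or untrusted certificate fails here, as it
    # does for an LDAPS bind. Hostname matching is disabled because the monitor
    # addresses the member by IP while DC certificates carry DNS names.
    ctx.check_hostname = False
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock) as tls:
                return tls.getpeercert()
    except OSError:  # ssl.SSLError is a subclass of OSError
        return None


def main(argv):
    if len(argv) < 3:
        sys.stderr.write("usage: ldaps_cert_monitor.py <node-address> <port> [min-days]\n")
        return 2
    host = argv[1]
    if host.startswith("::ffff:"):  # strip the IPv4-mapped prefix BIG-IP adds
        host = host[len("::ffff:"):]
    port = int(argv[2])
    min_days = int(argv[3]) if len(argv) > 3 else 0
    status = evaluate(fetch_peer_cert(host, port), time.time(), min_days)
    if status == "up":
        print("up")  # any stdout output marks the member up; silence marks it down
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Verification stays on, so an expired or untrusted DC certificate fails the handshake the same way an LDAPS client bind would, and the member is reported down; the day threshold additionally lets you drop a member before its certificate actually lapses. Point the monitor at port 636 and pass the AD CA bundle as `cafile` if it is not in the system trust store.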

4 Replies

  • MVA

    Hi, we resolved this a few years back, if I recall, by enabling "Mandatory Attributes" in the health monitor. Test against an expired cert DC with this setting enabled/disabled.


  • Thanks guys, will give Mel's solution a try since it's the simplest. If that doesn't work, will give Mike's a go.

    Will supply feedback on how I go.

    Edit: Although, reading the context help on the F5 box, Mandatory Attributes I think refers to the actual health check returning proper LDAP attributes. I remember reading that the basic LDAP health check doesn't request attributes; this must enforce that. Unsure how the expired cert checking fits in, but will give it a go.

    Mandatory Attributes: Specifies whether the target must include attributes in its response to be considered up.

    No: Specifies that the system performs only a one-level search (based on the Filter setting), and does not require that the target returns any attributes.

    Yes: Specifies that the system performs a sub-tree search, and if the target returns no attributes, the target is considered down.


    • SlipperyPete

      Hi Daniel, interested to know how you went with this testing (if you remember back to 2015!). I am currently setting up a similar test for the same issue.