LDAPS Monitor with Certificate Expiration
Hi Team,
I have been working with my AD team trying to resolve a problem where they forget to update a Domain Controller certificate and it expires, and AD LDAPS queries fail since they don't bind to expired certificates. They have requested to see if we can drop a member out of the pool if the certificate is expired (i.e., not a valid SSL cert).
I have been messing with the LDAP Health monitor, turning on the Security settings, but I don't believe this would actually check whether a certificate is valid or not. I know with server-side SSL configuration you can enable SSL authentication, but that would just stop traffic from flowing, not actually drop a member out of the pool.
Any ideas?
- danielpenna (Cirrus)
Thanks Guys, will give Mel's solution a try since it's the simplest. If that doesn't work, will give Mike's a go.
Will supply feedback on how I go.
Edit: Although reading the context help on the F5 box, Mandatory Attributes refers, I think, to the actual healthcheck returning proper LDAP attributes. I remember reading that the basic LDAP healthcheck doesn't request attributes, this must enforce that. Unsure how the expired cert checking fits in but will give it a go.
Mandatory Attributes: Specifies whether the target must include attributes in its response to be considered up.
No: Specifies that the system performs only a one-level search (based on the Filter setting), and does not require that the target returns any attributes.
Yes: Specifies that the system performs a sub-tree search, and if the target returns no attributes, the target is considered down.
- SlipperyPete (Nimbostratus)
Hi Daniel, interested to know how you went with this testing (if you remember back to 2015!). I am currently setting up a similar test for the same issue.
- mikeshimkus_111 (Historic F5 Account)
Hi danielpenna, I think you could use an iCall script to check for a valid cert and update the pool membership accordingly:
https://devcentral.f5.com/articles/icall-all-new-event-based-automation-system
https://devcentral.f5.com/codeshare?sid=288
- MVA (Nimbostratus)
Hi, we resolved this a few years back, if I recall, by enabling "Mandatory Attributes" in the health monitor. Test against an expired cert DC with this setting enabled/disabled.