Need help configuring Active Directory for User Authentication WITH SSL
On our F5 BIG-IP LTM (running 10.2.1) we are able to get Active Directory user authentication without SSL to work, but are having trouble getting it to work correctly with SSL. I have a suspicion that this has to do with the keys. I've entered them and even imported them as trusted device certificates, but I am still unable to get them working correctly. Is there a specific format that they should be in? I've tried PKCS12, PKCS7, and DER.
auth ldap system-auth {
    bind-dn "cn=\"LDAP Account\",ou=\"Service ACC\",dc=my,dc=lovely,dc=com"
    bind-pw ********
    login-attribute samaccountname
    port ldaps
    search-base-dn dc=my,dc=lovely,dc=com
    servers { MYDC03.my.lovely.com }
    ssl enabled
    ssl-ca-cert-file /etc/keys/ca.cer
    ssl-client-cert /etc/keys/ldaps.crt
    ssl-client-key /etc/keys/ldaps.key
    user-template %s@my.lovely.com
}
*Names, passwords, and domains have been changed for security.
- nitass_89166 (Noctilucent)
Have you done the verification part in sol11072?
sol11072: Configuring LDAP remote authentication for Active Directory
- AlanTLR_151265 (Nimbostratus)
We were able to verify with the ldapsearch command yesterday, but today I am getting other errors.
> TLS trace: SSL_connect:before/connect initialization
> TLS trace: SSL_connect:SSLv2/v3 write client hello A
> TLS trace: SSL_connect:error in SSLv2/v3 read server hello A
> TLS: can't connect.
Makes me wonder if this is truly an issue with the keys now.
- nitass (Employee)
If your LDAP server does not do client certificate authentication, can you try removing the client certificate and key from the configuration?
Also, I understand the CA certificate is not required (i.e. no server validation). Can you try removing the CA certificate from the configuration as well?
config

root@ve10(Active)(tmos) list sys global-settings
sys global-settings {
    auth-source-type ldap
    gui-setup disabled
    hostname ve10.acme.com
    mgmt-dhcp disabled
}
root@ve10(Active)(tmos) list auth ldap
auth ldap system-auth {
    bind-dn CN=administrator,CN=users,DC=abc,DC=com
    bind-pw password
    login-attribute samaccountname
    port ldaps
    search-base-dn CN=Users,DC=abc,DC=com
    servers { 200.200.200.103 }
    ssl enabled
}

/var/log/secure

[root@ve10:Active] log tail -f /var/log/secure
Apr 18 17:20:16 local/ve10 alert httpd[3536]: pam_unix(httpd:account): could not identify user (from getpwnam(tasmania))
Apr 18 17:20:16 local/ve10 notice httpd[3536]: 01070417:0: AUDIT - user tasmania - RAW: httpd(mod_auth_pam): user=tasmania(tasmania) partition=[All] level=Administrator tty=/usr/bin/tmsh host=192.168.206.176 attempts=1 start="Fri Apr 18 17:20:16 2014".
- AlanTLR_151265 (Nimbostratus)
I had the AD admin re-create and re-issue the CA bundle and convert it to a CRT bundle. We removed the client key and the client certificate (as this is part of the CA bundle) and it started working! Thanks for all your help!
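The thread resolved once the CA material was supplied as a PEM (.crt) bundle containing only CA certificates, with the client certificate and key dropped. The original question was which container format the file was in (PKCS12, PKCS7 or DER), and that is easy to misjudge by file extension alone. The script below is an added example, not part of this thread and not an F5 tool: it sniffs the container type of a certificate file from its leading bytes, wraps a bare DER certificate as PEM, and reports whether a PEM bundle contains any private-key blocks (which belong with ssl-client-key only when the directory actually does client-certificate authentication, and never in ssl-ca-cert-file). The sample blobs are constructed to have the outer ASN.1 shape of each container; they are not real certificates. Only the standard library is used.

```python
import re
import ssl

# Contents of the OID TLVs that distinguish PKCS#7 and PKCS#12 containers.
_OID_PKCS7_DATA = bytes.fromhex("2a864886f70d010701")         # 1.2.840.113549.1.7.1 (data)
_OID_PKCS7_SIGNED_DATA = bytes.fromhex("2a864886f70d010702")  # 1.2.840.113549.1.7.2 (signedData)

_PEM_BEGIN = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----")


def _tlv(buf, pos=0):
    """Read one DER tag-length-value at pos. Returns (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long-form length: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _children(value):
    """Yield (tag, value) for each TLV directly inside a constructed value."""
    pos = 0
    while pos < len(value):
        tag, inner, pos = _tlv(value, pos)
        yield tag, inner


def classify(data: bytes) -> str:
    """Return 'PEM', 'DER-X509', 'PKCS7', 'PKCS12' or 'unknown' for a certificate file's bytes."""
    stripped = data.lstrip()
    if stripped.startswith(b"-----BEGIN "):
        return "PEM"
    if not stripped or stripped[0] != 0x30:   # every binary container here is an outer SEQUENCE
        return "unknown"
    try:
        _, outer, _ = _tlv(stripped)
        kids = list(_children(outer))
    except IndexError:                     # truncated or malformed DER
        return "unknown"
    if not kids:
        return "unknown"
    tag0, val0 = kids[0]
    if tag0 == 0x30:                       # Certificate ::= SEQUENCE { tbsCertificate SEQUENCE, ... }
        return "DER-X509"
    if tag0 == 0x06 and val0 == _OID_PKCS7_SIGNED_DATA:   # ContentInfo { signedData ... } (.p7b)
        return "PKCS7"
    if tag0 == 0x02 and val0 == b"\x03" and len(kids) > 1:  # PFX ::= SEQUENCE { version 3, authSafe ContentInfo, ... }
        tag1, val1 = kids[1]
        if tag1 == 0x30:
            first = next(iter(_children(val1)), None)
            if first and first[0] == 0x06 and first[1] == _OID_PKCS7_DATA:
                return "PKCS12"
    return "unknown"


def der_to_pem(der: bytes) -> str:
    """Wrap one DER certificate as PEM. The stdlib helper only base64-wraps; it does not validate."""
    return ssl.DER_cert_to_PEM_cert(der)


def pem_bundle_report(pem: str) -> dict:
    """Count block types in a PEM bundle and flag private keys, which do not belong in a CA bundle."""
    labels = [m.group(1).decode() for m in _PEM_BEGIN.finditer(pem.encode())]
    return {
        "certificates": sum(1 for lbl in labels if lbl.endswith("CERTIFICATE")),
        "private_keys": sum(1 for lbl in labels if lbl.endswith("PRIVATE KEY")),
        "labels": labels,
    }


def _der(tag: int, value: bytes) -> bytes:
    """Encode one TLV with short- or long-form length (used only to build the constructed samples)."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


# Constructed sample blobs: shaped like each container at the outer level, not real certificates.
SAMPLE_DER_CERT = _der(0x30, _der(0x30, _der(0x02, b"\x01")) + _der(0x30, b"") + _der(0x03, b"\x00"))
SAMPLE_PKCS7 = _der(0x30, _der(0x06, _OID_PKCS7_SIGNED_DATA) + _der(0xA0, _der(0x30, b"")))
SAMPLE_PKCS12 = _der(0x30, _der(0x02, b"\x03") + _der(0x30, _der(0x06, _OID_PKCS7_DATA) + _der(0xA0, _der(0x04, b""))))
SAMPLE_PEM_BUNDLE = (
    "-----BEGIN CERTIFICATE-----\nAAAA\n-----END CERTIFICATE-----\n"
    "-----BEGIN RSA PRIVATE KEY-----\nAAAA\n-----END RSA PRIVATE KEY-----\n"
)

if __name__ == "__main__":
    for name, blob in [("DER cert", SAMPLE_DER_CERT), ("PKCS#7", SAMPLE_PKCS7), ("PKCS#12", SAMPLE_PKCS12)]:
        print(f"{name}: {classify(blob)}")
    # A bundle that mixes a converted cert with a key block would be flagged: private_keys == 1.
    print(pem_bundle_report(der_to_pem(SAMPLE_DER_CERT) + SAMPLE_PEM_BUNDLE))
```

To use it on a real file, read the bytes and call `classify()`; a PKCS#7 or PKCS#12 result means the file still needs to be unpacked into individual PEM certificates before it can serve as a CA bundle, and a non-zero `private_keys` count in `pem_bundle_report()` means key material has been bundled in where only trust anchors should be.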