Forum Discussion

AlanTLR_151265's avatar
AlanTLR_151265
Icon for Nimbostratus rankNimbostratus
Apr 17, 2014

Need help configuring Active Directory for User Authentication WITH SSL

On our F5 BIG-IP LTM (running 10.2.1) We are able to get Active Directory user authentication without SSL to work, but are having trouble getting it to work correctly with SSL. I have a suspicion that this has to do with the keys. I've entered them and even imported them as trusted device certificates, but I am still unable to get them working correctly. Is there a specific format that they should be in? I've tried PKCS12, PKCS7, and DER.

auth ldap system-auth {
    bind-dn "cn=\"LDAP Account\",ou=\"Service ACC\",dc=my,dc=lovely,dc=com"
    bind-pw ********
    login-attribute samaccountname
    port ldaps
    search-base-dn dc=my,dc=lovely,dc=com
    servers { MYDC03.my.lovely.com }
    ssl enabled
    ssl-ca-cert-file /etc/keys/ca.cer
    ssl-client-cert /etc/keys/ldaps.crt
    ssl-client-key /etc/keys/ldaps.key
    user-template %s@my.lovely.com
}

*Names, passwords, and domains have been changed for security.

    • AlanTLR_151265's avatar
      AlanTLR_151265
      Icon for Nimbostratus rankNimbostratus
      We were able to verify with the ldapsearch command yesterday, but today am now getting other errors. > TLS trace: SSL_connect:before/connect initialization > TLS trace: SSL_connect:SSLv2/v3 write client hello A > TLS trace: SSL_connect:error in SSLv2/v3 read server hello A > TLS: can't connect. Makes me wonder if this is truly an issue with the keys now.
    • AlanTLR_151265's avatar
      AlanTLR_151265
      Icon for Nimbostratus rankNimbostratus
      We were able to verify with the ldapsearch command yesterday, but today am now getting other errors. > TLS trace: SSL_connect:before/connect initialization > TLS trace: SSL_connect:SSLv2/v3 write client hello A > TLS trace: SSL_connect:error in SSLv2/v3 read server hello A > TLS: can't connect. Makes me wonder if this is truly an issue with the keys now.
  • if your ldap server does not do client certificate authentication, can you try to remove client certificate and key in configuration?

    also, i understand ca certificate is not required (i.e. no server validation). can you try to remove ca certificate in configuration as well?

     config
    
    root@ve10(Active)(tmos) list sys global-settings
    sys global-settings {
        auth-source-type ldap
        gui-setup disabled
        hostname ve10.acme.com
        mgmt-dhcp disabled
    }
    root@ve10(Active)(tmos) list auth ldap
    auth ldap system-auth {
        bind-dn CN=administrator,CN=users,DC=abc,DC=com
        bind-pw password
        login-attribute samaccountname
        port ldaps
        search-base-dn CN=Users,DC=abc,DC=com
        servers { 200.200.200.103 }
        ssl enabled
    }
    
     /var/log/secure
    
    [root@ve10:Active] log  tail -f /var/log/secure
    Apr 18 17:20:16 local/ve10 alert httpd[3536]: pam_unix(httpd:account): could not identify user (from getpwnam(tasmania))
    Apr 18 17:20:16 local/ve10 notice httpd[3536]: 01070417:0: AUDIT - user tasmania - RAW: httpd(mod_auth_pam): user=tasmania(tasmania) partition=[All] level=Administrator tty=/usr/bin/tmsh host=192.168.206.176 attempts=1 start="Fri Apr 18 17:20:16 2014".
    
  • I had the AD admin re-create and re-create and re-issue the CA bundle and convert it to a CRT bundle. We removed the client key and the client certificate (as this is part of the CA bundle) and it started working! Thanks for all your help!