Forum Discussion
Remote - ClientCert LDAP Bugs on 11.5
Has anyone been able to configure Remote - ClientCert LDAP on 11.5? I found out this process was broken on 11.3 and seems to remain broken. I've managed to configure LDAP without a problem but I would like to secure the portal even further. I've been following the documentation here: http://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/tmos-implementations-11-5-0/27.html?sr=36282773
Bug 1: Host field does not accept an IP address (I can get around it by configuring DNS or the hosts file).
Bug 2: Apache Certificate List does not accept a list of certificates (this is new on 11.5). Only one may be uploaded at a time. This list is important because it tells the user which certificates are acceptable for authentication. Uploading a list named "allcertificates" produces the error below:
01070712:3: Values (/Common/allcertificates) specified for Certificate Bundle Entity (/Common/allcertificates.0 /Common/allcertificates): foreign key index (certificate_file_object_FK) do not point at an item that exists in the database.
With these bugs I was still able to create what I presume is a proper configuration; however it does not work. I am matching a 10 digit value within the certificate CN with the sAMAccountName on Active Directory. Some of my settings are below:
- CA Certificate: (Bug 2) I only choose the Root CA
- Login Name: CN
- Login LDAP Attribute: sAMAccountName
- Login Filter: \d{10} or hardcode 10 digit number
- Depth: Default (10)
- OCSP: off
Result: SSL Connection Error
Any guidance on the Remote - ClientCert LDAP configuration or any working configurations that you can share with me will be very helpful. Note that an incorrect configuration will prevent you from logging on, so please make sure you have a backup or snapshot.
4 Replies
- MichaelatF5
Employee
First, just a note, when you get locked out testing this solution, you can use: tmsh modify auth cert-ldap system-auth sso off
This will let you log back in using admin.
Next, there are some bugs being tracked with this configuration. You can try to configure using TMSH in the interim. Below were the settings I had to use to accomplish this using TMSH on 11.4. I am configuring this now in 11.5.1 and will update as I discover more.
Note: You absolutely HAVE to have a remote role group configured.
Note 2: If using Windows OCSP, enable NONCE.
Note 3: You, currently, absolutely HAVE to use OCSP.
auth cert-ldap system-auth {
    bind-dn "CN=LDAP Query,OU=Service Accounts,DC=alpha,DC=domain,DC=local"
    bind-pw $M$zk$MD/aIzNEVYJyFuwhtuZz/Q==
    check-roles-group enabled
    login-attribute sAMAccountName
    login-filter [a-zA-Z0-9]\\w*(\?=@)
    login-name altSubjectName=Othername
    search-base-dn DC=alpha,DC=domain,DC=local
    servers { xxx.xxx.3.22 }
    sso on
}
auth ldap system-auth {
    bind-dn "CN=LDAP Query,OU=Service Accounts,DC=alpha,DC=domain,DC=local"
    bind-pw $M$zk$MD/aIzNEVYJyFuwhtuZz/Q==
    check-roles-group enabled
    login-attribute sAMAccountName
    search-base-dn DC=alpha,DC=domain,DC=local
    servers { xxx.xxx.3.22 }
    user-template %s@ALPHA.DOMAIN.LOCAL
}
sys httpd {
    allow { All }
    auth-name BIG-IP
    auth-pam-dashboard-timeout off
    auth-pam-idle-timeout 1200
    auth-pam-validate-ip on
    description none
    fastcgi-timeout 300
    hostname-lookup off
    include none
    log-level warn
    max-clients 10
    redirect-http-to-https disabled
    request-body-max-timeout 0
    request-body-min-rate 500
    request-body-timeout 60
    request-header-max-timeout 40
    request-header-min-rate 500
    request-header-timeout 20
    ssl-ca-cert-file /Common/COLEHOME_CA_Chain
    ssl-certchainfile none
    ssl-certfile /etc/httpd/conf/ssl.crt/server.crt
    ssl-certkeyfile /etc/httpd/conf/ssl.key/server.key
    ssl-ciphersuite ALL:!ADH:!EXPORT:!eNULL:!MD5:!DES:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2
    ssl-include none
    ssl-ocsp-default-responder http://192.168.3.22/ocsp
    ssl-ocsp-enable on
    ssl-ocsp-override-responder on
    ssl-ocsp-response-max-age -1
    ssl-ocsp-response-time-skew 300
    ssl-verify-client require
    ssl-verify-depth 10
}
- MichaelatF5
Employee
There are some bugs in 11.5. I have tested this in 11.6 and it works with a caveat that we are trying to resolve now. The Login-Value only seems to pull Subject, and only supports a single value, CN. So if you are pulling Subject/emailAddress=user@domain.com to validate your users against userPrincipalName, that works fine.
I would also recommend the following:
- Make sure all certs are in PEM format. I had issue with DER and Base64.
- You don't really need the Chain CA cert, my config worked with nothing there.
- Do a TCP Capture on the internal side, or the network OCSP is processing on and the network LDAP is using, so you can see the OCSP and LDAP requests go out and ensure everything is in the proper format. You should see an OCSP request return OK, or if not OK something like Unauthorized (6). With LDAP you will see the query SearchRequest for userPrincipalName=user@domain.com or (login-attribute)=(login-value).
- The bugs you listed can be worked around by updating the config via tmsh.
- Be sure to submit a ticket for any issues, and post the case numbers. I can add them to existing bugs we are working internally.
Michael C
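The two replies above describe the same pipeline from different ends: the login-name field is read from the client certificate, the login-filter regex is applied to it, and the resulting login-value is sent to AD as a SearchRequest of the form (login-attribute)=(login-value). The script below is an added example, not code from the thread or from F5, that models that pipeline offline so you can check what the BIG-IP would ask the directory for before touching the box. The certificate fields are constructed sample data; the dictionary keys ("CN", "altSubjectName=Othername", "Subject/emailAddress") are simply the option labels used in this thread, not a real API. The login-filter regexes are the ones posted above, with the tmsh escaping removed, and the RFC 4515 escaping is added here because a certificate subject is attacker-influenced input if any CA in the allowed bundle issues end-entity certificates with free-form names.

```python
import re

# Constructed sample certificate fields (not from the original thread).
# Keys mirror the Login Name options discussed above; this is an assumption
# made for the example, not the BIG-IP's internal representation.
SAMPLE_CERTS = {
    "ten_digit_cn": {"CN": "1234567890"},
    "upn_san": {"altSubjectName=Othername": "jdoe@ALPHA.DOMAIN.LOCAL"},
    "email_subject": {"Subject/emailAddress": "user@domain.com"},
    "no_match": {"CN": "Jane Doe"},
    # A hostile subject: without escaping this would rewrite the LDAP filter.
    "hostile_cn": {"CN": "1234567890)(objectClass=*"},
}

# Login filters from the thread, written as plain Python regexes.
TEN_DIGIT_FILTER = r"\d{10}"
UPN_LOCALPART_FILTER = r"[a-zA-Z0-9]\w*(?=@)"   # tmsh form: [a-zA-Z0-9]\\w*(\?=@)


def extract_login_value(cert_fields, login_name, login_filter=None):
    """Return the login-value the BIG-IP would derive, or None if it cannot.

    With no filter the whole field is used; with a filter, the first regex
    match is used. A missing field or a non-matching filter yields None,
    which is the 'no LDAP query is ever sent, auth just fails' case that a
    TCP capture on the LDAP side makes visible.
    """
    raw = cert_fields.get(login_name)
    if raw is None or not login_filter:
        return raw
    match = re.search(login_filter, raw)
    return match.group(0) if match else None


def ldap_escape(value):
    """Escape an assertion value per RFC 4515 so it cannot alter the filter."""
    out = []
    for ch in value:
        if ch in "\\*()\x00":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def build_search_filter(cert_fields, login_name, login_attribute,
                        login_filter=None):
    """Build the SearchRequest filter you would expect to see on the wire."""
    value = extract_login_value(cert_fields, login_name, login_filter)
    if value is None:
        return None
    return "(%s=%s)" % (login_attribute, ldap_escape(value))


def demo():
    """Run the thread's three configurations plus two failure/abuse cases."""
    cases = [
        ("ten_digit_cn", "CN", "sAMAccountName", TEN_DIGIT_FILTER),
        ("upn_san", "altSubjectName=Othername", "sAMAccountName",
         UPN_LOCALPART_FILTER),
        ("email_subject", "Subject/emailAddress", "userPrincipalName", None),
        ("no_match", "CN", "sAMAccountName", TEN_DIGIT_FILTER),
        ("hostile_cn", "CN", "sAMAccountName", None),
    ]
    results = {}
    for name, login_name, attr, flt in cases:
        results[name] = build_search_filter(SAMPLE_CERTS[name], login_name,
                                            attr, flt)
    return results


if __name__ == "__main__":
    for name, ldap_filter in demo().items():
        print("%-14s -> %s" % (name, ldap_filter))
```

The "hostile_cn" case shows why a tight login-filter such as \d{10} is worth keeping even when the CA is trusted: with no filter, the only thing standing between a crafted CN and a rewritten query is the escaping, whereas the filter reduces the value to exactly the characters you expect. The "no_match" case is the silent failure to look for when the capture shows an OCSP exchange but no LDAP SearchRequest at all.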
- Jose_01_133106
Nimbostratus
Thank you Michael, I will give it another try once I get access to 11.6. It does not seem available from the downloads website. I will update the post once I get a chance to test it.
- MichaelatF5
Employee
11.6 is tentatively set to be released August/September time frame. Contact your account team for instructions on how to sign up for Early Access if this is a critical feature for you.