Remote User Management - LDAP Client Cert
Greetings,
My configuration is far simpler than yours; I'll post it below. For me, the ssldump output wasn't very helpful. I used both the /var/log/httpd/httpd_errors and /var/log/secure logs to troubleshoot.

BIG-IP config:
list sys httpd
sys httpd {
ssl-ca-cert-file /Common/bigip_ca
ssl-ocsp-default-responder http://172.24.171.29:2345
ssl-ocsp-enable on
ssl-ocsp-override-responder on
ssl-verify-client require
}
list auth cert-ldap
auth cert-ldap system-auth {
bind-dn cn=admin,dc=ldap,dc=test,dc=net
bind-pw $M$nq$CDOcADlm/Mkwy8MIU1/eLg==
login-attribute uid
login-filter "[a-z]{5}"
login-name cn
search-base-dn ou=People,dc=ldap,dc=test,dc=net
servers { 172.24.171.2 }
sso on
}
LDAP entry:
kevin, People, ldap.test.net
dn: uid=kevin,ou=People,dc=ldap,dc=test,dc=net
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: kevin
cn: kevin
displayName: kevin
SSL certificate:
Subject: C=US, ST=Washington, L=Seattle, O=Example, OU=Example BIGIP Admins, CN=kevin
Hope this is helpful!
Kevin
- Dev_56330 Jan 18, 2018
I have continued to look at the httpd logs though below is all I get.
Jan 18 05:42:05 ip-10-10-10-10 err httpd[5837]: [error] [client 10.1.20.25] Re-negotiation handshake failed: Not accepted by client!?, referer: https://bigip1.ad.lab/xui/
Jan 18 05:42:06 ip-10-10-10-10 err httpd[5837]: [error] [client 10.1.20.25] Re-negotiation handshake failed: Not accepted by client!?, referer: https://bigip1.ad.lab/tmui/Control/form?__handler=/tmui/system/user/authconfig&__source=finished&__linked=false&__fromError=false
Jan 18 05:42:06 ip-10-10-10-10 err httpd[5837]: [error] [client 10.1.20.25] Re-negotiation handshake failed: Not accepted by client!?, referer: https://bigip1.ad.lab/tmui/Control/form?__handler=/tmui/system/user/authconfig&__source=finished&__linked=false&__fromError=false
Jan 18 05:42:06 ip-10-10-10-10 err httpd[5837]: [error] [client 10.1.20.25] Re-negotiation handshake failed: Not accepted by client!?, referer: https://bigip1.ad.lab/tmui/Control/form?__handler=/tmui/system/user/authconfig&__source=finished&__linked=false&__fromError=false
- Kevin_K_51432 Jan 18, 2018 (Historic F5 Account)
Definitely SSL related. So, a few SSL related things I ran into:
1) Ensure the OCSP service is up and reachable.
2) Ensure you are using SHA256 for signing.
3) Ensure the CA cert has the "extendedKeyUsage = OCSPSigning" extension.
4) Ensure the CA cert is in the certificate database. httpd checks the CA cert first for some reason.
Hope these points offer some help!
Kevin
- Dev_56330 Jan 18, 2018
Thank you Kevin. It is now working. The 4 issues that I think bit me are below.
- In my lab environment I did not add OCSP to the AIA extension of the CA. I reissued the cert once that was added and then ran certutil -URL path\dev.cer, which validated the certificate against my OCSP responder.
- Imported CA cert in PEM format. (Base64)
- Configured OCSP override on the BIG-IP client-cert ldap config.
- Enabled Nonce support on my OCSP responder.
Unfortunately my frustration led me to modify all four without trying to determine which of them actually resolved it. Nonetheless, thank you for taking the time to respond to my question. Your input is greatly appreciated.
- malexander Jan 02, 2025
Long ago post, but I wanted to comment that after a very frustrating week of working with this I found in the openssl ocsp man page that response verification requires that the issuer of the response is also the issuer of the certificate. So if you overload a hierarchy with just the one OCSP responder it could never pass. From their page you can run openssl to create a new PEM that has trusted extensions for the issuer of the OCSP responder.
openssl x509 -in ocspCA.pem -addtrust OCSPSigning -out trustedCA.pem
And F5 / LTM will not do the LDAP authentication with ssl-ocsp-enable set to "off". It will just skip the LDAP lookup.
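The trust problem malexander describes, and the openssl-ocsp(1) fix he quotes, reproduced end to end as an added example (this is not code from the thread, from F5 or from OpenSSL's documentation). It also exercises two of Kevin's checks, SHA-256 signing and the OCSPSigning extended key usage. Everything is constructed locally: two throwaway roots (ca, which issues the admin's client cert, and ocspCA, a separate root behind a "global" responder), a client cert for CN=kevin, two responder certs, and openssl's own file-mode responder (-reqin/-respout) standing in for the lab's OCSP service. Names, serials and paths are assumptions for the demo, not anything from the posters' environments.

```shell
#!/usr/bin/env bash
# Added example, not code from the thread or from F5: reproduce offline, with
# only the openssl CLI, the OCSP trust failure malexander describes and the
# openssl-ocsp(1) fix he quotes, plus two of Kevin's checks (SHA-256 signing,
# the OCSPSigning EKU). Every name (ca, ocspCA, kevin, ocsp.example, serials)
# is constructed for the demo.
set -eu

WORK=$(mktemp -d)
cd "$WORK"

# Minimal req config so the demo does not depend on the system openssl.cnf.
printf '[ req ]\ndistinguished_name = dn\n[ dn ]\n' > req.cnf

# Fresh P-256 key and CSR named "$1" with subject "$2".
keycsr() {
  openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -config req.cnf -keyout "$1.key" -out "$1.csr" -subj "$2" 2>/dev/null
}

# Self-signed root CA named "$1".
mkca() {
  keycsr "$1" "/CN=$1"
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$1.ext"
  openssl x509 -req -in "$1.csr" -signkey "$1.key" -sha256 -days 30 \
    -extfile "$1.ext" -out "$1.crt" 2>/dev/null
}

# End-entity cert "$1" issued by CA "$2" with EKU "$3", serial "$4", subject "$5".
issue() {
  keycsr "$1" "$5"
  printf 'keyUsage=critical,digitalSignature\nextendedKeyUsage=%s\n' "$3" > "$1.ext"
  openssl x509 -req -in "$1.csr" -CA "$2.crt" -CAkey "$2.key" -set_serial "$4" \
    -sha256 -days 30 -extfile "$1.ext" -out "$1.crt" 2>/dev/null
}

ADMIN_SUBJ='/C=US/ST=Washington/L=Seattle/O=Example/OU=Example BIGIP Admins/CN=kevin'
mkca ca                                                     # issues the admin's client cert
mkca ocspCA                                                 # separate root behind a "global" responder
issue kevin      ca     clientAuth  0x1001 "$ADMIN_SUBJ"    # the BIG-IP admin (CN=kevin)
issue ocsp-good  ca     OCSPSigning 0x2001 /CN=ocsp.example # responder delegated by ca itself
issue ocsp-other ocspCA OCSPSigning 0x3001 /CN=ocsp.example # responder under the other root

# openssl-ca style index the responder consults: status, expiry, revocation date
# (empty for a valid entry), serial, file, subject.
printf 'V\t991231235959Z\t\t1001\tunknown\t%s\n' "$ADMIN_SUBJ" > index.txt

# Client side (what httpd on the BIG-IP does): an OCSP request for kevin.crt with a nonce.
openssl ocsp -issuer ca.crt -cert kevin.crt -nonce -reqout req.der >/dev/null 2>&1

# Responder side: answer req.der from index.txt, signing with "$1", writing "$2".
# The request's nonce is echoed back in the response.
respond() {
  openssl ocsp -index index.txt -CA ca.crt -rsigner "$1.crt" -rkey "$1.key" -rmd sha256 \
    -no_nonce -reqin req.der -respout "$2" >/dev/null 2>&1
}
respond ocsp-good  resp-good.der
respond ocsp-other resp-other.der

# Client side: verify response "$1" against trust store "$2"; prints OK or FAIL.
verify() {
  local out
  out=$(openssl ocsp -respin "$1" -issuer ca.crt -cert kevin.crt -no_nonce -CAfile "$2" 2>&1 || true)
  case "$out" in *'Response verify OK'*) echo OK ;; *) echo FAIL ;; esac
}

# Kevin's check 3: does "$1" carry extendedKeyUsage = OCSPSigning? Prints yes or no.
has_ocsp_eku() {
  local eku
  eku=$(openssl x509 -in "$1" -noout -ext extendedKeyUsage 2>/dev/null || true)
  case "$eku" in *'OCSP Signing'*) echo yes ;; *) echo no ;; esac
}

# Kevin's check 2: the algorithm "$1" was signed with, e.g. ecdsa-with-SHA256.
sig_alg() {
  openssl x509 -in "$1" -noout -text | awk '/Signature Algorithm/ && !seen { print $3; seen = 1 }'
}

# 1) Responder cert from the same CA as kevin.crt, with the OCSPSigning EKU: verifies.
verify resp-good.der ca.crt          # OK

# 2) Responder under a different root. Even with that root in the store the response
#    fails: the responder is neither kevin.crt's issuer nor delegated by that issuer.
cat ca.crt ocspCA.crt > both.pem
verify resp-other.der both.pem       # FAIL ("root CA not trusted" in the openssl output)

# 3) The openssl-ocsp(1) fix: mark the responder's root as trusted for OCSP signing.
openssl x509 -in ocspCA.crt -addtrust OCSPSigning -out trustedCA.pem
verify resp-other.der trustedCA.pem  # OK

has_ocsp_eku ocsp-good.crt           # yes
has_ocsp_eku kevin.crt               # no
sig_alg kevin.crt                    # ecdsa-with-SHA256
```

Case 2 is the situation malexander hit: the responder's chain verifies, but the signer is neither the certificate's issuer nor a delegate of it, so openssl falls through to the explicit-trust check on the responder's root and fails with "root CA not trusted". Case 3 is the man-page recipe: trustedCA.pem is the same ocspCA certificate with OCSPSigning trust settings attached, and it has to be the copy that the verifying side loads as its trust store. The has_ocsp_eku check is what would catch a responder cert that lacks the extension from Kevin's point 3; the verifier will not accept a delegated responder without it even when it is issued by the right CA.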
- Kevin_K_51432 Jan 18, 2018 (Historic F5 Account)
I'm really happy to hear this is working for you and congratulations, this was no easy feat! =)
Thanks also for letting us know.
Kevin