Forum Discussion
Dev_56330
Cirrus
Jan 15, 2018
Remote User Management - LDAP Client Cert
Has anyone successfully deployed LDAP using client cert authentication to the BIG-IP TMUI? I see the guide though it is not very intuitive so I was curious if anyone would be willing to share their ...
Kevin_K_51432
Jan 18, 2018
Historic F5 Account
Greetings,
My configuration is far simpler than yours; I'll post it below. For me, the ssldump output wasn't very helpful. I used both the /var/log/httpd/httpd_errors and /var/log/secure logs to troubleshoot.
BIG-IP config:
list sys httpd
sys httpd {
ssl-ca-cert-file /Common/bigip_ca
ssl-ocsp-default-responder http://172.24.171.29:2345
ssl-ocsp-enable on
ssl-ocsp-override-responder on
ssl-verify-client require
}
list auth cert-ldap
auth cert-ldap system-auth {
bind-dn cn=admin,dc=ldap,dc=test,dc=net
bind-pw $M$nq$CDOcADlm/Mkwy8MIU1/eLg==
login-attribute uid
login-filter "[a-z]{5}"
login-name cn
search-base-dn ou=People,dc=ldap,dc=test,dc=net
servers { 172.24.171.2 }
sso on
}
LDAP entry:
kevin, People, ldap.test.net
dn: uid=kevin,ou=People,dc=ldap,dc=test,dc=net
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: kevin
cn: kevin
displayName: kevin
SSL certificate:
Subject: C=US, ST=Washington, L=Seattle, O=Example, OU=Example BIGIP Admins, CN=kevin
Hope this is helpful!
Kevin
Dev_56330
Cirrus
Jan 18, 2018
I have continued to look at the httpd logs, though below is all I get.
Jan 18 05:42:05 ip-10-10-10-10 err httpd[5837]: [error] [client 10.1.20.25] Re-negotiation handshake failed: Not accepted by client!?, referer: https://bigip1.ad.lab/xui/
Jan 18 05:42:06 ip-10-10-10-10 err httpd[5837]: [error] [client 10.1.20.25] Re-negotiation handshake failed: Not accepted by client!?, referer: https://bigip1.ad.lab/tmui/Control/form?__handler=/tmui/system/user/authconfig&__source=finished&__linked=false&__fromError=false
Jan 18 05:42:06 ip-10-10-10-10 err httpd[5837]: [error] [client 10.1.20.25] Re-negotiation handshake failed: Not accepted by client!?, referer: https://bigip1.ad.lab/tmui/Control/form?__handler=/tmui/system/user/authconfig&__source=finished&__linked=false&__fromError=false
Jan 18 05:42:06 ip-10-10-10-10 err httpd[5837]: [error] [client 10.1.20.25] Re-negotiation handshake failed: Not accepted by client!?, referer: https://bigip1.ad.lab/tmui/Control/form?__handler=/tmui/system/user/authconfig&__source=finished&__linked=false&__fromError=false
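As an added example (not code from this thread and not F5's implementation), the Python below simulates the certificate-to-LDAP mapping that Kevin's `auth cert-ldap` configuration describes: read the `login-name` attribute (cn) from the client certificate subject, apply the `login-filter` regex, and search `search-base-dn` for an entry whose `login-attribute` (uid) equals the result. The exact semantics of `login-filter` (assumed here: the text matched by the regex becomes the login, and no match rejects the certificate), the subject-string parser, and the in-memory stand-in for the directory on 172.24.171.2 are assumptions. Note that the "Re-negotiation handshake failed" lines above are a TLS-layer failure: if the renegotiation never completes, httpd receives no client certificate and this mapping is never reached.

```python
import re
from typing import Dict, List, Optional

# Constructed copy of the tmsh "auth cert-ldap system-auth" settings posted above.
CERT_LDAP = {
    "login-name": "CN",             # subject attribute the login is read from
    "login-filter": r"[a-z]{5}",    # regex applied to that attribute (assumed: match is extracted)
    "login-attribute": "uid",       # LDAP attribute the result is matched against
    "search-base-dn": "ou=People,dc=ldap,dc=test,dc=net",
}

# Constructed in-memory stand-in for the directory on 172.24.171.2: the
# entry from the post plus one extra account (assumption, for illustration).
DIRECTORY: List[Dict[str, str]] = [
    {"dn": "uid=kevin,ou=People,dc=ldap,dc=test,dc=net", "uid": "kevin", "cn": "kevin"},
    {"dn": "uid=admin,ou=People,dc=ldap,dc=test,dc=net", "uid": "admin", "cn": "admin"},
]


def parse_subject(subject: str) -> Dict[str, str]:
    """Split an OpenSSL-style 'C=US, ST=Washington, ..., CN=kevin' subject
    into a dict keyed by attribute type. Values containing ', ' are not
    handled; the posted subject has none."""
    attrs: Dict[str, str] = {}
    for rdn in subject.split(", "):
        key, _, value = rdn.partition("=")
        attrs[key.strip().upper()] = value.strip()
    return attrs


def extract_login(subject: str, cfg: Dict[str, str] = CERT_LDAP) -> Optional[str]:
    """Apply login-name and login-filter. Assumed semantics: the part of the
    chosen attribute matched by the filter regex becomes the login; no match
    means the certificate is rejected before LDAP is contacted."""
    value = parse_subject(subject).get(cfg["login-name"].upper())
    if value is None:
        return None
    m = re.search(cfg["login-filter"], value)
    return m.group(0) if m else None


def ldap_escape(value: str) -> str:
    """RFC 4515 escaping, so a crafted certificate value cannot change the
    shape of the search filter (LDAP injection)."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def ldap_unescape(value: str) -> str:
    """Inverse of ldap_escape; used only by the in-memory search below."""
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def build_filter(login: str, cfg: Dict[str, str] = CERT_LDAP) -> str:
    """Equality filter on login-attribute, e.g. '(uid=kevin)'."""
    return "(%s=%s)" % (cfg["login-attribute"], ldap_escape(login))


def search(filter_str: str, cfg: Dict[str, str] = CERT_LDAP,
           directory: List[Dict[str, str]] = DIRECTORY) -> List[Dict[str, str]]:
    """Stand-in for a subtree search under search-base-dn with a single
    equality filter; the unescaped value is compared literally, as a real
    server would, so escaped metacharacters never act as wildcards."""
    m = re.fullmatch(r"\((\w+)=(.*)\)", filter_str)
    if not m:
        return []
    attr, value = m.group(1), ldap_unescape(m.group(2))
    base = "," + cfg["search-base-dn"]
    return [e for e in directory if e["dn"].endswith(base) and e.get(attr) == value]


def authenticate(subject: str) -> Optional[str]:
    """Whole chain: subject -> login -> filter -> DN of the single matching
    entry, or None when the certificate maps to no (or more than one) user."""
    login = extract_login(subject)
    if login is None:
        return None
    hits = search(build_filter(login))
    return hits[0]["dn"] if len(hits) == 1 else None


if __name__ == "__main__":
    posted = "C=US, ST=Washington, L=Seattle, O=Example, OU=Example BIGIP Admins, CN=kevin"
    print(authenticate(posted))
```

Two things to check against your own setup with this: that the subject attribute named by `login-name` really carries the value you expect (here CN=kevin, not the OU), and that `login-filter` accepts it (a five-letter lowercase pattern rejects `Kevin`, `kv`, or a CN containing the user's full name). The escaping in `build_filter` matters once the filter is loosened: a subject value is attacker-chosen only if your CA issues certificates to untrusted parties, but escaping keeps the search filter well-formed regardless.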