Forum Discussion
Dev_56330
Cirrus
CirrusRemote User Management - LDAP Client Cert
Has anyone successfully deployed LDAP using client cert authentication to the BIG-IP TMUI? I see the guide though it is not very intuitive so I was curious if anyone would be willing to share their ...
Greetings,
My configuration is far simpler than yours, I'll post it below. For me, the ssldump output wasn't very helpful. I used both the /var/log/httpd/httpd_errors and /var/log/secure logs to troubleshoot.BIG-IP config:
list sys httpd
sys httpd {
ssl-ca-cert-file /Common/bigip_ca
ssl-ocsp-default-responder http://172.24.171.29:2345
ssl-ocsp-enable on
ssl-ocsp-override-responder on
ssl-verify-client require
}
list auth cert-ldap
auth cert-ldap system-auth {
bind-dn cn=admin,dc=ldap,dc=test,dc=net
bind-pw $M$nq$CDOcADlm/Mkwy8MIU1/eLg==
login-attribute uid
login-filter "[a-z]{5}"
login-name cn
search-base-dn ou=People,dc=ldap,dc=test,dc=net
servers { 172.24.171.2 }
sso on
}
LDAP entry:
kevin, People, ldap.test.net
dn: uid=kevin,ou=People,dc=ldap,dc=test,dc=net
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: kevin
cn: kevin
displayName: kevin
SSL certificate:
Subject: C=US, ST=Washington, L=Seattle, O=Example, OU=Example BIGIP Admins, CN=kevin
Hope this is helpful!
KevinDefintely SSL related. So, a few SSL related things I ran into:
1) Ensure the OCSP service up and reachable.
2) Ensure you are using SHA256 for signing.
3) Ensure the CA cert has the "extendedKeyUsage = OCSPSigning" extension.
4) Ensure the CA cert is in the certificate database. httpd checks the CA cert first for some reason.
Hope these points offer some help!
Kevin