Forum Discussion
Remote User Management - LDAP Client Cert
Greetings,
My configuration is far simpler than yours, I'll post it below. For me, the ssldump output wasn't very helpful. I used both the /var/log/httpd/httpd_errors and /var/log/secure logs to troubleshoot.
BIG-IP config:
list sys httpd
sys httpd {
ssl-ca-cert-file /Common/bigip_ca
ssl-ocsp-default-responder http://172.24.171.29:2345
ssl-ocsp-enable on
ssl-ocsp-override-responder on
ssl-verify-client require
}
list auth cert-ldap
auth cert-ldap system-auth {
bind-dn cn=admin,dc=ldap,dc=test,dc=net
bind-pw $M$nq$CDOcADlm/Mkwy8MIU1/eLg==
login-attribute uid
login-filter "[a-z]{5}"
login-name cn
search-base-dn ou=People,dc=ldap,dc=test,dc=net
servers { 172.24.171.2 }
sso on
}
LDAP entry:
kevin, People, ldap.test.net
dn: uid=kevin,ou=People,dc=ldap,dc=test,dc=net
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: kevin
cn: kevin
displayName: kevin
SSL certificate:
Subject: C=US, ST=Washington, L=Seattle, O=Example, OU=Example BIGIP Admins, CN=kevin
Hope this is helpful!
Kevin

Thank you Kevin. It is now working. The 4 issues that I think bit me are below.
- In my lab environment I did not add OCSP to the AIA extension of the CA. I reissued the cert once added and then ran certutil -URL path\dev.cer. Validated the certificate against my OCSP responder.
- Imported CA cert in PEM format. (Base64)
- Configured OCSP override on the BIG-IP client-cert ldap config.
- Enabled Nonce support on my OCSP responder.
Unfortunately my frustration led me to modify all four without trying to determine which of them actually resolved it. Nonetheless, thank you for taking the time to respond to my question. Your input is greatly appreciated.
- malexander

Jan 02, 2025
Nimbostratus
Long ago post but I wanted to comment that after a very frustrating week of working with this I found the openssl ocsp man page response verification requires the issuer of the response is also the issuer of the certificate. So if you overload a hierarchy with just the one OCSP responder it could never pass. From their page you can run openssl to create a new PEM that has trusted extensions for the issuer of the OCSP responder.
openssl x509 -in ocspCA.pem -addtrust OCSPSigning -out trustedCA.pem
And F5 / LTM will not do the LDAP authentication with ssl-ocsp-enable set to "off". It will just skip the LDAP lookup.
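The acceptance rule the last post describes, as an added example that is not part of the thread and is not F5 or OpenSSL code: a toy Python model of which certificate may sign an OCSP response for a given end-entity certificate (RFC 6960, section 4.2.2.2). It walks through the case the post complains about, one responder certificate shared across a hierarchy with two issuing CAs, and then the effect of rewriting the responder's CA PEM with an explicit OCSPSigning trust setting. The hierarchy, the second issuing CA and the "alice" admin are constructed for the example, no signatures are checked, and the third rule is a simplification of how OpenSSL honours explicit trust purposes.

```python
"""Toy model of OCSP response-signer acceptance (RFC 6960, section 4.2.2.2).

Constructed example; not F5 or OpenSSL code. Names stand in for certificates
and no signatures are verified. It shows why one responder shared across a CA
hierarchy is rejected for certificates from the other issuing CA, and how an
explicit OCSPSigning trust setting (openssl x509 -addtrust OCSPSigning) changes
the outcome.
"""
from dataclasses import dataclass

OCSP_SIGNING = "OCSPSigning"  # id-kp-OCSPSigning extended key usage / trust purpose


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    eku: frozenset = frozenset()    # extended key usages
    trust: frozenset = frozenset()  # explicit trust purposes (what -addtrust sets)


def chain_of(cert: Cert, store: dict[str, Cert]) -> list[Cert]:
    """Follow issuer links through `store` until a self-signed cert or a gap."""
    chain = [cert]
    while chain[-1].subject != chain[-1].issuer:
        parent = store.get(chain[-1].issuer)
        if parent is None:
            break
        chain.append(parent)
    return chain


def responder_accepted(target: Cert, signer: Cert, store: dict[str, Cert]) -> tuple[bool, str]:
    """Decide whether `signer` may vouch for `target`; returns (accepted, reason)."""
    # 1. Signed by the CA that issued the target certificate.
    if signer.subject == target.issuer:
        return True, "signed by the target's issuer"
    # 2. Delegated responder: issued by that same CA and marked OCSPSigning.
    if signer.issuer == target.issuer and OCSP_SIGNING in signer.eku:
        return True, "delegated responder issued by the target's issuer"
    # 3. Explicit local trust: a certificate in the responder's chain carries
    #    an OCSPSigning trust setting (simplification of OpenSSL's behaviour).
    if any(OCSP_SIGNING in c.trust for c in chain_of(signer, store)):
        return True, "responder chain explicitly trusted for OCSP signing"
    return False, "responder is neither the issuer, nor delegated by it, nor trusted"


def add_trust(cert: Cert, purpose: str) -> Cert:
    """Model of `openssl x509 -in ca.pem -addtrust <purpose> -out trusted.pem`."""
    return Cert(cert.subject, cert.issuer, cert.eku, cert.trust | {purpose})


# Constructed hierarchy (not from the thread): one root, two issuing CAs, and a
# single responder certificate issued by Issuing CA A only.
ROOT = Cert("CN=Root CA", "CN=Root CA")
CA_A = Cert("CN=Issuing CA A", "CN=Root CA")
CA_B = Cert("CN=Issuing CA B", "CN=Root CA")
RESPONDER = Cert("CN=OCSP Responder", "CN=Issuing CA A", eku=frozenset({OCSP_SIGNING}))
ADMIN_A = Cert("CN=kevin", "CN=Issuing CA A")   # like the thread's Subject CN=kevin
ADMIN_B = Cert("CN=alice", "CN=Issuing CA B")   # constructed second admin


def demo() -> dict[str, bool]:
    store = {c.subject: c for c in (ROOT, CA_A, CA_B)}
    # Same store, but Issuing CA A's PEM has been rewritten with -addtrust OCSPSigning.
    trusted = {**store, CA_A.subject: add_trust(CA_A, OCSP_SIGNING)}
    return {
        "admin_a_default": responder_accepted(ADMIN_A, RESPONDER, store)[0],
        "admin_b_default": responder_accepted(ADMIN_B, RESPONDER, store)[0],
        "admin_b_addtrust": responder_accepted(ADMIN_B, RESPONDER, trusted)[0],
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'accepted' if ok else 'rejected'}")
```

Running it shows the responder accepted for kevin (delegated by the same issuing CA), rejected for alice (her issuer never vouched for this responder), and accepted for alice once the responder's CA carries the explicit OCSPSigning trust purpose, which is the change the post's openssl command makes to the PEM file.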