Forum Discussion
SSL client certificate LDAP Authentication Question
Hi all
In a bid to try to understand some of the lesser documented and possibly implemented features of LTM, I have been testing out the various authentication features LTM has to offer. I am at a point where one of them - SSL client certificate LDAP authentication - has left me a little stumped. I can get the feature to work at a basic level, that is, the client presents a certificate, the LTM extracts the username from the cert, performs a bind to LDAP and authenticates the user successfully. What I wish to do now is ensure that the client is part of a specific AD group before granting permission to resources.
I believe the *Group Base DN* and *Valid Groups* settings are what I need to focus on. However, regardless of what I enter here, I cannot get this to work. My thinking is that the Group Base DN should contain a value similar to this:
CN=Sales,CN=Users,DC=company,DC=com
Where 'Sales' is an AD group the users I wish to authenticate are part of. I then add the keyword 'Sales' to the Valid Groups box, for a final config like so:
ltm auth ssl-cc-ldap LAB-SSL-LDAP-CONFIG {
    admin-dn CN=Administrator,CN=Users,DC=lab,DC=com
    admin-password
    group-base CN=Sales,CN=Users,DC=lab,DC=com
    servers { }
    user-base CN=Users,DC=lab,DC=com
    user-key sAMAccountName
    valid-groups { Sales }
}
Yet, with this config it fails and the Wireshark trace I take doesn't actually provide much clue. In fact I can't even see the LTM attempt to query LDAP for the 'Sales' group.
Any idea on where I'm going wrong? Has anyone tried this out successfully?
Thanks
- Cristian_Gal_12 (Nimbostratus)
Check /var/log/secure for errors and use ldapsearch from CLI to see how LDAP gives you the group, after that adjust the profile.
- Kevin_K_51432 (Historic F5 Account)
Greetings. Is this the Remote-ClientCert LDAP option in the UI? I believe the first step is to make an OCSP call to validate the certificate revocation status.
If OCSP Override is enabled (the default), BIG-IP parses the SSL certificate for an OCSP responder; if off, BIG-IP follows the configured OCSP server.
OCSP Override Specifies whether the system uses the OCSP Responder to override the CA certificate to authenticate/authorize logon operations. The default is off.
Kevin
Hello both
Thank you for your responses, and apologies for the way I formatted my original post. I have managed to get it to work. For those reading this in the future this is my final config:
ltm auth ssl-cc-ldap LAB-SSL-LDAP-CONFIG {
    admin-dn CN=Administrator,CN=Users,DC=lab,DC=com
    admin-password
    group-base CN=Sales,CN=Users,DC=lab,DC=com
    group-key sAMAccountName
    group-member-key member
    servers { }
    user-base CN=Users,DC=lab,DC=com
    user-key sAMAccountName
    valid-groups { Sales }
}
As you can see from my original post, I was missing some key attributes in the config, namely the Group Key and Group Member Key attributes. Once I added these in, it worked. I traced the flow using Wireshark and can see the LTM sending the search request to LDAP. If we take that request and try it manually using ldapsearch, it gives back a positive result. That command, for reference, is:
ldapsearch -H ldap:// -x -b DC=lab,DC=com -D CN=Administrator,CN=Users,DC=lab,DC=com -w "(&(member=CN=,CN=Users,DC=lab,DC=com)(sAMAccountName=Sales))"
Thank you
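The group-membership search described above, as an added Python example (not code from the post or from F5): it builds the filter from the profile's group-key, group-member-key and valid-groups settings with RFC 4515 escaping of the user DN, and emits the matching ldapsearch argv. The host dc01.lab.example and the sample user DN are constructed assumptions.

```python
# Added example (not from the post or from F5): build the group-membership search
# that the ssl-cc-ldap profile issues from its group-key / group-member-key /
# valid-groups settings, escaping the user DN per RFC 4515 so a CN containing
# '(' or '*' cannot alter the filter. Profile values and the sample user DN
# below are constructed to mirror the thread's config.
import shlex

# RFC 4515 section 3: characters that must be escaped inside a filter value.
_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}


def escape_filter_value(value: str) -> str:
    """Escape a string for use as an LDAP search-filter assertion value."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def group_check_filter(user_dn, group_key, group_member_key, valid_groups):
    """Filter matching any valid group whose member attribute lists user_dn.

    With group-key sAMAccountName, group-member-key member and valid-groups
    { Sales } this yields (&(member=<user DN>)(sAMAccountName=Sales)), the
    search the thread reproduces with ldapsearch.
    """
    if not valid_groups:
        raise ValueError("valid-groups must not be empty")
    member = f"({group_member_key}={escape_filter_value(user_dn)})"
    terms = [f"({group_key}={escape_filter_value(g)})" for g in valid_groups]
    groups = terms[0] if len(terms) == 1 else "(|" + "".join(terms) + ")"
    return f"(&{member}{groups})"


def ldapsearch_argv(host, base, admin_dn, filt):
    """argv to replay the search by hand; -W prompts for the bind password."""
    return ["ldapsearch", "-H", f"ldap://{host}", "-x", "-W",
            "-b", base, "-D", admin_dn, filt, "dn"]


if __name__ == "__main__":
    # Constructed sample: a user DN with parentheses, as derived from the cert.
    user = "CN=alice (sales),CN=Users,DC=lab,DC=com"
    filt = group_check_filter(user, "sAMAccountName", "member", ["Sales"])
    print(filt)
    print(shlex.join(ldapsearch_argv("dc01.lab.example", "DC=lab,DC=com",
                                     "CN=Administrator,CN=Users,DC=lab,DC=com",
                                     filt)))
```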