Forum Discussion
SSL Client certificate LDAP authentication
I'd like to configure the BIG-IP LTM to authenticate some clients using LDAP authentication.
These clients have an SSL client certificate. The certificate is issued by a private CA built with OpenSSL.
I've tried the settings below.
----------------------------------------------------
■Virtual Server
port : tcp443
SSL Profile(Client) : PRF.SSLClient
Authentication Profiles : prf.auth.ldap
■SSL Profile(Client) : PRF.SSLClient
Certificate : My server certificate
Key : My server key
Trusted Certification Authorities : root certificate of my private CA
Client Certificate : require
Certificate Chain Traversal Depth : 1
Advertised Certificate Authorities : root certificate of my private CA
■Profile Authentication : Configuration
Name : auth.ldap
Type : SSL Client Certificate LDAP
Host : My LDAP Server IP address
Search Type : User
User Base DN : ou=People,dc=f5,dc=com
User Key : uid
■Profile Authentication : Authentication
Name : prf.auth.ldap
Type : SSL Client Certificate LDAP
Parent Profile : ssl_cc_ldap
Configuration : auth.ldap
----------------------------------------------------
When I took a capture on the BIG-IP LTM, the LDAP server returned correct responses (e.g. result code: success(0)).
So I think the LDAP server does not seem to be the cause of this status. But the client's HTTPS access returned an error page.
This error page showed that the connection was reset.
Could you tell me how I can work around this status?
6 Replies
- hoolio
Cirrostratus
Hi Ko,
What error does the client receive? Are you testing with a cert that the LDAP server shows is valid?
Aaron
- ko_48793
Nimbostratus
Thank you, Aaron.
After the client sent an SSL client certificate, the client receives a FIN packet sent by the BIG-IP.
I don't put a cert on the LDAP server. Does LDAP client authentication need a cert on the LDAP server?
- Kevin_Stewart
Employee
If you're seeing an LDAP query then you've made it past the SSL handshake. In your capture, you should see the successful bind, then the request (query), and a response. The response should show a returned value for the given query, not just success(0). If the LDAP query doesn't return a value, ACA shuts down the connection.
The certificate LDAP mechanism in ACA is wired to extract and match the certificate CN to the LDAP/AD attribute that you specify.
- ko_48793
Nimbostratus
Thanks, Stewart.
The LDAP response has the objectName, with data like "uid=user1, ou=People, dc=f5, dc=com".
The CN value of the client cert is "user1", and the LDAP request is "ou=People, dc=f5, dc=com" with "Filter (uid=user1)".
In the web management view, the "Handshake Failures" statistic of the client SSL profile counted up.
Should I think it's an error in accelerating the client cert?
- Kevin_Stewart
Employee
While there may be an issue with your client SSL profile, the fact that you're getting to the LDAP query means that you're successfully negotiating. Do you have a server SSL profile? Are there any logs generated other than the stats counter? Do you see any traffic leave the BIG-IP headed for the server?
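The lookup the thread describes (certificate CN matched against the uid attribute under ou=People,dc=f5,dc=com, with an empty result closing the connection), reproduced as an added example that is not from the thread or from F5. The base DN and user key are the profile values above; the subjects, the directory entries and the function names are constructed for the example.

```python
# Added example, not from the thread or from F5: reproduce the lookup that the
# "SSL Client Certificate LDAP" profile performs, so the CN-to-uid match can be
# checked outside BIG-IP. Base DN and key come from the thread; the subjects
# and directory entries below are constructed sample data.
import re

USER_BASE_DN = "ou=People,dc=f5,dc=com"   # "User Base DN" in the profile
USER_KEY = "uid"                          # "User Key" in the profile

# RFC 4515 escapes: these characters would otherwise change the filter's meaning.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}

# Constructed directory: (dn, attributes) pairs standing in for the LDAP server.
SAMPLE_DIRECTORY = [
    ("uid=user1,ou=People,dc=f5,dc=com", {"uid": "user1", "cn": "User One"}),
    ("uid=user2,ou=Service,dc=f5,dc=com", {"uid": "user2", "cn": "User Two"}),
]

def ldap_filter_escape(value):
    """Escape a value before embedding it in an LDAP search filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)

def cn_from_subject(subject):
    """Return the CN from an RFC 4514 subject string, or None if absent.
    Commas escaped with a backslash inside a value stay part of the value."""
    for rdn in re.split(r"(?<!\\),", subject):
        attr, sep, value = rdn.strip().partition("=")
        if sep and attr.strip().upper() == "CN":
            return value.strip().replace("\\,", ",")
    return None

def build_filter(cn):
    """Return the equality filter the profile issues under USER_BASE_DN."""
    return "(%s=%s)" % (USER_KEY, ldap_filter_escape(cn))

def lookup(subject, directory=SAMPLE_DIRECTORY):
    """Simulate the search; return the matching DN or None.
    An empty result is what makes ACA drop the client connection even
    though the bind itself returned success(0)."""
    cn = cn_from_subject(subject)
    if cn is None:
        return None
    for dn, attrs in directory:
        in_scope = dn.lower().endswith("," + USER_BASE_DN.lower())
        if in_scope and attrs.get(USER_KEY) == cn:   # escaped filter == exact match
            return dn
    return None

if __name__ == "__main__":
    for subj in ("CN=user1,OU=Clients,O=f5", "CN=user2,O=f5", "O=f5"):
        print(subj, "->", build_filter(cn_from_subject(subj) or ""), lookup(subj))
```

Running it shows user1 resolving to its DN while user2 (outside the User Base DN) and a certificate with no CN return nothing, which is the case the thread identifies as the connection being closed after a successful bind.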