LDAPS Monitor with Certificate Expiration

danielpenna
Cirrus

Hi Team,

I have been working with my AD team trying to resolve a problem where they forget to update a Domain Controller certificate and it expires, and AD LDAPS queries fail since they don't bind to expired certificates. They have requested to see if we can drop a member out of the pool if the certificate is expired (i.e., not a valid SSL cert).

I have been messing with the LDAP Health monitor, turning on the Security settings, but I don't believe this would actually check whether a certificate is valid or not. I know with server-side SSL configuration you can enable SSL authentication, but that would just stop traffic from flowing, not actually drop a member out of the pool.

Any ideas?

 

3 REPLIES

MVA
Nimbostratus

Hi, we resolved this a few years back, if I recall, by enabling "Mandatory Attributes" in the health monitor. Test against an expired cert DC with this setting enabled/disabled.

 

mikeshimkus_111
Historic F5 Account

Hi danielpenna, I think you could use an iCall script to check for a valid cert and update the pool membership accordingly:

 

https://devcentral.f5.com/articles/icall-all-new-event-based-automation-system

 

https://devcentral.f5.com/codeshare?sid=288
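To make the scripted approach concrete, here is an added example of the certificate check itself; it is not code from this thread, from the linked articles, or from F5. An iCall script would be written in tmsh Tcl; this version is a Python 3 script shaped as a BIG-IP external monitor instead, on the assumption (from the platform's documented external-monitor convention, not from this thread) that the script is invoked as `script <node-ip> <port>` and that any text on stdout marks the member up while silence marks it down. The environment variable names `MIN_DAYS_REMAINING` and `CA_FILE` are hypothetical. It goes slightly beyond the question by allowing the member to be marked down a configurable number of days before expiry, so the AD team gets a pool-side nudge before clients start failing; the default of 0 reproduces the "expired means down" behaviour asked for.

```python
#!/usr/bin/env python3
"""LDAPS pool-member check: member is UP only if a verified TLS handshake
succeeds and the server certificate has at least MIN_DAYS_REMAINING left.

Assumed external-monitor contract (not from the original thread):
  argv[1] = node IP (BIG-IP may pass IPv4 as ::ffff:a.b.c.d), argv[2] = port,
  any stdout output => member UP, no output => member DOWN.
"""
import os
import socket
import ssl
import sys
import time

LDAPS_PORT = 636


def normalize_node_ip(node_ip):
    """Strip the IPv4-mapped IPv6 prefix an external monitor may receive."""
    prefix = "::ffff:"
    return node_ip[len(prefix):] if node_ip.startswith(prefix) else node_ip


def seconds_until_expiry(not_after, now=None):
    """Seconds until the certificate's notAfter (negative once expired).
    `not_after` is in the form ssl.getpeercert() returns,
    e.g. 'Jun  1 12:00:00 2030 GMT'."""
    expiry = ssl.cert_time_to_seconds(not_after)
    if now is None:
        now = time.time()
    return expiry - now


def decide(not_after, min_days_remaining=0, now=None):
    """Return 'UP' if the certificate stays valid for at least
    `min_days_remaining` more days, otherwise 'DOWN'."""
    remaining = seconds_until_expiry(not_after, now)
    return "UP" if remaining >= min_days_remaining * 86400 else "DOWN"


def fetch_not_after(host, port, cafile=None, timeout=5.0):
    """Complete a *verified* TLS handshake with the LDAPS listener and return
    the server certificate's notAfter string.  Because verification is on,
    an expired or untrusted certificate fails the handshake itself, which is
    the same failure the AD LDAPS clients see; the caller treats it as DOWN."""
    ctx = ssl.create_default_context(cafile=cafile)
    # Pool members are addressed by IP, so skip the hostname match but keep
    # chain and validity-period verification.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_REQUIRED
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw) as tls:
            # getpeercert() returns a parsed dict only after verification.
            return tls.getpeercert()["notAfter"]


def main(argv):
    if len(argv) < 2:
        sys.stderr.write("usage: ldaps_cert_monitor.py <node-ip> [port]\n")
        return 1
    host = normalize_node_ip(argv[1])
    port = int(argv[2]) if len(argv) > 2 else LDAPS_PORT
    # Hypothetical variable names; a BIG-IP monitor's user variables are
    # exported to the script's environment.
    min_days = int(os.environ.get("MIN_DAYS_REMAINING", "0"))
    cafile = os.environ.get("CA_FILE")  # None => system trust store
    try:
        verdict = decide(fetch_not_after(host, port, cafile), min_days)
    except (ssl.SSLError, OSError) as exc:
        # Expired/untrusted cert or TCP failure: print nothing => DOWN.
        sys.stderr.write("%s:%d DOWN (%s)\n" % (host, port, exc))
        return 0
    if verdict == "UP":
        print("UP")  # any stdout output marks the member up
    else:
        sys.stderr.write("%s:%d DOWN (cert expires too soon)\n" % (host, port))
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The design point is that the verdict rests on a verified handshake rather than on parsing dates out of an unverified certificate: a DC presenting an expired, self-signed or wrong-chain certificate fails in the monitor exactly as it would for the LDAPS clients, and the member drops out of the pool before users notice.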

 

danielpenna
Cirrus

Thanks guys, will give Mel's solution a try since it's the simplest. If that doesn't work, will give Mike's a go.

 

Will supply feedback on how I go.

 

Edit: Although, reading the context help on the F5 box, Mandatory Attributes refers, I think, to the actual healthcheck returning proper LDAP attributes. I remember reading that the basic LDAP healthcheck doesn't request attributes; this must enforce that. Unsure how the expired cert checking fits in, but will give it a go.

 

Mandatory Attributes Specifies whether the target must include attributes in its response to be considered up.

 

No: Specifies that the system performs only a one-level search (based on the Filter setting), and does not require that the target returns any attributes.

 

Yes: Specifies that the system performs a sub-tree search, and if the target returns no attributes, the target is considered down.