I have been working with my AD team trying to resolve a problem where they forget to update a Domain Controller certificate, it expires, and AD LDAPS queries fail since clients don't bind to expired certificates. They have requested to see if we can drop a member out of the pool if the certificate is expired (i.e. not a valid SSL cert).
I have been messing with the LDAP health monitor, turning on the Security settings, but I don't believe this would actually check whether a certificate is valid or not. I know with a server-side SSL configuration you can enable SSL authentication, but that would just stop traffic from flowing, not actually drop a member out of the pool.
Any ideas?
Hi danielpenna, I think you could use an iCall script to check for a valid cert and update the pool membership accordingly:
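The iCall script referred to above is not reproduced in the thread. As an added example (my own code, not the poster's iCall script and not F5-supplied), the same check written as an F5 LTM external monitor script: it pulls the certificate the LDAPS member presents with openssl, fails the member if that certificate has expired (or will expire within WARN_SECONDS), and prints "UP" only when the certificate is acceptable. It assumes the external-monitor calling convention (member address in $1, possibly prefixed with ::ffff: for IPv4, port in $2, and "UP" on stdout meaning up); check those against the TMOS version in use before relying on it.

```shell
#!/bin/sh
# Added example: external monitor that marks an LDAPS pool member down when
# its server certificate is expired or about to expire. Assumptions: LTM
# passes the member address as $1 (IPv4 arrives as ::ffff:a.b.c.d) and the
# port as $2; printing "UP" marks the member up, printing nothing marks it
# down. WARN_SECONDS (default 0) lets you fail the member before expiry,
# e.g. 604800 to drop it a week early so the AD team gets a visible signal.

WARN_SECONDS="${WARN_SECONDS:-0}"
TIMEOUT_SECONDS="${TIMEOUT_SECONDS:-5}"

# LTM hands IPv4 members over as IPv4-mapped IPv6; openssl wants plain a.b.c.d.
strip_v6_prefix() {
    printf '%s\n' "$1" | sed 's/^::ffff://'
}

# Exit 0 if the PEM certificate in file $1 remains valid for at least $2
# seconds from now, 1 if it has expired or will expire within that window.
# "openssl x509 -checkend N" returns non-zero when notAfter < now + N.
cert_valid_for() {
    openssl x509 -in "$1" -noout -checkend "${2:-0}" >/dev/null 2>&1
}

# Print the leaf certificate presented by $1:$2 as PEM on stdout.
# The timeout stops a hung DC from stalling the monitor.
fetch_server_cert() {
    timeout "$TIMEOUT_SECONDS" openssl s_client -connect "$1:$2" \
        </dev/null 2>/dev/null | openssl x509 -outform PEM 2>/dev/null
}

# Exit 0 when the member at $1:$2 presents a certificate that passes
# cert_valid_for, non-zero on an expired cert or a failed handshake.
member_cert_ok() {
    tmp=$(mktemp) || return 2
    if ! fetch_server_cert "$1" "$2" > "$tmp" || [ ! -s "$tmp" ]; then
        rm -f "$tmp"
        return 2   # no certificate at all: treat as down as well
    fi
    cert_valid_for "$tmp" "$WARN_SECONDS"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Entry point when LTM invokes the monitor with address and port arguments.
if [ -n "${1:-}" ] && [ -n "${2:-}" ]; then
    host=$(strip_v6_prefix "$1")
    if member_cert_ok "$host" "$2"; then
        echo "UP"
    fi
fi
```

Install it as an external monitor (System > File Management > External Monitor Program File List, then an `ltm monitor external` object that points at it) and attach that monitor to the LDAPS pool alongside the existing LDAP monitor; the member then leaves the pool on certificate expiry without any SSL profile change on the virtual server. Because it only inspects the leaf certificate's notAfter, it does not replace chain validation; pair it with the server-side SSL authentication setting if you also want untrusted issuers rejected.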
Thanks guys, will give Mel's solution a try since it's the simplest. If that doesn't work, will give Mike's a go.
Will supply feedback on how I go.
Edit: Although, reading the context help on the F5 box, Mandatory Attributes I think refers to the actual health check returning proper LDAP attributes. I remember reading that the basic LDAP health check doesn't request attributes; this must enforce that. Unsure how the expired cert checking fits in, but will give it a go.
Mandatory Attributes Specifies whether the target must include attributes in its response to be considered up.
No: Specifies that the system performs only a one-level search (based on the Filter setting), and does not require that the target returns any attributes.
Yes: Specifies that the system performs a sub-tree search, and if the target returns no attributes, the target is considered down.