
JamesCrk
Jan 17, 2023
Solved

LDAPS vip - how to?

Based on these two articles:

https://relevantsecurity.wordpress.com/2021/04/11/ldap-channel-binding-and-load-balanced-vips/

https://support.f5.com/csp/article/K05648102

It seems MS hardening has made it difficult to load balance ldaps.

In my current setup, when I have both a client and server SSL cert in the virtual server, ldp.exe can connect successfully, but when I try to bind I get the error:

Server error: 80090346: LdapErr: DSID-0C09058A, comment: AcceptSecurityContext error, data 80090346, v4563
Error 0x80090346 Client's supplied SSPI channel bindings were incorrect.

which appears to be expected since we have these reg settings:

LDAPServerIntegrity: 1
LdapEnforceChannelBinding: 1


So I removed both the client and server SSL profiles from the VS; once I did that, I cannot connect at all:

Error 81 = ldap_set_option(hLdap, LDAP_OPT_PROTOCOL_VERSION, 3);

Wireshark shows the LDAP server requesting a client cert, not getting it, then terminating the session straight away.

Weird thing is, the VS pool has only one member, and I can successfully connect and bind directly to it on LDAPS bypassing the F5.


I suspect the issue is the dns name I connect to resolves to the IP on the F5, which of course is not the name of the actual ldap server, although I did try installing both the ldap server and f5 virtual server client ssl cert on the test machine and still didn't work. I wonder if this is actually possible to get working via F5?


4 Replies

  • Hi JamesCrk - FYI, I've asked one of my teammates to drop by your thread since there hasn't been a reply from the community just yet. 

  • Hi JamesCrk, perhaps a quick check on the hostname is doing a hosts file entry, pointing the LDAP hostname to the VIP, and seeing if that affects it?

    Can you share the VIP config otherwise to see what else might need to be adjusted?

    • JamesCrk

      Sorry, forgot to reply. We got it working using client and server SSL certs; the trick is you need all the SANs in the cert, including the IP address of the VIP, the IP address of the pool member, the domain the client connects to, the hostname of the pool member, etc.
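Because the client's channel binding token is derived from the server certificate it sees, the VIP has to present a certificate that covers every name and address on both sides of the F5, as the accepted answer describes. The following added script (not from the thread or from F5) fetches an LDAPS endpoint's certificate with Python's standard library and reports which of the required SAN entries are missing; the hostnames and IPs in REQUIRED and the sample certificates are constructed placeholders.

```python
import socket
import ssl
from ipaddress import ip_address


def san_entries(cert):
    """Split the SAN list of a cert dict (the shape returned by
    ssl.SSLSocket.getpeercert()) into DNS names and IP addresses."""
    dns, ips = set(), set()
    for kind, value in cert.get("subjectAltName", ()):
        if kind == "DNS":
            dns.add(value.lower())
        elif kind == "IP Address":
            ips.add(ip_address(value))
    return dns, ips


def missing_sans(cert, required_names):
    """Return the entries of required_names not covered by the cert's SANs.
    Hostnames match case-insensitively; IPs must appear as IP SANs."""
    dns, ips = san_entries(cert)
    missing = []
    for name in required_names:
        try:
            covered = ip_address(name) in ips
        except ValueError:  # not an IP literal, so treat it as a hostname
            covered = name.lower() in dns
        if not covered:
            missing.append(name)
    return missing


def fetch_cert(host, port=636, timeout=5.0):
    """Connect to an LDAPS endpoint and return the verified peer certificate.
    If the VIP cert is issued by a private CA, build the context with
    ssl.create_default_context(cafile=...) instead."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed placeholders: VIP name, DC hostname, VIP IP, pool member IP.
REQUIRED = ["ldap.example.test", "dc01.example.test", "10.0.0.10", "10.0.1.5"]
SAMPLE_CERT_BEFORE = {"subjectAltName": (("DNS", "dc01.example.test"),)}
SAMPLE_CERT_AFTER = {"subjectAltName": (
    ("DNS", "ldap.example.test"), ("DNS", "DC01.example.test"),
    ("IP Address", "10.0.0.10"), ("IP Address", "10.0.1.5"))}

if __name__ == "__main__":
    import sys  # usage: python check_sans.py <vip-hostname>
    cert = fetch_cert(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_CERT_AFTER
    print("missing SANs:", missing_sans(cert, REQUIRED) or "none")
```

Run it against the VIP's DNS name before and after reissuing the certificate; an empty "missing" list confirms every name the client, the F5 and the pool member can be addressed by is covered.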