Forum Discussion

danielpenna's avatar
Oct 06, 2015

LDAPS Monitor with Certificate Expiration

Hi Team,


I have been working with my AD team trying to resolve a problem where they forget to update a Domain Controller certificate and it expires and ADLDAPS queries fail since they dont bind to expired certificates. They have requested to see if we can drop a member out of the pool if the certificate is expired ( ie, not a valid SSL cert )


I have been messing with the LDAP Health monitor, turning on the Security settings, but I dont believe this would actually check that a certificate is valid or not. I know with server side SSL configuration you can enable SSL authentication but would just stop traffic from flow, not actually drop a member out of the pool.


Any ideas ?


4 Replies

  • MVA's avatar
    Icon for Nimbostratus rankNimbostratus

    Hi, we resolved this a few years back, if I recall, by enabling "Mandatory Attributes" in the health monitor. Test against an expired cert DC with this setting enabled/disabled.


  • Thanks Guys, will give Mel's solution a try since its the simplest. If that doesn't work, will give Mikes a go.


    Will supply feedback on how I go.


    Edit: Althought reading the context help on the F5 box, Mandatory attributes refer I think to the actual healthcheck returning proper LDAP attributes. I remember reading that the basic LDAP healthcheck doesnt request attributes, this must enforce that. Unsure how the expired cert checking fits in but will give it a go.


    Mandatory Attributes Specifies whether the target must include attributes in its response to be considered up.


    No: Specifies that the system performs only a one-level search (based on the Filter setting), and does not require that the target returns any attributes.


    Yes: Specifies that the system performs a sub-tree search, and if the target returns no attributes, the target is considered down.


    • SlipperyPete's avatar
      Icon for Nimbostratus rankNimbostratus

      Hi Daniel, interested to know how you went with this testing (if you remember back to 2015!). I am currently setting up a similar test for the same issue.