ko_48793
Nov 08, 2012

SSL Client certificate LDAP authentication

I'd like to configure the BIG-IP LTM to authenticate some clients using LDAP authentication.

Those clients have an SSL client certificate. This certificate is made from a private CA on OpenSSL.

I've tried the settings below.

----------------------------------------------------

■Virtual Server

port : tcp443
SSL Profile(Client) : PRF.SSLClient
Authentication Profiles : prf.auth.ldap

■SSL Profile(Client) : PRF.SSLClient

Certificate : My server certificate
Key : My server key
Trusted Certification Authorities : root certificate of my private CA
Client Certificate : require
Certificate Chain Traversal Depth : 1
Advertised Certificate Authorities : root certificate of my private CA

■Profile Authentication : Configuration

Name : auth.ldap
Type : SSL Client Certificate LDAP
Host : My LDAP Server IP address
Search Type : User
User Base DN : ou=People,dc=f5,dc=com
User Key : uid

■Profile Authentication : Authentication

Name : prf.auth.ldap
Type : SSL Client Certificate LDAP
Parent Profile : ssl_cc_ldap
Configuration : auth.ldap

----------------------------------------------------

 

When I took a capture on the BIG-IP LTM, the LDAP server returned correct responses (e.g. result code: success(0)).

So I think the LDAP server does not seem to be the cause of this status. But the client's HTTPS access returned the error page.

This error page showed that the connection was reset.

Could you tell me how I can work around this status?

6 Replies

  • Hi Ko,

    What error does the client receive? Are you testing with a cert that the LDAP server shows is valid?

    Aaron
  • Thank you, Aaron.

    After the client sent an SSL client certificate, the client received a FIN packet sent by the BIG-IP.

    I didn't put a cert on the LDAP server. Does LDAP client authentication need a cert on the LDAP server?
  • If you're seeing an LDAP query then you've made it past the SSL handshake. In your capture, you should see the successful bind, then the request (query), and a response. The response should show a returned value for the given query, not just success(0). If the LDAP query doesn't return a value, ACA shuts down the connection.

    The certificate LDAP mechanism in ACA is wired to extract and match the certificate CN to the LDAP/AD attribute that you specify.
  • Thanks, Stewart.

    The LDAP response value has the objectName, with data like "uid = user1, ou=People, dc=f5, dc=com".

    Then the CN value of the client cert is "user1", and the LDAP request is "ou=People, dc=f5, dc=com" with "Filter (uid=user1)".

    As I saw in the web management view, the "Handshake Failures" statistic of the client SSL profile counted up.

    Should I think it's an error on accelerating the client cert?
  • While there may be an issue with your client SSL profile, the fact that you're getting to the LDAP query means that you're successfully negotiating. Do you have a server SSL profile? Are there any logs generated other than the stats counter? Do you see any traffic leave the BIG-IP headed for the server?
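An added example, not from this thread or from F5, that models the CN-to-LDAP matching Stewart describes: it pulls the CN out of a certificate subject DN, builds the (uid=...) filter with RFC 4515 escaping, runs it against a constructed in-memory directory under the thread's base DN, and returns "allow" when an entry comes back and "reset" when the search returns nothing. The directory contents and all function names are assumptions made for the demo; against a real server you would issue the same filter with ldapsearch.

```python
import re

# Constructed in-memory stand-in for the thread's directory (objectName
# "uid=user1,ou=People,dc=f5,dc=com"); a real check would use ldapsearch.
DIRECTORY = {
    "uid=user1,ou=People,dc=f5,dc=com": {"uid": "user1"},
    "uid=user2,ou=People,dc=f5,dc=com": {"uid": "user2"},
}

def subject_cn(subject_dn):
    """CN value of a subject DN such as 'CN=user1,OU=People,O=f5' (None if absent)."""
    for rdn in re.split(r"(?<!\\),", subject_dn):
        attr, _, value = rdn.strip().partition("=")
        if attr.strip().upper() == "CN":
            return value.strip()
    return None

def ldap_filter(user_key, value):
    """'(uid=user1)' with RFC 4515 escaping, so '*', '(', ')' or '\\' in a CN
    cannot widen the search beyond one literal match."""
    esc = "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)
    return "(%s=%s)" % (user_key, esc)

def parse_equality_filter(flt):
    """Undo the escaping for a plain '(attr=value)' filter."""
    m = re.fullmatch(r"\((\w+)=(.*)\)", flt)
    if not m:
        raise ValueError("unsupported filter: " + flt)
    raw = re.sub(r"\\([0-9a-fA-F]{2})", lambda h: chr(int(h.group(1), 16)), m.group(2))
    return m.group(1), raw

def search(directory, base_dn, flt):
    """Subtree search under base_dn; returns the DNs that match (the value
    Stewart says must come back, not merely result code success(0))."""
    attr, value = parse_equality_filter(flt)
    suffix = "," + base_dn.replace(" ", "").lower()
    return [dn for dn, attrs in directory.items()
            if dn.replace(" ", "").lower().endswith(suffix)
            and attrs.get(attr) == value]

def aca_decision(directory, base_dn, user_key, subject_dn):
    """Mirror the outcome described in the thread: a returned entry lets the
    request through, an empty result means ACA resets the client connection."""
    cn = subject_cn(subject_dn)
    if cn is None:
        return ("reset", [])
    hits = search(directory, base_dn, ldap_filter(user_key, cn))
    return ("allow", hits) if hits else ("reset", [])
```

Running the poster's case (CN "user1", base ou=People,dc=f5,dc=com, user key uid) returns "allow" with the user1 DN, which is what a healthy capture should show; a CN with no matching entry returns "reset".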