jgabel_43098
Aug 21, 2007 (Nimbostratus)
client ssl, F5 and ldap integration
Please bear with me, all you network tech heads, as I am not a network guy, but rather an infosec guy, so I have no experience running F5 appliances.
I am wondering if anyone has successfully set up an F5 with LDAP (eDirectory) and client SSL certs using "certificate map". If so, can you explain with any detail how it works? We are trying to set it up but don't quite understand how it is supposed to work. We have a client SSL cert in a browser, which connects to a VIP on the F5 that goes to two backend webservers. For now we are just testing hitting the default webserver static web page, which is good enough for testing as our concern isn't the web apps, but rather the LDAP (eDirectory) integration with the F5. Our network folks have tried different configurations and can get the "user" option to work, but that works even if we don't store the client cert (public key only copy, since the end client/browser has the private key) in the directory attached to the user account.
We tried to use certificate map instead, but we just don't understand how it works and what is appropriate to put in the "Certificate Map Key" field. We tried "cn", and that appears to work, but once again, we don't have to store the cert in the directory and it will still appear to work.
In summary, what we want to do is this. User connects with client cert, the F5 connects to ldap(eDirectory) and checks to see if the user is present and the cert(the copy with just the public key) is attached to the account. If either is missing, it should reject the connection. If they are present, it should allow it.
So if anyone has any advice on how it is supposed to work or how we can get it to work, it would be greatly appreciated. Do we need a custom iRule? Is this not how the F5 works with these things? Just looking for some answers.
Thanks!!!
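Added example, not from the post and not F5's own code, showing the decision the post asks for: look the user up by the cn taken from the client certificate's subject, then require the presented certificate's fingerprint to match a certificate stored on that account, and contrast it with the loose "any known user passes" behaviour described above. It assumes userCertificate;binary is the attribute holding the public certificate, stands in for eDirectory with an in-memory dictionary, and uses constructed placeholder bytes instead of real DER certificates.

```python
import hashlib
import hmac

# Constructed stand-in for the eDirectory entries the F5 would query.
# Assumption: the public copy of the client cert is stored in the standard
# userCertificate;binary attribute. The byte strings are placeholders for
# DER-encoded certificates, not real certificates.
DIRECTORY = {
    "alice": {"userCertificate;binary": [b"DER-of-alice-cert"]},
    "bob":   {},                                   # account exists, no cert stored
    "carol": {"userCertificate;binary": [b"DER-of-old-carol-cert"]},
}


def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate (hex)."""
    return hashlib.sha256(der).hexdigest()


def lookup_user(cn: str, directory=DIRECTORY):
    """Mimic the LDAP search keyed on cn (the 'Certificate Map Key' from the post)."""
    return directory.get(cn)


def authorize(cn: str, presented_der: bytes,
              require_stored_cert: bool = True, directory=DIRECTORY) -> bool:
    """Return True only if the user exists and (in strict mode) the presented
    certificate matches one stored on the account.

    cn is passed in separately here; a real deployment extracts it from the
    subject of the certificate the client presented during the TLS handshake.
    """
    entry = lookup_user(cn, directory)
    if entry is None:
        return False                  # no such account: reject
    if not require_stored_cert:
        return True                   # loose mode: any known cn passes, cert stored or not
    presented = fingerprint(presented_der)
    for stored_der in entry.get("userCertificate;binary", []):
        # Compare fingerprints in constant time; a CN match alone is not enough.
        if hmac.compare_digest(fingerprint(stored_der), presented):
            return True
    return False                      # account exists but no matching cert attached
```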