Forum Discussion

djz_104054
Feb 13, 2014

Client SSL conversion to TLS for the server for LDAP

My use case is to translate an SSL connection coming from the client into a TLS connection directed to the server for the LDAP protocol. The client cannot use STARTTLS via port 389, as this is just not implemented in Oracle's DBMS_LDAP package. Somehow the F5 has to negotiate first with the client and start a TLS session with the LDAP server before LDAP binding with DN/password transfer could take place. But I do not have a clue as to how to implement this using iRules and would appreciate any hints / directions at all.


4 Replies

  • David_Holmes_12
    Historic F5 Account
    Are you asking for STARTTLS / LDAP support on the BIG-IP? Current versions do not support it, but I have heard it might be on the roadmap in the future. Let me back up for a second. The client speaks SSL. The server speaks LDAP. Correct? Have you tried setting up a virtual to include clientssl profile WITHOUT an associated HTTP profile? That would cause the bigip to strip off the SSL and just send through whatever the client was sending underneath.
  • Does your LDAP server not support SSLv3 and only supports TLS protocols? Does your client only support SSLv2 or SSLv3?


    If this is the case then you could likely use a standard virtual server with clientssl and serverssl profiles properly tuned to support what you want. The SSL/TLS connections on each side of the F5 can use different settings during initialization.


  • Thanks David. As I did not find anything about STARTTLS/LDAP in conjunction w/BigIP I assumed I missed something. So that type of protocol is not supported (yet). Just good to know & thank you for that piece of information.
  • So I've been fighting with this for a while, the issue appears to be that the F5 does not support terminating TLS connections on LDAP. Since LDAPS has been deprecated for a while in openldap, I've turned it off explicitly so there are no surprises if it is removed.


    This is pretty annoying to me since it's complicated the setup I am working with. There is also a strong chance that I'm missing something since the ldap monitor supports TLS and works fine. It seems odd that it would support half of TLS on LDAP and not the other half. Anyways, just my $.02, if anyone from F5 can comment on where ldap TLS termination is in fact supported or not that would be helpful.
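As an added illustration of David's suggestion above (a standard virtual server with separately tuned clientssl and serverssl profiles), and not configuration taken from the thread or from F5, the tmsh commands below re-encrypt client-side LDAPS towards the server's LDAPS port with newer protocol settings. The profile names, pool name, addresses and certificate file names are assumptions for the example; the server-side profile speaks TLS from the first byte, so the pool member must be the server's LDAPS port (636), not the STARTTLS port (389).

```tmsh
# Client side: accept the legacy client's SSL handshake.
# Certificate and key names are assumed; load them on the BIG-IP first.
create ltm profile client-ssl ldaps_clientssl defaults-from clientssl cert ldap-vip.crt key ldap-vip.key

# Server side: the BIG-IP re-handshakes to the LDAP server with only TLS
# allowed (SSLv2/SSLv3 disabled), independent of what the client negotiated.
create ltm profile server-ssl ldap_serverssl defaults-from serverssl options { no-sslv2 no-sslv3 }

# Pool member address is constructed; it must be the server's LDAPS port,
# since serverssl cannot issue a STARTTLS request on port 389.
create ltm pool ldap_pool members add { 10.0.0.10:636 }

# Virtual server on the LDAPS port with clientssl and serverssl in their
# respective contexts and no HTTP profile, so the decrypted LDAP stream is
# passed through unmodified between the two TLS sessions.
create ltm virtual vs_ldaps destination 10.0.0.5:636 ip-protocol tcp profiles add { tcp ldaps_clientssl { context clientside } ldap_serverssl { context serverside } } pool ldap_pool
```

This only works when the server already listens for LDAPS; a server that offers TLS solely via STARTTLS on 389 cannot be reached this way, which is the limitation the thread describes.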