Forum Discussion

Jose_01_133106
Apr 01, 2014

Remote - ClientCert LDAP Bugs on 11.5

Has anyone been able to configure Remote - ClientCert LDAP on 11.5? I found out this process was broken on 11.3 and seems to remain broken. I've managed to configure LDAP without a problem but I would like to secure the portal even further. I've been following the documentation here: http://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/tmos-implementations-11-5-0/27.html?sr=36282773

Bug 1: Host field does not accept an IP address (I can get around it by configuring DNS or the hosts file).

Bug 2: Apache Certificate List does not accept a list of certificates (this is new on 11.5). Only one must be uploaded at one time. This list is important because it tells the user which certificates are acceptable for authentication. Uploading a list with the name "allcertificates" produces the error below:

01070712:3: Values (/Common/allcertificates) specified for Certificate Bundle Entity (/Common/allcertificates.0 /Common/allcertificates): foreign key index (certificate_file_object_FK) do not point at an item that exists in the database.

With these bugs I was still able to create what I presume is a proper configuration; however, it does not work. I am matching a 10 digit value within the certificate CN with the sAMAccountName on Active Directory. Some of my settings are below:

  • CA Certificate: (Bug 2) I only choose the Root CA
  • Login Name: CN
  • Login LDAP Attribute: sAMAccountName
  • Login Filter: \d{10} or hardcode 10 digit number
  • Depth: Default (10)
  • OCSP: off

Result: SSL Connection Error

Any guidance on the Remote - ClientCert LDAP configuration or any working configurations that you can share with me will be very helpful. Note that an incorrect configuration will prevent you from logging on, so please make sure you have a backup or snapshot.

4 Replies

  • First, just a note, when you get locked out testing this solution, you can use: tmsh modify auth cert-ldap system-auth sso off

    This will let you log back in using admin.

    Next, there are some bugs being tracked with this configuration. You can try to configure using TMSH in the interim. Below were the settings I had to use to accomplish this using TMSH on 11.4. I am configuring this now in 11.5.1 and will update as I discover more.

    Note: You absolutely HAVE to have a remote role group configured.

    Note 2: If using Windows OCSP, enable NONCE.

    Note 3: You, currently, absolutely HAVE to use OCSP.

    auth cert-ldap system-auth {
        bind-dn "CN=LDAP Query,OU=Service Accounts,DC=alpha,DC=domain,DC=local"
        bind-pw $M$zk$MD/aIzNEVYJyFuwhtuZz/Q==
        check-roles-group enabled
        login-attribute sAMAccountName
        login-filter [a-zA-Z0-9]\\w*(\?=@)
        login-name altSubjectName=Othername
        search-base-dn DC=alpha,DC=domain,DC=local
        servers { xxx.xxx.3.22 }
        sso on
    }
    auth ldap system-auth {
        bind-dn "CN=LDAP Query,OU=Service Accounts,DC=alpha,DC=domain,DC=local"
        bind-pw $M$zk$MD/aIzNEVYJyFuwhtuZz/Q==
        check-roles-group enabled
        login-attribute sAMAccountName
        search-base-dn DC=alpha,DC=domain,DC=local
        servers { xxx.xxx.3.22 }
        user-template %s@ALPHA.DOMAIN.LOCAL
    }
    
    sys httpd {
        allow { All }
        auth-name BIG-IP
        auth-pam-dashboard-timeout off
        auth-pam-idle-timeout 1200
        auth-pam-validate-ip on
        description none
        fastcgi-timeout 300
        hostname-lookup off
        include none
        log-level warn
        max-clients 10
        redirect-http-to-https disabled
        request-body-max-timeout 0
        request-body-min-rate 500
        request-body-timeout 60
        request-header-max-timeout 40
        request-header-min-rate 500
        request-header-timeout 20
        ssl-ca-cert-file /Common/COLEHOME_CA_Chain
        ssl-certchainfile none
        ssl-certfile /etc/httpd/conf/ssl.crt/server.crt
        ssl-certkeyfile /etc/httpd/conf/ssl.key/server.key
        ssl-ciphersuite ALL:!ADH:!EXPORT:!eNULL:!MD5:!DES:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2
        ssl-include none
        ssl-ocsp-default-responder http://192.168.3.22/ocsp
        ssl-ocsp-enable on
        ssl-ocsp-override-responder on
        ssl-ocsp-response-max-age -1
        ssl-ocsp-response-time-skew 300
        ssl-verify-client require
        ssl-verify-depth 10
    }
    
  • There are some bugs in 11.5. I have tested this in 11.6 and it works with a caveat that we are trying to resolve now. The Login-Value only seems to pull Subject, and only supports a single value CN. So if you are pulling Subject/emailAddress=user@domain.com to validate your users against userPrincipalName, that works fine.

    I would also recommend the following:

    1. Make sure all certs are in PEM format. I had issues with DER and Base64.
    2. You don't really need the Chain CA cert; my config worked with nothing there.
    3. Do a TCP Capture on the internal side, or the network OCSP is processing on and the network LDAP is using, so you can see the OCSP and LDAP requests go out and ensure everything is in the proper format. You should see an OCSP request return OK, or if not OK something like Unauthorized (6). With LDAP you will see the query SearchRequest for userPrincipalName=user@domain.com or (login-attribute)=(login-value).
    4. The bugs you listed can be worked around by updating the config via tmsh.
    5. Be sure to submit a ticket for any issues, and post the case numbers. I can add them to existing bugs we are working internally.

    Michael C
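    The following is an added example, not code from the thread, from F5 or from the BIG-IP product. It models how the three cert-LDAP settings discussed above (login-name picks the certificate field, login-filter is the regex that extracts the login value from it, login-attribute is the AD attribute it is matched against) combine into the (login-attribute)=(login-value) SearchRequest the reply above says you should see in a capture. The certificate "fields" are constructed sample dicts keyed by the login-name setting string, which is a simplification assumed by the example and not how BIG-IP represents the certificate; the settings values are taken from the original post (CN, \d{10}, sAMAccountName), the first reply (altSubjectName=Othername with the filter [a-zA-Z0-9]\w*(?=@)) and this reply (emailAddress against userPrincipalName). The escaping step follows RFC 4515 so that metacharacters in a certificate field cannot change the shape of the query, which is the check a practitioner would want before trusting a regex-extracted value in a filter.

```python
import re

# RFC 4515 escaping for a value interpolated into an LDAP search filter, so
# that '*', '(', ')', '\' or NUL coming from a certificate field cannot alter
# the structure of the query.
def ldap_filter_escape(value: str) -> str:
    escaped = []
    for ch in value:
        if ch in "\\*()\x00":
            escaped.append("\\%02x" % ord(ch))
        else:
            escaped.append(ch)
    return "".join(escaped)


def extract_login_value(field_value: str, login_filter: str):
    """Apply the login-filter regex to the chosen certificate field and
    return the first match, or None when the field does not match."""
    match = re.search(login_filter, field_value)
    return match.group(0) if match else None


def build_search_filter(login_attribute: str, login_value: str) -> str:
    """The (login-attribute)=(login-value) filter that appears in the LDAP
    SearchRequest on the wire."""
    return "(%s=%s)" % (login_attribute, ldap_filter_escape(login_value))


def cert_to_ldap_filter(cert_fields: dict, login_name: str,
                        login_filter: str, login_attribute: str):
    """cert_fields is a simplified view of the client certificate: a dict
    keyed by the same strings the login-name setting uses ('CN',
    'emailAddress', 'altSubjectName=Othername'). This mapping is an
    assumption of the example, not how BIG-IP represents the certificate."""
    raw = cert_fields.get(login_name)
    if raw is None:
        return None  # certificate lacks the field: no lookup is possible
    value = extract_login_value(raw, login_filter)
    if value is None:
        return None  # filter did not match: treat as a failed lookup
    return build_search_filter(login_attribute, value)


# Constructed sample certificates covering the settings discussed in the
# thread (none of these are real certificates or real accounts).
SAMPLES = [
    # Original post: 10-digit value in CN matched against sAMAccountName.
    ({"CN": "1234567890"}, "CN", r"\d{10}", "sAMAccountName"),
    # Same settings, but a CN with no 10-digit run: the lookup must fail.
    ({"CN": "John Doe"}, "CN", r"\d{10}", "sAMAccountName"),
    # First reply: UPN in the SAN otherName, prefix before '@' -> sAMAccountName.
    ({"altSubjectName=Othername": "jdoe@ALPHA.DOMAIN.LOCAL"},
     "altSubjectName=Othername", r"[a-zA-Z0-9]\w*(?=@)", "sAMAccountName"),
    # Second reply: Subject/emailAddress matched whole against userPrincipalName.
    ({"emailAddress": "user@domain.com"}, "emailAddress", r".+", "userPrincipalName"),
    # A CN containing filter metacharacters, to show the escaping at work.
    ({"CN": "svc*(admin)"}, "CN", r".+", "sAMAccountName"),
]


def run_samples():
    """Return the search filter (or None) for each constructed sample."""
    return [cert_to_ldap_filter(*sample) for sample in SAMPLES]


if __name__ == "__main__":
    for sample, result in zip(SAMPLES, run_samples()):
        print(sample[0], "->", result)
```

    Comparing the filters this prints against the SearchRequest seen in a TCP capture on the LDAP network is a quick way to tell whether a login failure comes from the value extraction (the regex returns nothing, as in the "John Doe" sample) or from the directory side (the filter is correct but the search returns no entry).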

     

  • Thank you Michael, I will give it another try once I get access to 11.6. It does not seem available from the downloads website. I will update the post once I get a chance to test it.

  • 11.6 is tentatively set to be released August/September time frame. Contact your account team for instructions on how to sign up for Early Access if this is a critical feature for you.