Remote - ClientCert LDAP Bugs on 11.5
Has anyone been able to configure Remote - ClientCert LDAP on 11.5? I found out this process was broken on 11.3 and seems to remain broken. I've managed to configure LDAP without a problem but I would like to secure the portal even further. I've been following the documentation here: http://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/tmos-implementations-11-5-0/27.html?sr=36282773
Bug 1: Host field does not accept an IP address (I can get around it by configuring DNS or the hosts file).
Bug 2: Apache Certificate List does not accept a list of certificates (this is new on 11.5). Only one can be uploaded at a time. This list is important because it tells the user which certificates are acceptable for authentication. Uploading a list named "allcertificates" produces the error below:
01070712:3: Values (/Common/allcertificates) specified for Certificate Bundle Entity (/Common/allcertificates.0 /Common/allcertificates): foreign key index (certificate_file_object_FK) do not point at an item that exists in the database.
With these bugs I was still able to create what I presume is a proper configuration; however, it does not work. I am matching a 10-digit value within the certificate CN with the sAMAccountName on Active Directory. Some of my settings are below:
- CA Certificate: (Bug 2) I only choose the Root CA
- Login Name: CN
- Login LDAP Attribute: sAMAccountName
- Login Filter: \d{10} or hardcode 10 digit number
- Depth: Default (10)
- OCSP: off
Result: SSL Connection Error
Any guidance on the Remote - ClientCert LDAP configuration or any working configurations that you can share with me will be very helpful. Note that an incorrect configuration will prevent you from logging on, so please make sure you have a backup or snapshot.
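As an added illustration (not F5's code and not from the original post) of what the Login Name, Login Filter and Login LDAP Attribute settings above are meant to do together: read the CN from the client certificate's subject, apply the `\d{10}` filter to it, and build the sAMAccountName lookup. The sample subject is constructed, and the DN parsing and LDAP filter escaping are my own helpers, not BIG-IP behaviour.

```python
import re
from typing import Optional

# Constructed sample input (not from the post): an RFC 4514 subject string
# whose CN carries the 10-digit account number.
SAMPLE_SUBJECT = "CN=1234567890,OU=Users,DC=example,DC=com"

LOGIN_NAME_ATTR = "CN"             # "Login Name" setting from the post
LOGIN_FILTER = r"\d{10}"           # "Login Filter" setting from the post
LOGIN_LDAP_ATTR = "sAMAccountName" # "Login LDAP Attribute" setting from the post


def subject_attributes(subject: str) -> dict:
    """Split an RFC 4514 subject string into {ATTRIBUTE: value}.
    Backslash-escaped commas inside a value are honoured; multi-valued RDNs
    are not handled, since a CN like the one above does not need them."""
    attrs = {}
    for rdn in re.split(r"(?<!\\),", subject):
        key, _, value = rdn.partition("=")
        attrs[key.strip().upper()] = value.replace("\\,", ",").strip()
    return attrs


def extract_login(subject: str, attr: str = LOGIN_NAME_ATTR,
                  pattern: str = LOGIN_FILTER) -> Optional[str]:
    """Apply the login filter to the chosen subject attribute.
    fullmatch is used deliberately: an 11-digit CN such as 12345678901 is
    rejected rather than silently truncated to its first 10 digits, which an
    unanchored search for \\d{10} would accept."""
    value = subject_attributes(subject).get(attr.upper())
    if value is None:
        return None
    m = re.fullmatch(pattern, value)
    return m.group(0) if m else None


def ldap_escape(value: str) -> str:
    """RFC 4515 escaping so certificate-supplied text cannot change the
    structure of the search filter sent to Active Directory."""
    return re.sub(r"[\\*()\x00]", lambda m: "\\%02x" % ord(m.group(0)), value)


def ldap_filter(subject: str) -> Optional[str]:
    """Build the AD search filter for a certificate subject, or None if the
    CN does not satisfy the login filter (no lookup should be attempted)."""
    login = extract_login(subject)
    if login is None:
        return None
    return "(%s=%s)" % (LOGIN_LDAP_ATTR, ldap_escape(login))


if __name__ == "__main__":
    print(ldap_filter(SAMPLE_SUBJECT))  # (sAMAccountName=1234567890)
```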