Forum Discussion

Doug_104173
Sep 07, 2010

Load Balancing SSL LDAP requests

Has anyone load balanced client requests over SSL through a BigIP to a pool of Red Hat Directory Servers? I would like to make a master and slave pair highly available behind my BigIP load balancers, but the SSL part is killing me. The way I see it, you would have to generate 2 certificates on the load balancer, one to give to the client making the request, the other you would install into the Directory Server, which would serve as a node in a pool on the BigIP. The BigIP would then decrypt the SSL request from the client and then re-encrypt the traffic to whichever Directory Server it was sending it to. I know you can just do an SSL pass-through on the BigIP and add a SAN to your existing certificate from the directory server, but I thought having the BigIP do all the decryption and manage the certificates would be a more manageable solution. I've set all this up, by the way, but of course my test machine is no longer binding to the LDAP server. I've scoured the internet and not found a good how-to describing how to accomplish what I seek.

7 Replies

  • The way I see it, you would have to generate 2 certificates on the load balancer, one to give to the client making the request, the other you would install into the Directory Server which would serve as a node in a pool on the BigIP.

    The cert for the node should result from a private key and CSR on the node, subsequently signed by a CA the LTM trusts. Of course it's possible to skin this cat many different ways by exporting private keys etc., but I'd keep it simple and stick to best practice.

    Assuming you have the client_ssl profile running and only the server_ssl side to sort out, check your CN matches the name resolved for the node and that the LTM trusts the signatory. Oh, and use 'openssl s_client' for debugging SSL client connections; it will save you hours and hours and hours of time.
  • Hamish
    You don't necessarily need a cert on the backend, unless you're going to re-encrypt the traffic between the F5 and the server. (You could just run plain text, but would need to translate any redirects from ldap:// to ldaps://.)

    If you are going to re-encrypt, you could just use a self-signed cert on the LDAP server itself. The F5 won't care. And it'll save you the money.

    H
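The two replies above describe three things the server-ssl side depends on: a key and CSR generated on the node and signed by a CA the LTM trusts, a certificate whose SAN or CN matches the name the LTM resolves for the node, and, as the alternative, a self-signed cert on the LDAP server that is itself imported as trusted. The script below is an added example, not code from this thread or from F5. It rehearses all three with the openssl CLI in a scratch directory under assumed names (a CA called ca-ltm-trusts and a node called ldap1.dmz.com), and runs the same chain and name checks the server-ssl profile applies. The probe_ldaps function is the 'openssl s_client' check recommended above, written out for use against a real node; it is not executed here.

```shell
#!/bin/sh
# Added example: rehearse the server-ssl trust checks with a scratch CA.
# Names (ca-ltm-trusts, ldap1.dmz.com, ldap1.example.org) are assumptions, not from the thread.
set -eu
WORK=$(mktemp -d)
cd "$WORK"

# Minimal openssl config: the DN comes from -subj, extensions from the named section.
cat > cert.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[node_ext]
subjectAltName = DNS:ldap1.dmz.com
extendedKeyUsage = serverAuth
EOF

# 1. The CA the LTM trusts: its cert is what goes into the server-ssl profile's trusted CA bundle.
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 -config cert.cnf \
  -extensions ca_ext -subj "/CN=ca-ltm-trusts" -keyout ca.key -out ca.crt 2>/dev/null

# 2. On the node: private key + CSR. The key never leaves the node.
openssl req -new -newkey rsa:2048 -nodes -config cert.cnf \
  -subj "/CN=ldap1.dmz.com" -keyout node.key -out node.csr 2>/dev/null

# 3. The CA signs the CSR; the SAN and EKU are applied at signing time.
openssl x509 -req -days 1 -sha256 -in node.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
  -extfile cert.cnf -extensions node_ext -out node.crt 2>/dev/null

# 4. The other option from the thread: a self-signed cert generated on the LDAP server itself.
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 -config cert.cnf \
  -extensions node_ext -subj "/CN=ldap1.dmz.com" -keyout selfsigned.key -out selfsigned.crt 2>/dev/null

# Chain check, the way the server-ssl profile does it against its trusted CA bundle.
chain_ok() {  # $1 = trusted CA bundle, $2 = node cert
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Name check: the cert must name the host the LTM resolves for the node.
# SAN dNSName entries are authoritative; the CN is only consulted when there is no SAN.
name_ok() {  # $1 = node cert, $2 = expected hostname
  san=$(openssl x509 -in "$1" -noout -text \
          | sed -n '/Subject Alternative Name/{n;p;}' \
          | tr ',' '\n' | sed -n 's/^ *DNS://p')
  if [ -n "$san" ]; then
    printf '%s\n' "$san" | grep -qx "$2"
  else
    openssl x509 -in "$1" -noout -subject | grep -q "CN *= *$2\$"
  fi
}

# Live probe of a real node (not run in this script): prints subject, issuer and the
# verify result. For STARTTLS on port 389 add "-starttls ldap" (OpenSSL 1.1.1 or later).
probe_ldaps() {  # $1 = host exactly as the LTM resolves it, $2 = port, $3 = trusted CA bundle
  openssl s_client -connect "$1:$2" -servername "$1" -CAfile "$3" </dev/null 2>/dev/null \
    | grep -E '^(subject=|issuer=| *Verify return code)'
}

chain_ok ca.crt node.crt && echo "node.crt: chain OK against ca.crt"
name_ok node.crt ldap1.dmz.com && echo "node.crt: names ldap1.dmz.com"
chain_ok ca.crt selfsigned.crt || echo "selfsigned.crt: rejected by ca.crt (expected)"
chain_ok selfsigned.crt selfsigned.crt && echo "selfsigned.crt: OK once it is itself the trusted CA"
name_ok node.crt ldap1.example.org || echo "node.crt: does not name ldap1.example.org (expected)"
```

The self-signed branch shows why Hamish's option works: the LTM does not care who signed the node cert, only that the signer is in the bundle it trusts, so the self-signed cert simply has to be imported as that trust anchor. The name check is the one that bites when the pool member is addressed by IP or by an internal alias: the SAN (or CN, if there is no SAN) has to be the string the LTM resolves for the node, not the external name the client sees.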
  • The cert for the node should result from a private key and CSR on the node, subsequently signed by a CA the LTM trusts. Of course it's possible to skin this cat many different ways by exporting private keys etc., but I'd keep it simple and stick to best practice.

    So, not sure if this would matter, but I did both the client-side cert and server-side cert as self-signed certificates generated on the LTM. That should eliminate the CA trust issue, right?
  • Doug,

    Sorry for crashing into your topic; hopefully I can try to work it out within this topic, as it's similar to, if not the same as, what I am trying to implement. Maybe we can try to work them out together.

    Client sends a request to ldap://server.mydomain.com:1234 --- F5, and then the F5 sends it to an internal LDAP server - ldap1.dmz.com

    My setup (still a work in progress) - virtual server with the following profiles:

    1. client SSL profile with a certificate & key using the server.mydomain.com cert

    2. server SSL profile with a self-signed cert from ldap1.dmz.com - certificate = self-signed ldap1.dmz.com, key = none, rest = default

    I believe for my setup I have to do it on the LTM, maybe by using an iRule to take the string ldap://server.mydomain.com 1000 and convert it to ldap://ldap1.dmz.com 40000

    Still trying to figure that out, or am I going down the wrong road?

    How did you set yours up, Doug? Is it similar?

    I use an LDAP client to test it out and can see the SSL terminating at the F5 (Wireshark), and it looks like it is trying to talk to the back-end LDAP but didn't progress further than shown below.

    ld = ldap_sslinit("server.mydomain.com", 1000, 1);
    Error 0 = ldap_set_option(hLdap, LDAP_OPT_PROTOCOL_VERSION, 3);
    Error 0 = ldap_connect(hLdap, NULL);
    Error 0 = ldap_get_option(hLdap,LDAP_OPT_SSL,(void*)&lv);
    Host supports SSL, SSL cipher strength = 128 bits
    Established connection to server.mydomain.com
    Retrieving base DSA information... --> just stuck here

  • Yeah, that's pretty much what I'm trying to accomplish as well. Can you paste in the LDAP client connection command you are using? I'll try it on my side and see if I'm getting the same error in Wireshark. Also, is your LDAP server a Red Hat or 389 Directory Server? I'm actually using the 389 Directory Server.
  • I am actually using a tool called ldp, which can be downloaded from Microsoft. It's GUI based, so you only need to type the FQDN and the port and specify to use SSL.

    How far have you gone with your setup?

    Will try the following tomorrow:

    PC with the LDP tool ------ F5 ---------- LDAP server

    Will run Wireshark on the LDAP server and also tcpdump on the F5. Will try to see the difference between the two and see how far the F5 portion is working.

    Has anyone else in this group done this setup before? This can't be a new thing. Surely someone has done this before.
    • satish_txt_2254

      I am also looking into this solution, so let me know if you are successful in implementing it.