Forum Discussion

10 Replies

  • I am trying to get this configuration going. Still at the early stage. Is there anything special that you had to do to get this to work?
  • I realize this thread is quite old, but I'm having trouble posting a brand new question to the forum, so I am reviving/hijacking this one. Advance apologies.

    Is there a trick to getting SSL offload working for a pool of Active Directory servers sitting behind my LTM 1600s? I'm running 10.2.2 HF3. I set up SSL offload as I would on an HTTPS server, but it doesn't seem to be working. I can connect to the LB IP via an LDAP client, and I also see the BigIP shaking hands with one of the backend servers, but after that it looks like communication stops.

    Just looking for thoughts/ideas.

    Thanks,

    Josh
  • Hi Josh,

    Can you post your anonymized virtual server, pool config and a snippet of a tcpdump of the traffic? You can use these commands to get the info:

    tmsh list ltm virtual VS_NAME

    tmsh list ltm pool POOL_NAME

    tcpdump -Xs0 -ni 0.0 "CLIENT_IP or (host SERVER_IP and port SERVER_PORT)"

    Aaron
  • I'm working on the tcpdump. Anything specific you want to see out of it?
  • I wanted to see the tcpdump to see how far in the process the connection to the server fails. I didn't realize it was encrypted though on the serverside.

    As a test, if you remove the client and server SSL profiles, does the connection through the virtual server succeed?

    Out of curiosity, why are you re-encrypting the serverside connection? If you need the serverside encrypted, why are you decrypting the clientside? Are you planning on doing inspection or modification of the LDAP calls?

    Aaron
  • Yes, if client and server SSL profiles are removed things work fine.

    Background...

    The driving force behind the effort was to have a single cert that my group would need to manage (i.e. imports into App Server Trust store, etc...). Currently there is a small number of LDAP servers behind the VS, but should that grow in the future we would find ourselves in a position that would require management of 1 cert per node in all of our app server environments. We are currently running in production with no SSL offload, however, it is mandated that all of our traffic be encrypted end-to-end. So if we want to offload, we have to use both client-side and server-side.
  • I'd guess this is an issue with the server SSL's client cert/key. Can you use that cert/key with a different client to connect directly to a server?

    Can you also try capturing a tcpdump to a file and then use ssldump to view the SSL handshake? You can search on AskF5 for details on using ssldump.

    Aaron
  • Thanks for your thoughts Aaron!

    I have this nasty habit of trying to drive a nail with a bulldozer and it got me this time. I realized that I should just be having the AD admin put a DNS alias in his certs. *BANG*, problem solved.

    Sorry for the lost brain cycles.

    Josh
  • No worries, it's always interesting to hear of another use case.

    Aaron
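The fix Josh settles on, having the AD admin add the VIP's DNS alias to each domain controller's certificate so that one name covers every pool member, can be checked before the reissued certs go into production. The script below is an added example for this thread, not code from the discussion or from F5. It takes certificates in the dict layout that Python's ssl.SSLSocket.getpeercert() returns, applies RFC 6125-style name matching (exact dNSName entries, a single leftmost-label wildcard, IP Address entries, and the subject commonName only when the certificate has no subjectAltName at all), and lists the pool members whose certificate would still fail validation for the alias. The names ldap.corp.example, ldap01.corp.example and ldap02.corp.example, the certificate contents, and the optional live_peer_cert() helper and its ca_file argument are constructed assumptions for illustration.

```python
"""Does each LDAPS pool member's certificate cover the name clients use?

Added example for this thread (not F5 code). The certificates below are
constructed in the dict layout returned by ssl.SSLSocket.getpeercert(),
so a real peer certificate can be passed to cert_covers() unchanged.
"""
import ipaddress
import socket
import ssl


def dns_name_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style comparison of one dNSName entry against a hostname.

    Case-insensitive. A wildcard is accepted only as the entire leftmost
    label, only when at least two labels follow it, and it matches exactly
    one label: ``*.corp.example`` covers ``ldap.corp.example`` but not
    ``a.b.corp.example`` or the bare ``corp.example``.
    """
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if "*" not in pattern:
        return p == h
    if p[0] != "*" or len(p) < 3 or any("*" in label for label in p[1:]):
        return False
    return len(p) == len(h) and p[1:] == h[1:]


def cert_covers(cert: dict, hostname: str) -> bool:
    """True if the certificate is valid for ``hostname``.

    An IP literal must appear as an ``IP Address`` SAN entry. A DNS name is
    checked against the ``DNS`` SAN entries; the subject commonName is used
    only when the certificate carries no subjectAltName extension at all,
    which is how current TLS clients behave.
    """
    san = cert.get("subjectAltName", ())
    try:
        wanted_ip = ipaddress.ip_address(hostname)
    except ValueError:
        wanted_ip = None
    if wanted_ip is not None:
        return any(kind == "IP Address" and ipaddress.ip_address(value) == wanted_ip
                   for kind, value in san)
    if san:  # SAN present: the CN is ignored even if it would match
        return any(kind == "DNS" and dns_name_matches(value, hostname)
                   for kind, value in san)
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return dns_name_matches(value, hostname)
    return False


# Constructed sample pool: ldap01 still has its original per-node cert,
# ldap02 has been reissued with the VIP alias added as a SAN entry.
VIP_ALIAS = "ldap.corp.example"
POOL_CERTS = {
    "ldap01.corp.example": {
        "subject": ((("commonName", "ldap01.corp.example"),),),
        "subjectAltName": (("DNS", "ldap01.corp.example"),),
    },
    "ldap02.corp.example": {
        "subject": ((("commonName", "ldap02.corp.example"),),),
        "subjectAltName": (("DNS", "ldap02.corp.example"),
                           ("DNS", "ldap.corp.example")),
    },
}


def members_missing_alias(pool_certs: dict, alias: str) -> list:
    """Pool members whose certificate would fail name validation for ``alias``."""
    return sorted(m for m, c in pool_certs.items() if not cert_covers(c, alias))


def live_peer_cert(host: str, ca_file: str, port: int = 636, timeout: float = 5.0) -> dict:
    """Fetch a pool member's certificate for feeding into cert_covers().

    Chain validation against ``ca_file`` (assumed: the internal CA that issued
    the AD certs) stays on, because getpeercert() returns an empty dict for
    an unverified peer; only the built-in hostname check is disabled, since
    that is exactly what this script evaluates itself.
    """
    ctx = ssl.create_default_context(cafile=ca_file)
    ctx.check_hostname = False
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    for member, cert in POOL_CERTS.items():
        print(f"{member}: covers {VIP_ALIAS}? {cert_covers(cert, VIP_ALIAS)}")
    print("needs reissue:", members_missing_alias(POOL_CERTS, VIP_ALIAS))
```

Run as-is it reports ldap01.corp.example as still needing a reissued cert; to check a real pool, replace the constructed POOL_CERTS entries with the result of live_peer_cert() for each member IP, pointing ca_file at the CA that issued the domain controllers' certificates.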