Forum Discussion

AlanTLR_151265's avatar
AlanTLR_151265
Icon for Nimbostratus rankNimbostratus
Apr 17, 2014

Need help configuring Active Directory for User Authentication WITH SSL

On our F5 BIG-IP LTM (running 10.2.1) We are able to get Active Directory user authentication without SSL to work, but are having trouble getting it to work correctly with SSL. I have a suspicion that this has to do with the keys. I've entered them and even imported them as trusted device certificates, but I am still unable to get them working correctly. Is there a specific format that they should be in? I've tried PKCS12, PKCS7, and DER.

auth ldap system-auth {
    bind-dn "cn=\"LDAP Account\",ou=\"Service ACC\",dc=my,dc=lovely,dc=com"
    bind-pw ********
    login-attribute samaccountname
    port ldaps
    search-base-dn dc=my,dc=lovely,dc=com
    servers { MYDC03.my.lovely.com }
    ssl enabled
    ssl-ca-cert-file /etc/keys/ca.cer
    ssl-client-cert /etc/keys/ldaps.crt
    ssl-client-key /etc/keys/ldaps.key
    user-template %s@my.lovely.com
}

*Names, passwords, and domains have been changed for security.

active directory
ad authentication
application delivery
ldaps
LTM

6 Replies

Sort By
    • AlanTLR_151265's avatar
      AlanTLR_151265
      Icon for Nimbostratus rankNimbostratus
      Apr 17, 2014
      We were able to verify with the ldapsearch command yesterday, but today am now getting other errors. > TLS trace: SSL_connect:before/connect initialization > TLS trace: SSL_connect:SSLv2/v3 write client hello A > TLS trace: SSL_connect:error in SSLv2/v3 read server hello A > TLS: can't connect. Makes me wonder if this is truly an issue with the keys now.
    • AlanTLR_151265's avatar
      AlanTLR_151265
      Icon for Nimbostratus rankNimbostratus
      Apr 17, 2014
      We were able to verify with the ldapsearch command yesterday, but today am now getting other errors. > TLS trace: SSL_connect:before/connect initialization > TLS trace: SSL_connect:SSLv2/v3 write client hello A > TLS trace: SSL_connect:error in SSLv2/v3 read server hello A > TLS: can't connect. Makes me wonder if this is truly an issue with the keys now.
  • nitass's avatar
    nitass
    Icon for Employee rankEmployee
    Apr 18, 2014

    if your ldap server does not do client certificate authentication, can you try to remove client certificate and key in configuration?

    also, i understand ca certificate is not required (i.e. no server validation). can you try to remove ca certificate in configuration as well?

     config

root@ve10(Active)(tmos) list sys global-settings
sys global-settings {
    auth-source-type ldap
    gui-setup disabled
    hostname ve10.acme.com
    mgmt-dhcp disabled
}
root@ve10(Active)(tmos) list auth ldap
auth ldap system-auth {
    bind-dn CN=administrator,CN=users,DC=abc,DC=com
    bind-pw password
    login-attribute samaccountname
    port ldaps
    search-base-dn CN=Users,DC=abc,DC=com
    servers { 200.200.200.103 }
    ssl enabled
}

 /var/log/secure

[root@ve10:Active] log  tail -f /var/log/secure
Apr 18 17:20:16 local/ve10 alert httpd[3536]: pam_unix(httpd:account): could not identify user (from getpwnam(tasmania))
Apr 18 17:20:16 local/ve10 notice httpd[3536]: 01070417:0: AUDIT - user tasmania - RAW: httpd(mod_auth_pam): user=tasmania(tasmania) partition=[All] level=Administrator tty=/usr/bin/tmsh host=192.168.206.176 attempts=1 start="Fri Apr 18 17:20:16 2014".
  • AlanTLR_151265's avatar
    AlanTLR_151265
    Icon for Nimbostratus rankNimbostratus
    Apr 22, 2014

    I had the AD admin re-create and re-create and re-issue the CA bundle and convert it to a CRT bundle. We removed the client key and the client certificate (as this is part of the CA bundle) and it started working! Thanks for all your help!