Forum Discussion

Jan 15, 2017

SSL client certificate LDAP Authentication Question

Hi all

In a bid to try to understand some of the lesser documented and possibly implemented features of LTM, I have been testing out the various authentication features LTM has to offer. I am at a point where one of them, SSL client certificate LDAP authentication, has left me a little stumped. I can get the feature to work at a basic level, that is, the client presents a certificate, the LTM extracts the username from the cert, performs a bind to LDAP and authenticates the user successfully. What I wish to do now is ensure that the client is part of a specific AD group before granting permission to resources.

I believe the *Group Base DN* and *Valid Groups* settings are what I need to focus on. However, regardless of what I enter here, I cannot get this to work. My thinking is that the Group Base DN should contain a value similar to this:

CN=Sales,CN=Users,DC=company,DC=com

Where 'Sales' is an AD group the users I wish to authenticate are part of. I then add the keyword 'Sales' to the Valid Groups box, for a final config like so:

ltm auth ssl-cc-ldap LAB-SSL-LDAP-CONFIG {
    admin-dn CN=Administrator,CN=Users,DC=lab,DC=com
    admin-password 
    group-base CN=Sales,CN=Users,DC=lab,DC=com
    servers {  }
    user-base CN=Users,DC=lab,DC=com
    user-key sAMAccountName
    valid-groups { Sales }
}

Yet, with this config it fails, and the Wireshark trace I take doesn't actually provide much of a clue. In fact, I can't even see the LTM attempt to query LDAP for the 'Sales' group.

Any idea on where I'm going wrong? Has anyone tried this out successfully?

Thanks

3 Replies

  • Check /var/log/secure for errors and use ldapsearch from CLI to see how LDAP gives you the group, after that adjust the profile.


    Kevin_K_51432
    Historic F5 Account

    Greetings. Is this the Remote-ClientCert LDAP option in the UI? I believe the first step is to make an OCSP call to validate the certificate revocation status.

    If OCSP Override is enabled (the default), BIG-IP parses the SSL certificate for an OCSP responder; if it is off, BIG-IP follows the configured OCSP server.

        OCSP Override
        Specifies whether the system uses the OCSP Responder to override the CA certificate to authenticate/authorize logon operations. The default is off.

    Kevin

  • Hello both

    Thank you for your responses, and apologies for the way I formatted my original post. I have managed to get it to work. For those reading this in the future this is my final config:

    ltm auth ssl-cc-ldap LAB-SSL-LDAP-CONFIG {
        admin-dn CN=Administrator,CN=Users,DC=lab,DC=com
        admin-password 
        group-base CN=Sales,CN=Users,DC=lab,DC=com
        group-key sAMAccountName
        group-member-key member
        servers {  }
        user-base CN=Users,DC=lab,DC=com
        user-key sAMAccountName
        valid-groups { Sales }
    }

    As you can see from my original post, I was missing some key attributes in the config, namely the Group Key and Group Member Key attributes. Once I added these in, it worked. I traced the flow using Wireshark and can see the LTM sending the search request to LDAP. If we take that request and try it manually using ldapsearch, it gives back a positive result. That command, for reference, is:

    ldapsearch -H ldap:// -x -b DC=lab,DC=com -D CN=Administrator,CN=Users,DC=lab,DC=com -w "(&(member=CN=,CN=Users,DC=lab,DC=com)(sAMAccountName=Sales))"

    Thank you
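The following is an added example, not code from this thread or from F5. It models offline the two LDAP searches the final post describes: resolve the certificate username to a DN under `user-base` via `user-key`, then search `group-base` for an entry whose `group-member-key` attribute holds that DN and whose `group-key` equals a `valid-groups` name, which yields the same `(&(member=...)(sAMAccountName=Sales))` filter reproduced with ldapsearch above. The directory contents, the user names `jsmith` and `mjones`, and the assumption that no group filter can be formed when `group-key` / `group-member-key` are absent are all constructed for the example; values are escaped per RFC 4515 before being placed in a filter, which is good practice when reproducing the query by hand and says nothing about how BIG-IP builds it internally.

```python
"""Offline model of the group check behind an LTM ssl-cc-ldap profile.

Added example, not BIG-IP code: it reproduces the two searches visible in
the thread (resolve the user's DN under user-base, then look under
group-base for an entry whose group-member-key holds that DN and whose
group-key equals a valid-groups name) against a constructed directory.
"""

# Constructed sample directory (DN -> attributes); not real AD data.
DIRECTORY = {
    "CN=jsmith,CN=Users,DC=lab,DC=com": {
        "objectClass": ["user"], "sAMAccountName": ["jsmith"]},
    "CN=mjones,CN=Users,DC=lab,DC=com": {
        "objectClass": ["user"], "sAMAccountName": ["mjones"]},
    "CN=Sales,CN=Users,DC=lab,DC=com": {
        "objectClass": ["group"], "sAMAccountName": ["Sales"],
        "member": ["CN=jsmith,CN=Users,DC=lab,DC=com"]},
}

# Attributes of the working profile from the final post.
WORKING_CONFIG = {
    "user-base": "CN=Users,DC=lab,DC=com",
    "user-key": "sAMAccountName",
    "group-base": "CN=Sales,CN=Users,DC=lab,DC=com",
    "group-key": "sAMAccountName",
    "group-member-key": "member",
    "valid-groups": ["Sales"],
}

# The first post's profile: no group-key / group-member-key.
ORIGINAL_CONFIG = {k: v for k, v in WORKING_CONFIG.items()
                   if k not in ("group-key", "group-member-key")}


def escape_filter_value(value):
    """RFC 4515 escaping, so a DN or name copied from a certificate cannot
    change the structure of the filter it is placed in."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c
                   for c in value)


def build_group_filter(config, user_dn, group):
    """The filter the thread's ldapsearch reproduces."""
    return "(&(%s=%s)(%s=%s))" % (
        config["group-member-key"], escape_filter_value(user_dn),
        config["group-key"], escape_filter_value(group))


def in_subtree(dn, base):
    """Subtree scope: the base entry itself or anything below it."""
    dn, base = dn.lower(), base.lower()
    return dn == base or dn.endswith("," + base)


def search(base, equalities):
    """DNs under base matching every attr=value pair (case-insensitive,
    like AD's sAMAccountName and DN-syntax matching rules)."""
    hits = []
    for dn, attrs in DIRECTORY.items():
        if in_subtree(dn, base) and all(
                value.lower() in [v.lower() for v in attrs.get(attr, [])]
                for attr, value in equalities.items()):
            hits.append(dn)
    return hits


def authorize(config, cert_username):
    """Return (allowed, reason, searches_sent) for a username taken from a
    client certificate."""
    for key in ("group-key", "group-member-key"):
        if key not in config:
            # Assumption for this model: without these attributes no group
            # filter can be formed, so no group search ever goes out.
            raise ValueError("cannot build group filter: %s missing" % key)
    sent = []
    user_filter = "(%s=%s)" % (config["user-key"],
                               escape_filter_value(cert_username))
    sent.append((config["user-base"], user_filter))
    users = search(config["user-base"], {config["user-key"]: cert_username})
    if len(users) != 1:
        return False, "expected one user entry, found %d" % len(users), sent
    user_dn = users[0]
    for group in config["valid-groups"]:
        sent.append((config["group-base"],
                     build_group_filter(config, user_dn, group)))
        if search(config["group-base"],
                  {config["group-member-key"]: user_dn,
                   config["group-key"]: group}):
            return True, "member of %s" % group, sent
    return False, "not in any valid group", sent


if __name__ == "__main__":
    for user in ("jsmith", "mjones"):
        allowed, why, sent = authorize(WORKING_CONFIG, user)
        print(user, "->", allowed, why)
        for base, flt in sent:
            print("   search base=%s filter=%s" % (base, flt))
```

Running it prints, for each constructed user, the user-base search and then the group-base search with the same filter shape as the ldapsearch in the post; `jsmith` (listed in the group's `member` attribute) is allowed and `mjones` is refused. Calling `authorize(ORIGINAL_CONFIG, ...)` raises instead of searching, which is the model's equivalent of the first post seeing no group query on the wire.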