Jan 15, 2017
SSL client certificate LDAP Authentication Question
Hi all
In a bid to try to understand some of the lesser documented and possibly implemented features of LTM, I have been testing out the various authentication features LTM has to offer. I am at a point where one of them - SSL client certificate LDAP authentication - has left me a little stumped. I can get the feature to work at a basic level, that is, the client presents a certificate, the LTM extracts the username from the cert, performs a bind to LDAP and authenticates the user successfully. What I wish to do now is ensure that the client is part of a specific AD group before granting permission to resources.
I believe the *Group Base DN* and *Valid Groups* settings are what I need to focus on. However, regardless of what I enter here, I cannot get this to work. My thinking is that the Group Base DN should contain a value similar to this:
CN=Sales,CN=Users,DC=company,DC=com
Where 'Sales' is an AD group the users I wish to authenticate are part of. I then add the keyword 'Sales' to the Valid Groups box, for a final config like so:
ltm auth ssl-cc-ldap LAB-SSL-LDAP-CONFIG {
    admin-dn CN=Administrator,CN=Users,DC=lab,DC=com
    admin-password
    group-base CN=Sales,CN=Users,DC=lab,DC=com
    servers { }
    user-base CN=Users,DC=lab,DC=com
    user-key sAMAccountName
    valid-groups { Sales }
}
Yet, with this config it fails, and the Wireshark trace I take doesn't actually provide much of a clue. In fact I can't even see the LTM attempt to query LDAP for the 'Sales' group.
Any idea on where I'm going wrong? Has anyone tried this out successfully?
Thanks
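As an added illustration of the authorization step the question is about (this is example code written for this page, not from the original post and not F5's implementation), the script below simulates what a group check on top of certificate-derived usernames has to do: resolve the certificate CN to a directory user under the user base via the user key, then look for a group under the group base whose CN is one of the valid groups and whose `member` attribute lists that user's DN. The directory is a small constructed LDIF-style text modelled on the DNs in the post; the group-base handling treats the base as a subtree, so it works both when the base is a container such as CN=Users,DC=lab,DC=com and when it is the group's own DN, as in the posted config. Whether the LTM evaluates membership through the group's `member` attribute or the user's `memberOf` is an assumption here, not something the page states.

```python
"""Simulated LDAP group authorization after client-certificate authentication.

Constructed example; the directory content below is made up for the demo and
the matching logic is an assumption about how such a check works, not F5 code.
"""
from typing import Dict, List, Optional

# Constructed sample directory (LDIF-like, no line folding, no base64 values).
SAMPLE_LDIF = """\
dn: CN=Users,DC=lab,DC=com
objectClass: container
cn: Users

dn: CN=alice,CN=Users,DC=lab,DC=com
objectClass: user
sAMAccountName: alice
memberOf: CN=Sales,CN=Users,DC=lab,DC=com

dn: CN=bob,CN=Users,DC=lab,DC=com
objectClass: user
sAMAccountName: bob

dn: CN=Sales,CN=Users,DC=lab,DC=com
objectClass: group
cn: Sales
member: CN=alice,CN=Users,DC=lab,DC=com
"""

Entry = Dict[str, List[str]]  # attribute name (lower-cased) -> values


def normalize_dn(dn: str) -> str:
    """Case-fold and trim whitespace around RDN separators so DNs compare reliably."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def parse_ldif(text: str) -> Dict[str, Entry]:
    """Parse minimal LDIF into {normalized dn: {attr: [values]}}."""
    entries: Dict[str, Entry] = {}
    current: Entry = {}
    for raw in text.splitlines() + [""]:  # trailing "" flushes the last entry
        line = raw.strip()
        if not line:
            if current:
                dn = current.pop("dn")[0]
                entries[normalize_dn(dn)] = current
                current = {}
            continue
        attr, _, value = line.partition(":")
        # LDAP attribute names are case-insensitive; store them lower-cased.
        current.setdefault(attr.strip().lower(), []).append(value.strip())
    return entries


def in_subtree(dn: str, base: str) -> bool:
    """True if dn is the base object itself or lies below it (subtree scope)."""
    dn, base = normalize_dn(dn), normalize_dn(base)
    return dn == base or dn.endswith("," + base)


def find_user_dn(directory: Dict[str, Entry], user_base: str,
                 user_key: str, username: str) -> Optional[str]:
    """Map the certificate-derived username to a user DN under user_base."""
    for dn, entry in directory.items():
        values = [v.lower() for v in entry.get(user_key.lower(), [])]
        if in_subtree(dn, user_base) and username.lower() in values:
            return dn
    return None


def is_authorized(directory: Dict[str, Entry], user_base: str, user_key: str,
                  username: str, group_base: str, valid_groups: List[str]) -> bool:
    """Authorize only if the user is a member of a valid group under group_base."""
    user_dn = find_user_dn(directory, user_base, user_key, username)
    if user_dn is None:
        return False  # unknown user: fail closed
    wanted = {g.lower() for g in valid_groups}
    for dn, entry in directory.items():
        if "group" not in entry.get("objectclass", []):
            continue
        if not in_subtree(dn, group_base):
            continue  # group exists but is outside the configured base
        if not wanted & {c.lower() for c in entry.get("cn", [])}:
            continue  # not one of the valid groups
        members = {normalize_dn(m) for m in entry.get("member", [])}
        if user_dn in members:
            return True
    return False


DIRECTORY = parse_ldif(SAMPLE_LDIF)

if __name__ == "__main__":
    cfg = dict(user_base="CN=Users,DC=lab,DC=com", user_key="sAMAccountName",
               group_base="CN=Sales,CN=Users,DC=lab,DC=com", valid_groups=["Sales"])
    for cn in ("alice", "bob", "carol"):
        print(cn, "->", "allow" if is_authorized(DIRECTORY, username=cn, **cfg) else "deny")
```

Running it prints allow for alice (listed in the Sales group's `member` attribute), deny for bob (a valid user outside the group) and deny for carol (no directory object at all). Changing `valid_groups` to a name that is not a group under the base, or pointing `group_base` at a subtree that does not contain the Sales group, also yields deny, which is the fail-closed behaviour a group restriction should have.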