LDAP Virtual Server doesn't work for HPUX after version 11


Joe Robinson

Greetings:

I have a VPX running firmware 11.0.69.12. It's hosting a vserver that is load balancing LDAP. It's a pretty simple configuration really. It's currently load balancing the following ports to a domain controller:

88 - TCP
88 - UDP
389 - TCP
445 - TCP
464 - TCP
636 - SSL_TCP
3268 - TCP
3268 - TCP
3269 - SSL_TCP


I know that all of these are not necessary, but the vserver is currently online and running just fine. However, if I upgrade to version 12 or 13, authentication fails on our HPUX server. Everything else seems to work fine (access from Windows applications, manual tests with ldp). If I downgrade the firmware to v11, everything starts working again.

I'm really scratching my head on this -- anyone aware of any changes in 12 that might impact load balancing LDAP?
UPDATE:

The LDAP client was unable to use anything higher than TLS1. Built a new profile allowing TLS1 and the best of the worst ciphers to be used, and applied that only to my LDAP vserver.

Thanks for the help!


From what you're saying, only the HPUX system is failing to access the LDAP vserver via the ADC VPX (other systems are fine and the load balancer and services otherwise appear up)? If it's different than what I thought you described, this may not apply.

In addition, which version of 12.x are you upgrading to, as there may be more specific info if you mean 12.1 or 13.0 vs. 12.0 and the exact build....

If it's just the one type of system doing LDAP via the VPX having issues, then I would compare ciphers/ssl parameters/ssl profiles on the ldap vserver, servicegroup, and monitor.

My initial guess is 12.x no longer supports a specific ssl cipher or protocol that the HPUX expects that 11.0 did. Though I thought most of the cipher changes happened at 12.1 instead of 12.0.

Cipher changes are noted in the release notes but also on the firmware download page: https://www.citrix.com/downloads/citrix-adc/firmware/release-121-build-6118.html

You can check the ssl profile and ssl parameters on the vserver/servicegroup and/or monitor to see if there is an impact.

Additional troubleshooting if it's not the above:

An nstrace may help identify if the issue is in a specific handshake. And this might be why the HPUX is affected as a potentially older system and why other LDAP attempts don't mind.

Check syslog, nslog, and the bootd.msg for any issues after upgrade that could be a more exotic issue.

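Added example, not from this thread or from Citrix: a small Python decoder for the two TLS records that matter when reading an nstrace of a failing LDAPS bind, the ClientHello (highest protocol version and the ciphers the client offers) and the server's Alert. The trace bytes are constructed to model the case discussed here, a client that tops out at TLS 1.0 being refused; the cipher-suite, version and alert codes are the standard IANA values.

```python
import struct

# Standard IANA code points; the trace below is constructed, not captured.
CIPHER_NAMES = {0x002f: "TLS_RSA_WITH_AES_128_CBC_SHA",
                0x000a: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
                0x0005: "TLS_RSA_WITH_RC4_128_SHA"}
VERSION_NAMES = {0x0300: "SSLv3", 0x0301: "TLS1.0", 0x0302: "TLS1.1", 0x0303: "TLS1.2"}
ALERT_NAMES = {40: "handshake_failure", 70: "protocol_version", 71: "insufficient_security"}

def build_client_hello(version, suites):
    """Build a minimal TLS ClientHello record (constructed test input, not a real trace)."""
    body = struct.pack("!H", version) + bytes(32) + b"\x00"          # version, random, empty session id
    body += struct.pack("!H", 2 * len(suites)) + b"".join(struct.pack("!H", s) for s in suites)
    body += b"\x01\x00"                                                # one compression method (null)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body          # type=ClientHello + 3-byte length
    return b"\x16" + struct.pack("!HH", 0x0301, len(handshake)) + handshake

def parse_record(data):
    """Decode one TLS record into a dict: ClientHello (offered version/ciphers) or Alert."""
    ctype, _rec_ver, length = struct.unpack("!BHH", data[:5])
    body = data[5:5 + length]
    if ctype == 21:                                                   # Alert
        return {"type": "alert", "level": "fatal" if body[0] == 2 else "warning",
                "description": ALERT_NAMES.get(body[1], str(body[1]))}
    if ctype == 22 and body[0] == 1:                                  # Handshake / ClientHello
        client_ver = struct.unpack("!H", body[4:6])[0]
        pos = 6 + 32 + 1 + body[38]                                   # skip random and session id
        cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
        suites = [struct.unpack("!H", body[i:i + 2])[0] for i in range(pos + 2, pos + 2 + cs_len, 2)]
        return {"type": "client_hello", "max_version": VERSION_NAMES.get(client_ver, hex(client_ver)),
                "ciphers": [CIPHER_NAMES.get(s, "0x%04x" % s) for s in suites]}
    return {"type": "other", "content_type": ctype}

def diagnose(records):
    """Explain a failed handshake from the ClientHello and the server's Alert, if any."""
    parsed = [parse_record(r) for r in records]
    hello = next((p for p in parsed if p["type"] == "client_hello"), None)
    alert = next((p for p in parsed if p["type"] == "alert"), None)
    if hello and alert and alert["description"] == "protocol_version":
        return "server rejects client's highest offered version %s" % hello["max_version"]
    if hello and alert and alert["description"] == "handshake_failure":
        return "no cipher in common; client offered %s" % ", ".join(hello["ciphers"])
    return "no handshake failure found"

# Constructed trace: a legacy client offering only TLS 1.0 with CBC/RC4 suites, then a fatal alert.
SAMPLE_TRACE = [build_client_hello(0x0301, [0x002f, 0x000a, 0x0005]),
                bytes.fromhex("15030100020246")]   # alert: fatal (2), protocol_version (70 = 0x46)

if __name__ == "__main__":
    print(diagnose(SAMPLE_TRACE))
```

Comparing the ClientHello's offered version and ciphers against the vserver's SSL profile on the old and new firmware shows directly which setting the upgrade removed.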

You're spot on with your recap --

As far as I can tell, everything is working 100% EXCEPT the HPUX authentication. It fails when it attempts to bind with the most generic of generic messages.

I've tried a handful of different versions, and I don't have any specific versions handy right now. I do feel comfortable saying any version of 12 had the same problems. I've been trying to get this upgraded for a long time, but it's been pretty low priority. I'll take a peek at the ciphers and see if anything is different. I currently have the vserver running on 11 and 13, so I'll be able to visually compare....

Thanks for the tips!


An nstrace may tell you if it is just an ssl handshake issue, and the link above at least notes the major cipher changes for 12.1. But hope that is at least a potential explanation, as I'm *guessing* the HPUX might be the legacy in this. But your ssl profile or parameters may be changing support for sslv3/tls10 in addition to cipher groups, and if you want to anything 12.1/13.0 or later, some specific legacy ciphers are gone.

Hopefully, you can find an answer AND report back if it's not the ssl settings.


Found the problem with your help... you were spot on.

Our wonderful HPUX LDAP service can't speak anything higher than TLS1, so I built a new profile that allowed this and the best of the weak ciphers it can use and added it to my LDAP vserver. All is good now!

Looks like it's time to upgrade that LDAP service, too!
