LDAP Profile Verify Server Certificate for SSL


Select this option so that the firewall verifies the directory server's certificate before SSL/TLS communication with the LDAP server is established.

Comments
L1 Bithead

We're having a challenge mitigating this, as our LDAP servers are signed by our internal CA, not by one of the public CAs in the "Default Trusted Certificate Authorities" list. I don't see any way to add our trusted enterprise CA to that list, only to the "Device Certificates" list, which the LDAP certificate check does not check for CA certs. So it appears there is no way to trust an LDAP server cert based on your own PKI CA cert?

We also cannot import the individual LDAP server certificates into the device certificates due to a missing subject field (that's an internal issue), but in any event, importing the specific LDAP server certificate is a borderline unacceptable solution, as now with every server lifecycle, addition of a new server into the LDAP backend pool, etc., we have to manually add and remove certificates on the firewalls and Panorama instead of simply relying on the trust from our CA, and this pretty much guarantees a service-affecting issue down the road.

L2 Linker

@Toivo Hello, are you referring to a particular Best Practice check or is this a separate issue? If this is not related to the Best Practice Assessment, please create a support ticket and it will be addressed. Thanks.

Last Updated:
‎07-13-2020 07:50 AM