
iRule for LDAPSearch?

Hi there, does anyone have any experience writing an iRule and/or health monitor using ldapsearch? My devs need to query a remote LDAP server. I can't get the built-in health monitor to work, based on the syntax the dev gave me. However, if I run ldapsearch from the command line, it works. The health monitor is there to ensure a pool member is responding to LDAP queries.

The LDAP server in question allows anonymous connections, so I have no username/pwd.


Replies to this Discussion


I've not set up an LDAP monitor using anonymous authentication. While it's not explicit, SOL17472 does imply that anonymous authentication is supported.

Are you using ldapsearch from the BIG-IP? What parameters (redact as necessary) do you specify?

Comments on this Reply
Comment made 19-Apr-2016 by JoshF 1
Theo, thanks for taking the time! ldapsearch from the shell definitely supports anonymous. The actual health monitor, though: base: ou=people,ou=x,ou=y,ou=z,c=us filter: objectclass=* What confuses me is that it works perfectly from the command line. I get no response when I put the string in the health monitor. I turned on health monitor debugging, but the output... was kinda useless.
Comment made 19-Apr-2016 by JoshF 1
Or, to be fair, I may not have understood the debug...
Comment made 19-Apr-2016 by Theo 380
Just to rule it out, is ou=people,ou=x,ou=y,ou=z,c=us a referral? Does the result from the shell return >0 objects? With debug on, what does the log file show (reminder: it should be at /var/log/<monitor_type>_<ip_address>.<port>.log)? Other than that, I would open a support ticket with F5, since it works from the command line.
Comment made 19-Apr-2016 by JoshF 1
To be specific: ldapsearch -v -x -h {IP} -p 389 -b "ou=people,ou=x,ou=y,ou=z,c=us" -s base "objectclass=*" Perhaps I need to enter the quotes in the GUI when creating the monitor?
Comment made 19-Apr-2016 by Theo 380
The quotes should not matter in the GUI; it'll add them. What about modifying your shell command to the one below? What is the output (fill in your IP)? ldapsearch -xLLL -H 'ldap://{IP}' -b "ou=people,ou=x,ou=y,ou=z,c=us" -s one -A "(objectclass=*)"
Comment made 21-Apr-2016 by JoshF 1
Theo, I don't know enough about LDAP, but I do not think it is a referral. I get numResponses: 2 numEntries: 1 (from my current string). The string you sent me didn't work; the F5 doesn't like the URI. I switched back to the older -h -p syntax and it works from the command line, but it seems to have pulled... all the users in LDAP? Are the parentheses on the filter intentional?
Comment made 22-Apr-2016 by Theo 380
No, but the way I sent you (which I got from SOL17472) is how the monitor will run the command, so I presume getting that command to work will fix the issue. What version of BIG-IP software are you running on that box? I want to check something on the parameters for ldapsearch.
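Added example, not code from this thread, from F5 or from SOL17472: if the built-in LDAP monitor keeps failing while ldapsearch works from the shell, an external monitor that wraps the exact ldapsearch the poster verified is a practical fallback. The script below assumes the usual BIG-IP external-monitor contract (called as `script <node-ip> <node-port>`, IPv4 nodes passed as `::ffff:a.b.c.d`, any text on stdout means "up", no output means "down"); the variable names `LDAP_BASE`, `LDAP_SCOPE`, `LDAP_FILTER` and `LDAP_TIMEOUT` are my own, and the `-o nettimeout=` option assumes the OpenLDAP 2.4 client tools. It also normalises a bare `objectclass=*` into the parenthesised `(objectclass=*)` form that Theo's command uses, and counts `dn:` lines so it works with or without `-LLL`.

```shell
#!/bin/sh
# Hypothetical BIG-IP external monitor around an anonymous ldapsearch.
# Assumed contract (not from the thread): BIG-IP runs
#   <script> <node-ip> <node-port>
# with IPv4 nodes as ::ffff:a.b.c.d; any stdout output = "up", none = "down".
# Settings come from environment variables (my own names, set in the
# monitor's Variables box):
#   LDAP_BASE    search base, e.g. ou=people,ou=x,ou=y,ou=z,c=us
#   LDAP_SCOPE   base | one | sub          (default: base, as in the poster's command)
#   LDAP_FILTER  RFC 4515 filter            (default: objectclass=*)
#   LDAP_TIMEOUT seconds for connect and search (default: 5)

# BIG-IP hands IPv4 node addresses to external monitors as IPv4-mapped IPv6.
strip_v4_prefix() {
    printf '%s\n' "$1" | sed 's/^::ffff://'
}

# ldapsearch tolerates a bare "objectclass=*", but RFC 4515 (and the form
# SOL17472 shows) wraps the filter in parentheses, so normalise before use.
normalize_filter() {
    case "$1" in
        "("*")") printf '%s\n' "$1" ;;
        *)       printf '(%s)\n' "$1" ;;
    esac
}

# Count returned entries in LDIF output. Every entry starts with a "dn:" line,
# so this works with and without -LLL (-LLL drops the "# numEntries:" trailer).
# In the poster's output, numResponses (2) counts the entry plus the final
# search-result message; numEntries (1) counts only entries.
count_entries() {
    printf '%s\n' "$1" | grep -c '^dn:' || true
}

# "Up" means at least one entry came back. A bind that succeeds but returns
# zero entries (wrong base, referral, empty subtree) is still reported down,
# because the point of the monitor is to prove the member answers real queries.
is_up() {
    [ "$(count_entries "$1")" -gt 0 ]
}

# -x = simple bind; no -D/-w = anonymous. -A returns attribute names only.
# Time limits keep the check from outliving the monitor's own interval.
# If the box's ldapsearch rejects the -H URI form (as the poster saw),
# replace -H with: -h "$ip" -p "$port".
run_query() {
    ip=$1
    port=$2
    ldapsearch -x -LLL -A \
        -H "ldap://${ip}:${port}" \
        -b "${LDAP_BASE}" \
        -s "${LDAP_SCOPE:-base}" \
        -l "${LDAP_TIMEOUT:-5}" \
        -o "nettimeout=${LDAP_TIMEOUT:-5}" \
        "$(normalize_filter "${LDAP_FILTER:-objectclass=*}")" 2>/dev/null
}

main() {
    ip=$(strip_v4_prefix "$1")
    port=$2
    [ -n "${LDAP_BASE:-}" ] || exit 1        # misconfigured monitor: stay down
    if is_up "$(run_query "$ip" "$port")"; then
        echo "up"                             # any stdout output marks the member up
    fi
}

# Only act as a monitor when BIG-IP supplies the node address and port;
# otherwise the file just defines the functions (handy for testing).
if [ $# -ge 2 ]; then
    main "$@"
fi
```

Install it under System > File Management > External Monitor Program File List, build a monitor of type External on it, set the variables above, and keep the monitor Timeout larger than `LDAP_TIMEOUT` so the script is not killed before ldapsearch gives up.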