Forum Discussion

Andy_Cohen_4986
Apr 08, 2015

Configuring intermediate VS for LDAP/LDAPS HA

Hi,

I have successfully configured an LDAP AAA profile with a single server, and created an associated access profile with an interactive login page and LDAP Auth and LDAP Query functions to correctly authenticate and query a Windows AD server.

I now want to add additional servers via an LDAP AAA pool in order to provide some resiliency. I am following the guides but coming unstuck with the logic on how the HA works. My understanding is that you create the pool in the Access AAA configuration, which creates an LTM pool for the servers. You then create a Virtual Server which load balances to this pool (and in the case of LDAPS encrypts traffic with a Server SSL profile).

To keep things simple at this stage, I am not introducing SSL, so just trying to create a pool of LDAP servers. I have done this, and I have created a Virtual Server with this pool behind (all servers on non-SSL TCP 389). The VS is listening on 389, but I am unsure what IP I should be giving the Virtual Server. The line in the documentation reads:

"For the Destination setting in the Address field, type the IP address for the external LDAP server. This IP address must match a server address configured in the LDAP AAA server."

If I am reading this correctly, the IP for the Virtual Server should be the same as the real address of one of my AD LDAP servers (i.e. one of the LDAP pool members)? How does this work? I can see in the logs that when I try to make a connection using this access profile with the LDAP pool configured, an attempt to BIND for auth goes to a loopback address:

Apr 8 10:39:39 slot2/UK-F5-XXX debug apd[10255]: 01490027:7: cd8931ea: LDAP module: ldap_initialize() successful. URI:'ldap://127.7.0.5:389'

However, the auth attempt/connection times out and no response from an LDAP server is received.

As mentioned at the top of this post, if I configure an AAA LDAP profile to a single server (using any one of the servers in the LDAP pool), it works fine. I can't help but feel that I have something wrong with the way the Virtual Server is configured?

2 Replies

  • Gianrico_D_Ang1
    Historic F5 Account

    I now want to add additional servers via an LDAP AAA pool in order to provide some resiliency.

    You can simply select "use pool" in the LDAP AAA server configuration and add multiple servers there. When the first server does not respond, the second will be tried, and so on.

    I do not understand why you're trying to do it differently.

    thanks gianrico

    • Andy_Cohen_4986
      Gianrico, yes, you can use pool and apply the server IPs here, but that is only half of the configuration. Have you tried setting this up yourself? In selecting the "use pool" option, an LTM pool is created with the servers you list. However, you then need to create a Virtual Server as I mentioned above, that forwards to this newly created pool for this functionality to work. In the end my issue was simply a firewall one, but I wasn't sure that the implementation of the LDAP pool that I had outlined in my first post was correct. It was, and the loopback call in the logs is the expected outcome.
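Two checks a practitioner would want when an APM LDAP pool bind times out, written up here as an added example that is not part of the thread and not F5 code: first, read the apd log to confirm which target APM actually opened (a 127.x address, as in the line Andy quoted, means the bind went through the internal virtual that fronts the AAA pool; a non-loopback address means a single-server AAA object talking to the LDAP server directly), and second, probe each pool member on its LDAP port from the BIG-IP and distinguish a silent timeout, which is what a firewall dropping the traffic looks like, from a refusal, which means the host answered but nothing is listening there. The script also flags plain ldap:// binds, since a simple bind sends the bind password unencrypted, which is the exposure the poster was deferring by leaving LDAPS for later. The log lines below are constructed from the one line in the post; the 10.1.20.x addresses, the extra session ids, and the decision to treat all of 127.0.0.0/8 as APM-internal are assumptions of this example.

```python
import re
import socket
from ipaddress import ip_address, ip_network

# Constructed sample log lines, modelled on the single apd debug line quoted
# in the post. Session ids, pid and the 10.1.20.x addresses are made up.
SAMPLE_LOG = """\
Apr  8 10:39:39 slot2/UK-F5-XXX debug apd[10255]: 01490027:7: cd8931ea: LDAP module: ldap_initialize() successful. URI:'ldap://127.7.0.5:389'
Apr  8 10:40:02 slot2/UK-F5-XXX debug apd[10255]: 01490027:7: 4f2a11c0: LDAP module: ldap_initialize() successful. URI:'ldap://10.1.20.11:389'
Apr  8 10:41:15 slot2/UK-F5-XXX debug apd[10255]: 01490027:7: 9b0c44d2: LDAP module: ldap_initialize() successful. URI:'ldaps://10.1.20.12:636'
"""

# APM binds to an internal loopback virtual when the AAA server uses a pool
# (127.7.0.5 in the post). Treating the whole of 127.0.0.0/8 as "internal"
# is an assumption of this example, not something the thread states.
INTERNAL_VS = ip_network("127.0.0.0/8")

LDAP_INIT_RE = re.compile(
    r"apd\[(?P<pid>\d+)\]: (?P<msgid>[0-9a-f]+:\d+): (?P<session>[0-9a-f]+): "
    r"LDAP module: ldap_initialize\(\) successful\. "
    r"URI:'(?P<scheme>ldaps?)://(?P<host>[^:']+):(?P<port>\d+)'"
)


def parse_ldap_init(line):
    """Extract session id, target and scheme from an ldap_initialize() log line.

    Returns None for lines that are not ldap_initialize() messages.
    """
    m = LDAP_INIT_RE.search(line)
    if m is None:
        return None
    host = m.group("host")
    try:
        via_pool_vs = ip_address(host) in INTERNAL_VS
    except ValueError:          # a hostname rather than an IP literal
        via_pool_vs = False
    return {
        "session": m.group("session"),
        "scheme": m.group("scheme"),
        "host": host,
        "port": int(m.group("port")),
        "via_pool_vs": via_pool_vs,
        # A simple bind over plain ldap:// carries the bind password in the clear.
        "plaintext": m.group("scheme") == "ldap",
    }


def summarise(log_text):
    """Parse every ldap_initialize() line in a block of apd log text."""
    return [r for r in (parse_ldap_init(l) for l in log_text.splitlines()) if r]


def tcp_probe(host, port, timeout=3.0):
    """Classify a TCP connect to a pool member: open, refused, timeout, unreachable.

    A silent timeout is what a firewall dropping port 389/636 looks like from
    the BIG-IP; a refusal means the host answered but nothing is listening.
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"
    except socket.timeout:
        return "timeout"
    except ConnectionRefusedError:
        return "refused"
    except OSError:
        return "unreachable"
    finally:
        s.close()


def probe_pool(members, timeout=3.0):
    """Probe every (host, port) pool member and return {'host:port': result}."""
    return {f"{h}:{p}": tcp_probe(h, p, timeout) for h, p in members}


def demo_local_probe():
    """Offline demonstration: probe a listener we open ourselves and a port
    on which nothing is listening, so the example runs without an LDAP server."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    open_port = srv.getsockname()[1]
    spare = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    spare.bind(("127.0.0.1", 0))
    closed_port = spare.getsockname()[1]
    spare.close()                      # released: connects will now be refused
    try:
        return probe_pool([("127.0.0.1", open_port), ("127.0.0.1", closed_port)], timeout=2.0)
    finally:
        srv.close()


if __name__ == "__main__":
    for rec in summarise(SAMPLE_LOG):
        path = "pool VS (loopback)" if rec["via_pool_vs"] else "direct"
        enc = "plaintext" if rec["plaintext"] else "TLS"
        print(f"session {rec['session']}: {rec['scheme']}://{rec['host']}:{rec['port']} via {path}, {enc}")
    # Against real pool members: probe_pool([("10.1.20.11", 389), ("10.1.20.12", 636)])
    print(demo_local_probe())
```

Run the probe from the BIG-IP itself (or from a host that sits in the same network position as its self-IP), because the firewall rule that matters is the one between the self-IP and the AD servers; a successful probe from a workstation says nothing about that path. If every member reports "timeout" while the apd log shows the bind going to the 127.x loopback virtual, the pool and intermediate virtual are wired as the thread describes and the problem is downstream of the BIG-IP, which is exactly the situation Andy ended up in.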