Configuring intermediate VS for LDAP/LDAPS HA
Hi,
I have successfully configured an LDAP AAA profile with a single server, and created an associated access profile with an interactive login page and LDAP Auth and LDAP Query functions to correctly authenticate and query a Windows AD server.
I now want to add additional servers via an LDAP AAA pool in order to provide some resiliency. I am following the guides but coming unstuck with the logic on how the HA works. My understanding is that you create the pool in the Access AAA configuration, which creates an LTM pool for the servers. You then create a Virtual Server which load balances to this pool (and in the case of LDAPS encrypts traffic with a Server SSL profile).
To keep things simple at this stage, I am not introducing SSL, so just trying to create a pool of LDAP servers. I have done this, and I have created a Virtual Server with this pool behind (all servers on non-SSL TCP 389). The VS is listening on 389, but I am unsure what IP I should be giving the Virtual Server. The line in the documentation reads:
"For the Destination setting in the Address field, type the IP address for the external LDAP server. This IP address must match a server address configured in the LDAP AAA server."
If I am reading this correctly, the IP for the Virtual Server should be the same as the real address of one of my AD LDAP servers (i.e., one of the LDAP pool members)? How does this work? I can see in the logs that when I try to make a connection using this access profile with the LDAP pool configured, an attempt to BIND for auth goes to a loopback address:
'Apr 8 10:39:39 slot2/UK-F5-XXX debug apd[10255]: 01490027:7: cd8931ea: LDAP module: ldap_initialize() successful. URI:'ldap://127.7.0.5:389'
However, the auth attempt/connection times out and no response from an LDAP server is received.
As mentioned at the top of this post, if I configure an AAA LDAP profile to a single server (using any one of the servers in the LDAP pool), it works fine. I can't help but feel that I have something wrong with the way the Virtual Server is configured?