Forum Discussion

AP
Nov 12, 2015

APM AAA LDAPS using a direct server configuration

Hi,

I have noticed that the option to use LDAPS in an APM AAA LDAP Profile only appears when using a pool configuration and not when using a direct configuration.

At first I thought this may be a GUI bug, as it is configurable via TMSH. However, whilst troubleshooting suggests handshake issues, I've tried every setting in the server-ssl profile to rule out server certificate validation issues. Therefore, I'm now wondering if this is not a GUI bug but actually an unsupported configuration for LDAPS.

The documentation (link at the bottom) for LDAPS includes the following task: "select Use Pool even if you have only one LDAP server". I also read somewhere that Pools use floating self-IPs, whereas direct uses the local self-IP. Documentation also talks about a Virtual Server being part of the LDAPS configuration. I'm guessing this is a hidden internal Virtual Server.

So, the questions are: Does LDAPS AAA only work with a Pool configuration? Has anyone gotten a Direct configuration working for LDAPS?

Admittedly the documentation gives direction to use a pool now that I've studied it; however, if the difference in behaviour under the hood is so different, I'd expect more "important" footnotes and gotchas in the documentation.

Note: Unfortunately I'm unable to try out a pool configuration easily due to FW rules preventing use of the floating self-IP (unless there is a way to change the self-IP used?). We're handling LDAPS HA via an existing load balancing configuration on a separate F5.

Running Version 11.6.0 HF5

https://support.f5.com/kb/en-us/products/big-ip_apm/manuals/product/apm-authentication-single-sign-on-11-6-0/4.htmlconceptid

Thanks,

Andrew

 

1 Reply

  • AP

    The answer from F5 support is: yes, you do need to use a pool for LDAPS.

    I was able to successfully implement a temporary workaround to my short-term floating self-IP FW rule issue. I will eventually change to a standard Pool configuration.

    The workaround involved setting up a helper virtual server which I pointed a "direct" LDAP AAA configuration at. The helper was configured with the server-ssl profile, a SNAT pool containing the non-floating self-IP and a pool containing the LDAPS server address.

    Hope this clears up the matter for others.
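The helper-virtual-server workaround from the reply, written out as tmsh commands (an added illustration, not the poster's or F5's configuration; every address, object name and the CA bundle file name is a constructed placeholder, and the `apm aaa ldap` attributes are given from memory of the tmsh reference, so check them against your version). It also sets the server-ssl profile to actually validate the LDAPS server's certificate, which the built-in serverssl profile does not do on its own.

```tmsh
# Helper VS so that a "direct" APM LDAP AAA server reaches an LDAPS backend
# while sourcing from the unit's non-floating self-IP.
# Constructed example values throughout: 192.0.2.10 (LDAPS server),
# 10.0.0.5 (non-floating self-IP), 10.0.0.200 (helper VS), ldaps_ca_bundle.crt.

# 1. Pool containing the real LDAPS server (TLS on 636).
create ltm pool ldaps_pool members add { 192.0.2.10:636 } monitor tcp

# 2. SNAT pool holding the non-floating self-IP, the source address the
#    firewall already permits towards the LDAPS server.
create ltm snatpool ldaps_snatpool members add { 10.0.0.5 }

# 3. Server-side SSL profile. The built-in serverssl profile has
#    peer-cert-mode ignore, i.e. any certificate is accepted; require
#    validation against a CA bundle and pin the expected server name so a
#    spoofed or mis-issued directory server is rejected at the handshake.
create ltm profile server-ssl ldaps_serverssl defaults-from serverssl ca-file ldaps_ca_bundle.crt peer-cert-mode require authenticate-name ldap.example.com

# 4. The helper virtual server: plain LDAP on the client side (a connection
#    that stays on the BIG-IP, since APM connects to it locally), TLS to the
#    pool on the server side, SNAT to the non-floating self-IP.
create ltm virtual ldaps_helper_vs destination 10.0.0.200:389 ip-protocol tcp pool ldaps_pool profiles add { tcp { } ldaps_serverssl { context serverside } } source-address-translation { type snat pool ldaps_snatpool }

# 5. The APM AAA LDAP server in direct mode points at the helper, not at the
#    LDAPS server; bind DN, password and search base are set as for any
#    LDAP AAA server (attribute names assumed from the tmsh reference).
create apm aaa ldap ldaps_direct_aaa address 10.0.0.200 port 389

# Verify the helper is available and watch server-side handshake counters
# while testing a login; failures here point at the CA bundle or name check.
show ltm virtual ldaps_helper_vs
show ltm profile server-ssl ldaps_serverssl
```

If the handshake counters show failures, confirm the bundle contains the issuing CA and that `authenticate-name` matches the name in the server certificate before relaxing any setting.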