FredR_30652
Dec 24, 2008

External LDAPs Monitor

Hello,

Running BIG-IP 1600 9.4.5 Build 1086.1 Hotfix HF2.

I'm facing a problem with the standard LDAP monitor secured with SSL (it works fine without SSL, but that's not the goal).

I applied SOL9530 and SOL9531, but that didn't help.

If someone has it running, help would be appreciated!

As a temporary solution I wrote an external monitor (many thanks to Deb for his posts
http://devcentral.f5.com/Default.aspx?tabid=63&articleType=ArticleView&articleId=151
and
http://devcentral.f5.com/Default.aspx?tabid=63&articleType=ArticleView&articleId=152
).

Here is my code:

#!/bin/bash
# (c) Copyright 1996-2005 F5 Networks, Inc.
#
# This software is confidential and may contain trade secrets that are the
# property of F5 Networks, Inc. No part of the software may be disclosed
# to other parties without the express written consent of F5 Networks, Inc.
# It is against the law to copy the software. No part of the software may
# be reproduced, transmitted, or distributed in any form or by any means,
# electronic or mechanical, including photocopying, recording, or information
# storage and retrieval systems, for any purpose without the express written
# permission of F5 Networks, Inc. Our services are only available for legal
# users of the program, for instance in the event that we extend our services
# by offering the updating of files via the Internet.
#
# (based on //depot/maint/bigip9.4.5/tm_daemon/monitors/sample_monitor1 )
#
# @(#) $Id: myLDAPSmonitor,v 1.0 2008/12/23 deb Exp $
#
# these arguments supplied automatically for all external monitors:
# $1 = IP (IPv6 notation. IPv4 addresses are passed in the form
#          ::ffff:w.x.y.z
#          where "w.x.y.z" is the IPv4 address)
# $2 = port (decimal, host byte order)
#
# Additional command line arguments ($3 and higher) may be specified in the monitor template
# This example does not expect any additional command line arguments
#
# Name/Value pairs may also be specified in the monitor template
# This example expects the following Name/Value pairs:
#     LUSER  = the username for binding to the server
#     PSWD   = password
#     BASEDN = LDAP base
#     FILTER = Filter to apply

# remove IPv6/IPv4 compatibility prefix (LTM passes addresses in IPv6 format)
IP=`echo ${1} | sed 's/::ffff://'`
PORT=${2}

PIDFILE="/var/run/`basename ${0}`.${IP}_${PORT}.pid"
# kill off the last instance of this monitor if hung and log current pid
if [ -f $PIDFILE ]
then
    kill -9 `cat $PIDFILE` > /dev/null 2>&1
fi
echo "$$" > $PIDFILE

# Bind LDAPs
# (cd first so the relative TLS_CACERT ./myCA.crt path in ldap.conf resolves)
cd /usr/etc/openldap
# base DN and password are quoted so spaces or shell metacharacters in the
# monitor template values cannot break the command line
ldapsearch -b "${BASEDN}" -D "${LUSER}" -H ldaps://${IP}:${PORT} -w "${PSWD}" -s base -x "${FILTER}" > /dev/null 2>&1

# mark node UP if expected response was received
if [ $? -eq 0 ]
then
    echo "UP"
fi

rm -f $PIDFILE
exit

I had to add this line to /usr/etc/openldap/ldap.conf:

TLS_CACERT ./myCA.crt

Frederic.

My French is better than my English.


  • I had the same problem, and got this info from F5 after opening a support case:

    For BIG-IP LTM 9.4.5:

    LDAP monitors using SSL will not work out of the box. The following changes must be made to correct this.

    1. Add the following line to /usr/etc/openldap/ldap.conf:

    TLS_REQCERT never

    2. Add the following line to /etc/subdomain.d/usr.bin.bigd, inside the /usr/bin/bigd {} block:

    /usr/etc/openldap/ldap.conf r,

    3. Restart the subdomain:

    /etc/rc.d/init.d/subdomain restart

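The script in the opening post and the support-case workaround above both get the monitor working, but the workaround does it by setting TLS_REQCERT never, which tells the OpenLDAP client to accept any server certificate; the monitor then sends its bind password (PSWD) to whatever answers on that port. The example below is an added one, not Fred's script and not F5's sample_monitor1: it keeps the same argument and Name/Value contract (LUSER, PSWD, BASEDN, FILTER) and the same PID-file handling, but verifies the server certificate against the internal CA through the OpenLDAP client environment variables LDAPTLS_CACERT and LDAPTLS_REQCERT, so no change to ldap.conf and no dependency on the working directory is needed. The function names (strip_v6_prefix, ldaps_check, monitor_main), the extra CACERT pair and its default path under /usr/etc/openldap are this example's own assumptions.

```shell
#!/bin/bash
# Added example (not the original poster's script and not F5's sample monitor):
# an LDAPS external monitor that verifies the server certificate instead of
# relying on "TLS_REQCERT never". Function names and the default CA path are
# assumptions made for this example.
#
# Name/Value pairs expected from the monitor template, as in the original:
#   LUSER, PSWD, BASEDN, FILTER
# plus one assumed extra pair:
#   CACERT = path to the internal CA certificate (default assumes the myCA.crt
#            file the thread places in /usr/etc/openldap)

# Remove the IPv4-mapped IPv6 prefix LTM uses (::ffff:10.0.0.5 -> 10.0.0.5);
# a plain IPv6 address is passed through unchanged.
strip_v6_prefix() {
    printf '%s\n' "$1" | sed 's/^::ffff://'
}

# One authenticated LDAPS bind and base-scope search.
# Prints "UP" and returns 0 on success; prints nothing and returns 1 otherwise,
# which is the external monitor contract (bigd only looks for "UP").
# Arguments: ip port basedn binddn password filter cacert
ldaps_check() {
    local ip="$1" port="$2" basedn="$3" binddn="$4" pswd="$5" filter="$6" cacert="$7"
    # LDAPTLS_CACERT / LDAPTLS_REQCERT are the OpenLDAP client's environment
    # overrides for the TLS_CACERT / TLS_REQCERT ldap.conf directives.
    # "demand" makes the check fail on any certificate that does not chain to
    # the CA, so the bind password never reaches an unverified peer.
    # Every template value is quoted so a base DN or password containing
    # spaces or shell metacharacters cannot break the command line.
    if LDAPTLS_CACERT="$cacert" LDAPTLS_REQCERT=demand \
        ldapsearch -x -LLL -H "ldaps://${ip}:${port}" -D "$binddn" -w "$pswd" \
                   -b "$basedn" -s base "$filter" > /dev/null 2>&1
    then
        echo "UP"
        return 0
    fi
    return 1
}

# Entry point used when bigd runs the script with $1 = IP and $2 = port.
monitor_main() {
    local ip port pidfile
    ip=$(strip_v6_prefix "$1")
    port="$2"
    # Same hung-instance handling as the original: kill the previous run for
    # this node, then record our own pid.
    pidfile="/var/run/$(basename "$0").${ip}_${port}.pid"
    if [ -f "$pidfile" ]; then
        kill -9 "$(cat "$pidfile")" > /dev/null 2>&1
    fi
    echo "$$" > "$pidfile"

    ldaps_check "$ip" "$port" "$BASEDN" "$LUSER" "$PSWD" "$FILTER" \
                "${CACERT:-/usr/etc/openldap/myCA.crt}"

    rm -f "$pidfile"
    exit
}

# Only run as a monitor when bigd supplies the IP and port arguments.
if [ "$#" -ge 2 ]; then
    monitor_main "$@"
fi
```

Two practical notes. First, the reply above shows that bigd runs under a subdomain profile that had to be granted read access to ldap.conf; expect the CA certificate path to need the same kind of rule. Second, -w puts the bind password on the ldapsearch command line, exactly as the original does, where any local process listing can read it; where the platform's ldapsearch supports -y, a password file readable only by the monitor is the safer choice, and the monitor account should in any case be a read-only LDAP user with no rights beyond the probe.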
  • Deb_Allen_18
    Historic F5 Account
    This issue affected only 9.4.5.

    Implementing the workarounds in SOL9530 & 9531 should have fixed your issue, but it looks like SOL9530 doesn't mention that the added line needs to go inside the brackets... I will check it out & correct the solutions as required.

    Thanks for posting back with the solution!

    (and you're very welcome for the external monitor articles, Fred. :-))

    /deb
  • Hi All,

    I think I am too much of a newbie on BIG-IP and I'm missing something about how it works.

    SOL9530 and SOL9531 fix the problem, but when I add one more line in /usr/etc/openldap/ldap.conf for my internal CA cert (TLS_CACERT ./myCA.crt) it does not work. With only this line, TLS_REQCERT never, there is no need for the external monitor. Anyway, it was a good game to write this monitor.

    Thanks for your help.

    Fred.

    My French is still better than my English.