Forum Discussion

FishNiX_29746's avatar
FishNiX_29746
Icon for Nimbostratus rankNimbostratus
May 12, 2010

Help with LDAPS health monitor v9.4.8

We are trying to load balance some members which vend ldaps with selfsigned certs. I don't really want to import the CA or anything like that... but I am unable to get the members to go active. The members have reverse DNS that matches the cert name (which the F5 Config Guide says is required). 

  b monitor ad_ldaps_monitor list
monitor ad_ldaps_monitor {
   defaults from ldap
   debug "no"
   mandatoryattrs "no"
   password "xxxxxxxxx"
   security "ssl"
   username "xxxxxxx"
   passwd "xxxxxxxx"
}

 b pool addev_pool_ldaps  list
pool addev_pool_ldaps {
   lb method least conn
   monitor all ad_ldaps_monitor
   members
      111.111.111.111:ldaps
      222.222.222.222:ldaps
      333.333.333.333:ldaps
}
We are running 9.4.8 so I don't believe we are effected by the bug in 9.4.5
config
design
  • Hamish's avatar
    Hamish
    Icon for Cirrocumulus rankCirrocumulus
    May 13, 2010
    What happens when you simulate the ldaps monitoring using ldapsearch (As in SOL9311 - https://support.f5.com/kb/en-us/solutions/public/9000/300/sol9311.html)

     

     

    H
  • iaine's avatar
    iaine
    Icon for Nacreous rankNacreous
    May 14, 2010
    We had a similar problem when we upgraded to 9.4.5 a couple of years a go. I don't know if it's still relevant for your version but these are steps that we followed that F5 support forwarded on.

     

     

    Iain

     

     

    1. The new openldap installation uses /usr/etc/openldap/ldap.conf as its config file by default. Also the new library requires certificate checking by default. In this ldap.conf file you need to add the line:

     

    TLS_REQCERT never

     

    NOTE: The cr I file will change the config file the openldap library uses back to /etc/ldap.conf to avoid changes in 2 following.

     

    2. Unfortunately subdomain does not allow access to this newly formed ldap.conf file, you need to add this for it to work.

     

    2a. Add the following line to /etc/subdomain.d/usr.bin.bigd:

     

    /usr/etc/openldap/ldap.conf r,

     

    2b. restart subdomain:

     

    /etc/rc.d/init.d/subdomain restart
  • FishNiX_29746's avatar
    FishNiX_29746
    Icon for Nimbostratus rankNimbostratus
    May 24, 2010
    Thanks for the help! To close the loop, here is what worked. 
    
monitor ad_ldaps_monitor {
   defaults from ldap
   base "cn=Users,dc=fu,dc=foobar,dc=net"
   debug "no"
   filter "cn=user1"
   mandatoryattrs "no"
   password "xxxxxxxxx"
   security "ssl"
   username "cn=user1,cn=Users,dc=fu,dc=foobar,dc=net"
   passwd "xxxxxxxxx"
}