Is it possible to load balance ldap requests to Microsoft AD servers?
Our Linux servers currently authenticate using LDAP against Microsoft AD servers. Right now we are doing this using insecure LDAP and we point directly at the AD servers. What we would like to do is use secure LDAP and also run it through a VIP on the LB. Because of the way the certificates work on the AD servers, I'm not exactly sure if this is possible. I'm wondering if anyone has run into a similar situation.
Thanks, Dan
5 Replies
- Cory_50405
Noctilucent
We do this today in our environment without issue. It doesn't require any special configuration. We set up a virtual server for the LDAP requests and then built a pool of AD servers to assign to it. Works like a champ.
Have you tried configuring it and are having problems getting it to work?
- Kevin_Stewart
Employee
If I may add, if you want LDAP in the front and LDAPS in the back, just add a server SSL profile to your port 389 TCP VIP. LDAPS to LDAPS would be a port 636 VIP to port 636 pool members, with no SSL profiles.
- dfinn_116037
Nimbostratus
Kevin, I think I want the latter of what you just described. We want it to be encrypted end to end. I was thinking I was going to have issues with certificate mismatches but it seems like it may be working OK.
- Wand_97484
Nimbostratus
Hi Dan,
If you have the following setup: DC A, hostname DCA.myad.net, and DC B, hostname DCB.myad.net, each of these hosts would have a different certificate installed to enable LDAPS at the 626 (DC) or 3269 (GC) port.
Add an LTM VIP with SSL offload, hostname DCALL.myad.net, and a Server SSL profile. This will perform SSL offload at the LTM for the VIP name and re-encrypt to the DCs (if they are properly configured to accept LDAPS).
cheers
- Jim_Larson_1062
Nimbostratus
There is also a nice F5 Certified iApp for load balancing LDAP. I load balanced ports 636 (LDAP) and 3269 (Global Catalog) successfully using the iApp.
Jim
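The certificate-mismatch question raised in the thread comes down to the name check a verifying LDAPS client runs on whichever certificate it is handed. The sketch below is an added example, not code from any poster or from F5; it assumes the client enforces hostname verification, the SAN lists are constructed sample data built from the hostnames mentioned above, and `DCA_with_vip_san` is a hypothetical certificate that also lists the VIP name.

```python
# Added example: the name check a verifying LDAPS client applies, evaluated for
# the two designs in the thread. All certificate contents are constructed samples.

def dns_name_matches(pattern: str, hostname: str) -> bool:
    """Compare one SAN dNSName with the name the client connected to.
    Case-insensitive; '*' is honoured only as the whole left-most label,
    covers exactly one label, and (conservative choice) needs two fixed labels."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h) or not all(h):
        return False
    if p[0] == "*":
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h

def cert_valid_for(san_dns_names, hostname):
    """True if any SAN entry on the certificate covers the hostname."""
    return any(dns_name_matches(n, hostname) for n in san_dns_names)

# Constructed SAN lists; hostnames are the ones used in the thread.
CERTS = {
    "DCA": ["DCA.myad.net"],
    "DCB": ["DCB.myad.net"],
    "VIP": ["DCALL.myad.net"],                               # cert on the client SSL side
    "DCA_with_vip_san": ["DCA.myad.net", "DCALL.myad.net"],  # hypothetical reissued DC cert
}

def client_outcomes(connect_name, presented):
    """For each certificate the client could be handed, does strict checking pass?"""
    return {c: cert_valid_for(CERTS[c], connect_name) for c in presented}

VIP_NAME = "DCALL.myad.net"
# 636 VIP -> 636 pool, no SSL profiles: the client sees whichever DC answered.
PASS_THROUGH = client_outcomes(VIP_NAME, ["DCA", "DCB"])
# SSL offload at the VIP plus a server SSL profile: the client sees the VIP cert.
REENCRYPT = client_outcomes(VIP_NAME, ["VIP"])
# Pass-through again, but the DC cert also carries the VIP name as a SAN.
PASS_THROUGH_SAN = client_outcomes(VIP_NAME, ["DCA_with_vip_san"])

if __name__ == "__main__":
    for label, result in [("pass-through", PASS_THROUGH),
                          ("offload + re-encrypt", REENCRYPT),
                          ("pass-through, VIP name in SAN", PASS_THROUGH_SAN)]:
        print(f"{label}: {result}")
```

If pass-through works without the VIP name on the DC certificates, check whether the client is actually verifying the server name (for OpenLDAP clients, the `TLS_REQCERT` setting in `ldap.conf`).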