Forum Discussion

smp_86112
Mar 06, 2009

LDAP Authentication for LTM administration

Our LTM is configured for Remote - Active Directory authentication to validate administrators who are logging in. It seems that there is a long delay between the time I enter my credentials and the time I am successfully logged in.

I took a tcpdump and captured the traffic between the LTM and the domain controller. From the trace I can see the LTM successfully binds to AD with an account we have designated for that purpose, looks up the account, and returns the search result. However, at that point, there is an exactly 60 second delay before the LTM sends a bind request for the administrator account. Once the request is made, the user is authenticated successfully in milliseconds.

The problem is that I can't seem to find any way to debug this behavior. Anyone seen it before? A simple telnet to the DC on the LDAP port comes back lightning fast, so the problem is not network. It seems the LTM is simply adding an unnecessary 60-second delay. This delay happens both at the admin GUI, SSH, and the console port.

  • I have seen this behavior at least with SSH and Telnet when the LTM has DNS resolvers listed but cannot query DNS. I would suggest double checking that.

    Thanks,

    CB

  • smp_86112
    This was a loooong time ago, but it appears I've documented several reasons for login delays - I've encountered this situation more than once.

    1. Bind account locked out. Our AD does not allow anonymous queries, so we must bind to AD with a valid account in order to validate anyone else's credentials. We created an application ID for this specific purpose, and if it's locked out, no one's AD credentials can be validated, which results in a delay (and an unsuccessful login).

    2. DNS search domain in /etc/resolv.conf. At some point, we had a **search localhost.com** directive in our /etc/resolv.conf. Since this was not a valid DNS domain in our environment, this entry caused a delay in DNS resolution. Commenting out this entry resolved this situation.

    3. Invalid/impaired/inaccessible DNS server - this will also cause login delays. If the DNS has been changed, I have also found that I needed to restart the httpd service - this does not have any impact on LTM traffic processing.

    4. Restart the httpd process - I've had to restart this process after updating DNS settings.

    HTH