LDAP Monitor Debug
Folks,
I've been looking over a few posts that have mentioned LDAP monitors to understand the DEBUG option. I've enabled DEBUG on a couple of LDAP monitors because there are intermittent log entries suggesting that a pool member is failing their health checks. Unfortunately for me, the monitor is communicating through SSL so I can't just do a sniff to see what's happening. I foolishly thought that using DEBUG might proffer an insight.
Here is the configuration of the monitor (details changed to protect the guilty):
ltm monitor ldap e7_server_ldaps {
    base cn=healthcheck,cn=localhost
    chase-referrals no
    debug yes
    defaults-from ldaps_template
    destination *.10636
    filter (&(objectclass=healthCheck)(isalive=true))
    interval 30
    mandatory-attributes yes
    partition Common
    password letmein
    security ssl
    time-until-up 0
    timeout 1
    up-interval 60
    username cn=e7healthcheck,ou=servers,dc=com
}
With debug turned on, this is the style of output that I'm getting:
********** Debugging session beginning at: Wed Oct 1 14:26:08 2014
Arguments 1-2:
::ffff:1.1.1.1
10636
Environment variables:
BASE=cn=healthcheck,cn=localhost
CHASE_REFERRALS=no
DEBUG=yes
FILTER=(&(objectclass=healthCheck)(isalive=true))
MANDATORYATTRS=yes
MON_TMPL_NAME=/Common/e7_server_ldaps
NODE_IP=::ffff:1.1.1.1
NODE_PORT=10636
PASSWORD=letmein
SECURITY=ssl
USERNAME=cn=e7healthcheck,ou=servers,dc=com
--
Host URL: ldaps://[::ffff:1.1.1.1]:10636
********** Debugging session beginning at: Wed Oct 1 14:26:38 2014
Arguments 1-2:
... and so on.
What I thought the DEBUG was going to offer was what the pool member returned. But as it stands, the health check has been failing consistently for the last couple of hours and not a hint from the DEBUG.
Other than turning off SSL so I can see the plaintext in a sniff, is there something I'm missing with the DEBUG? Is there something else I can do to see what the specific issue is?
Timothy
1 Reply
- Ian_Mahuron_383 (Historic F5 Account)
The LDAP monitor's debug messages tend to be on the negative side. That is, they accompany hard errors and there are very few informational messages. In fact, you're seeing one of the few informational messages, "Host URL". In this particular case, no news is good news. You can safely assume that a request was sent and the response was handled. If I were to take a guess, I'd say the LDAP server sent back no results, thus no "Up".
Try simulating your query using ldapsearch from the TMOS command line. It may provide some insight as to why your monitors are failing.
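The ldapsearch simulation suggested in the reply, sketched as an added example (not part of the original thread and not F5's code): it rebuilds the query from the variables shown in the debug output and judges the LDIF that comes back. The function names, the sample LDIF and the pass/fail rule are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: reproduce the monitor's LDAP query by hand and judge the reply.

# Print the ldapsearch command for the monitor settings held in the variables
# named in the debug output. -W prompts for the bind password, keeping it out
# of the process list and shell history. Assumes no value contains a single quote.
build_ldapsearch() {
    scheme=ldap
    if [ "$SECURITY" = ssl ]; then scheme=ldaps; fi
    host=$NODE_IP
    case $host in *:*) host="[$host]" ;; esac   # bracket IPv6 literals, as in "Host URL"
    printf "ldapsearch -x -LLL -H '%s://%s:%s' -D '%s' -W -b '%s' '%s'\n" \
        "$scheme" "$host" "$NODE_PORT" "$USERNAME" "$BASE" "$FILTER"
}

# Read ldapsearch -LLL output (LDIF) on stdin and print a verdict.
# Assumed rule, not the monitor's actual logic: "up" needs at least one entry,
# and with MANDATORYATTRS=yes every entry must carry at least one attribute.
ldif_verdict() {
    awk -v mandatory="$MANDATORYATTRS" '
        /^dn:/ { if (seen && attrs == 0) bare++; entries++; seen = 1; attrs = 0; next }
        /^[A-Za-z][A-Za-z0-9;.-]*:/ { attrs++ }   # attribute line; continuations are skipped
        END {
            if (seen && attrs == 0) bare++
            if (entries == 0) print "down: no entries matched"
            else if (mandatory == "yes" && bare > 0) print "down: entry without attributes"
            else printf "up: entries=%d\n", entries
        }'
}

# Settings copied from the debug output in the post.
SECURITY=ssl NODE_IP=::ffff:1.1.1.1 NODE_PORT=10636 MANDATORYATTRS=yes
USERNAME='cn=e7healthcheck,ou=servers,dc=com'
BASE='cn=healthcheck,cn=localhost'
FILTER='(&(objectclass=healthCheck)(isalive=true))'

build_ldapsearch
# Constructed sample replies: one matching entry, then an empty result set.
printf 'dn: %s\nobjectClass: healthCheck\nisalive: true\n' "$BASE" | ldif_verdict
printf '' | ldif_verdict
```

Run the printed command from the TMOS shell and pipe its output into `ldif_verdict`; where the installed ldapsearch is OpenLDAP's, adding `-d 1` prints client-side trace output for the connection.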