Forum Discussion
LDAP Password Expiry and Changes through APM
There is a F5 article on how to do this, but I had trouble finding it the first time (and now). Here's an external link on how to do it. http://f5admin.blogspot.com/2012/11/load-balancing-microsoft-active.html
Create a local VIP for your favorite LDAP port, put a pool behind it, and put your LDAP servers in the pool. You'll need an LDAP monitor; this is the only tricky part. Using an LDAP debug tool (ldp.exe, or newer) you will have to create an LDAP search string to put in the monitor.
You will need credentials in the LDAP monitor; this calls for a dedicated service account where the credentials don't expire.
Some hints - we've had intermittent issues when we bind the LDAP VIP to a local network IP (say on the management or LAN segment). Suggest creating a loopback (private) segment by putting a network cable on two physical ports, then binding a non-routable segment to this loopback. Then put your VIP on this segment; now it can only be used by the F5.
Limit the LDAP search scope as tightly as possible. If your LDAP search scope is from the top of AD down, you could have slow authentication performance while it trolls through sub-OUs looking for your user accounts. Limit the scope of the returned search data; you can minimize your return from 10 kbytes to 2 or 3.
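The loopback segment, scoped LDAP monitor, pool and local VIP described above, written out as tmsh commands; this is an added example, not from the original post or from F5, and every name, interface, address, DN and account in it is a placeholder to be replaced.

```tmsh
# Added example (not from the post); all names, interfaces, IPs, DNs and the
# account below are placeholders. Run inside tmsh on the BIG-IP.

# 1. Loopback VLAN on the two cabled ports, plus a non-routable self IP that
#    exposes no services, so the VIP below is reachable only from the BIG-IP.
create net vlan ldap_loopback interfaces add { 1.3 { untagged } 1.4 { untagged } }
create net self 10.255.255.1/24 address 10.255.255.1/24 vlan ldap_loopback allow-service none

# 2. LDAP monitor: dedicated non-expiring service account, search base pinned
#    to the OU holding the user accounts (not the domain root), and a filter
#    that matches exactly one object so the reply stays small.
create ltm monitor ldap ldap_mon_ad {
    defaults-from ldap
    interval 10
    timeout 31
    base "OU=Users,OU=Corp,DC=example,DC=local"
    filter "(sAMAccountName=svc_ldapmon)"
    username "svc_ldapmon@example.local"
    password "REPLACE_WITH_SERVICE_ACCOUNT_PASSWORD"
    security none
}

# 3. Pool of domain controllers, health-checked with that monitor.
create ltm pool pool_ad_ldap {
    monitor ldap_mon_ad
    members add { 10.10.1.21:389 { } 10.10.1.22:389 { } }
}

# 4. Local VIP on the loopback segment; point the APM AAA server at
#    10.255.255.10:389 instead of at the domain controllers directly.
create ltm virtual vs_ad_ldap {
    destination 10.255.255.10:389
    ip-protocol tcp
    profiles add { tcp { } }
    pool pool_ad_ldap
    source-address-translation { type automap }
}
save sys config
```

Active Directory only accepts password changes over an encrypted LDAP session, so if APM will perform the password change through this VIP, run the pool members and VIP on 636 and set `security ssl` in the monitor.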
- Feb 06, 2014
I do not believe you need to attach a cable to create a non-routable network segment. I would imagine the only time you may need to use a cable is in an active-active scenario, where either unit may need access to the virtual services in that range. If you are only running active-standby, then I believe you could forgo assigning an interface to the VLAN entirely.