Forum Discussion
LDAP Password Expiry and Changes through APM
There is an F5 article on how to do this, but I had trouble finding it the first time (and now). Here's an external link on how to do it: http://f5admin.blogspot.com/2012/11/load-balancing-microsoft-active.html
Create a local VIP for your favorite LDAP port, put a pool behind it, and put your LDAP servers in the pool. You'll need an LDAP monitor; this is the only tricky part. Using an LDAP debug tool (ldp.exe, or newer) you will have to create an LDAP search string to put in the monitor.
You will need credentials in the LDAP monitor; this calls for a dedicated service account where the credentials don't expire.
Some hints: we've had intermittent issues when we bind the LDAP VIP to a local network IP (say on the management or LAN segment). I suggest creating a loopback (private) segment by putting a network cable between two physical ports, then binding a non-routable segment to this loopback. Then put your VIP on this segment; now it can only be used by the F5.
Limit the LDAP search scope as tightly as possible. If your LDAP search scope is from the top of AD down, you could have slow authentication performance while it trolls through sub-OUs looking for your user accounts. Limit the scope of the returned search data; you can minimize your return from 10 kbytes to 2 or 3.
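The setup the post describes, written out as tmsh configuration. This is an added example, not F5's documentation or the poster's own config: every object name, IP address, DN, account name and VLAN below is a constructed placeholder, and the loopback VLAN and self IP (`/Common/vlan_loopback`) are assumed to have been created already.

```tmsh
# Added example (not from the original post or from F5). All names,
# addresses, DNs and the service account are constructed placeholders.

# 1. LDAP health monitor. It binds as a dedicated service account whose
#    password does not expire, then runs a narrow search. 'base' is the OU
#    that holds the service account, so the check does not walk the whole
#    domain, and 'mandatory-attributes yes' means a member is only marked up
#    when the search actually returns the entry, not merely when the bind
#    succeeds.
create ltm monitor ldap /Common/ldap_mon_ad {
    defaults-from ldap
    interval 10
    timeout 31
    username "svc-f5-ldapmon@example.corp"
    password "<service-account-password>"
    base "OU=ServiceAccounts,DC=example,DC=corp"
    filter "(&(objectClass=user)(sAMAccountName=svc-f5-ldapmon))"
    mandatory-attributes yes
    chase-referrals no
    security none
}

# 2. Pool of domain controllers on the plain LDAP port, checked by the
#    monitor above (addresses are constructed).
create ltm pool /Common/ldap_pool_ad {
    monitor /Common/ldap_mon_ad
    members add { 10.10.20.11:389 10.10.20.12:389 }
}

# 3. Virtual server on a non-routable address bound only to the loopback
#    VLAN from the post, so nothing off-box can reach it; APM on this unit
#    is the only client.
create ltm virtual /Common/vs_ldap_internal {
    destination 198.51.100.10:389
    ip-protocol tcp
    profiles add { tcp }
    pool /Common/ldap_pool_ad
    vlans add { /Common/vlan_loopback }
    vlans-enabled
    source-address-translation { type automap }
}

save sys config
```

Point the APM AAA server object at 198.51.100.10 instead of an individual domain controller, and check `show ltm pool /Common/ldap_pool_ad members` after a few monitor intervals: if members stay down, test the same bind and filter from ldp.exe first, since a filter that returns nothing combined with `mandatory-attributes yes` will mark an otherwise healthy DC down.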