F5 is upgrading its customer support chat feature on My.F5.com. Chat support will be unavailable from 6am-10am PST on 1/20/26. Refer to K000159584 for details.

Forum Discussion

inayamat_216028's avatar
inayamat_216028
Icon for Nimbostratus rankNimbostratus
Nov 24, 2015

Problem Load-balancing LDAP with GSSAPI using SASL Authentication

Hello,   We are trying to perform LDAP Load-balancing with F5 BIG-IP 12.0.0 Build 0.0.606 Final VE on port 389 using Windows 2012 R2 Active Directory Domain Controllers as pool members.   We ha...
application delivery
BIG-IP
iRules
Kai_Wilke's avatar
Kai_Wilke
Icon for MVP rankMVP
Apr 09, 2017

Hi inayamat, hi Yves,

 

SASL/GSSAPI depends on Kerberos session keys devired from TGS Tickets to authenticate and secure the LDAP(S) connection.

 

Whenever Load-Balancing meets Kerberos, you have to make sure that the load balanced services are all running under the same Service-Account, so that a single DNS Entry >> SPN Record >> Kerberos-TGS can be used to access and authenticate against every single pool member (its a MUST have).

 

Unfortunately an Active Directory Domain Controller can not be configured to use custom Service-Account to run its AD-LDAP Database. It will always use its Computer-Account identity and therefor simply won't work in a load balanced cluster.

 

Note: With AD LDS (Active Directory Lightweight Directory Services) you can configure a LDAP Service-Account of your choice, so that using LDAP-SASL/GSSAPI in combination with Load-Balancing isn't a problem anymore...

 

Note: You can also try to use a non-existen DNS Name while accessing the load balanced LDAPs. This will result normaly in a failback to NTLM. But keep in mind that its not garanteed that every client is able to perform the failback...

 

Cheers, Kai