Forum Discussion

federico__guerr
Nov 13, 2006

Problem with _sys_auth_ldap iRule

Hi everybody,

I'm experiencing the following problem with LDAP authentication.

I configured a virtual server on BIG-IP 9.2.3 that manages HTTPS traffic for a web application.

The virtual server

1) terminates the SSL connection and routes HTTP traffic to the application server;

2) authenticates users against an Active Directory LDAP server (the authentication scheme is HTTP basic authentication).

The virtual server configuration is very simple:

- there is only one pool associated with it;
- the pool contains only one node;
- no persistence profile is selected;
- the authentication profile references the default _sys_auth_ldap iRule;
- the virtual server config references another simple iRule that manages rewriting issues for HTTP 3xx redirect responses from the application server.

Everything works fine if only one user accesses the web application. However, if two users try to concurrently authenticate, the _sys_auth_ldap behaviour becomes unpredictable: sometimes the second user gets access to the application only after the first one has successfully authenticated; sometimes the authentication fails even if the credentials are correct; worse yet, sometimes LDAP authentication becomes unavailable for all the virtual servers (reboot needed).

Any idea why this happens? If needed, I can provide a more detailed log of the concurrent authentication requests that make the problem show up.

Thank you,

f.