Forum Discussion

Dan_Markhasin_1
May 10, 2016

Retry LDAP connection on APM LDAP Auth?

Hi,

 

We are sometimes seeing sporadic failures in the APM log when it tries to authenticate users to LDAP. I'm trying to figure out if there is any way to make it retry the authentication attempt if it encountered a timeout.

 

According to this document, in 11.2 there was an option to specify "Retries" in the AAA configuration in APM, but we are running 11.5.3 and there is no such option there.

 

Does anyone know what is the best method to retry the LDAP authentication if it fails due to a timeout?

 

  • Hello,

     

    Even in 11.5.3, you have an option in the LDAP auth to manage the number of attempts. You can also define a macro that has a login page and an LDAP auth/query and ends with a loop. So you can define a loop and the number of loop attempts in the macro ending.

     

    • Yann_Desmarest_
      You can also take a decision to loop in the macro if the following variable indicates a timeout: session.ldap.last.errmsg
    • Dan_Markhasin_1
      Thanks, I will try that. I was hoping that there would be an easier way to do it, since for RADIUS servers there is a very simple Retries attribute in the AAA server config, which is oddly missing for LDAP servers.