Showing results for 
Search instead for 
Did you mean: 

Load-balancing Active Directory - How to preserve Source IP


I'm load-balancing active directory port 389 and it's working great. The only issue is sometimes clients connect to the VIP and lockout the AD service-accounts. When they look at the domain-controller logs the admins can't find the source-ip of the client because every request comes from the F5 self-ip (automap). How can the source-ip of the request either be logged or inserted into the AD traffic? If this were HTTP I would use the X-Forwarder-For header, but it's not HTTP. 


Thank you


Thanks. That is interesting but doesn't really help in a practical sense as you won't be able to correlate the source ip with the BIND request that actually locked out the account.

Hello Bryan.


It's not possible to inject source IP into an AD request, the same way as with HTTP XFF.

The only way is to disable automap.


In the link shows an example of how to log AD queries by user/real-IP to an external syslog server. Maybe it's a higher level of complexity than you were looking for, but if you find a way to let AD to check those logs before taking the decission to lockout some user, that would be a way to workaround your issue.


I know it's hard, but sometimes customer requirements are too unrealistic :-).