01-Sep-2020 08:53
I'm load-balancing Active Directory port 389 and it's working great. The only issue is that sometimes clients connect to the VIP and lock out the AD service accounts. When they look at the domain-controller logs, the admins can't find the source IP of the client because every request comes from the F5 self-IP (automap). How can the source IP of the request either be logged or inserted into the AD traffic? If this were HTTP I would use the X-Forwarded-For header, but it's not HTTP.
Thank you
01-Sep-2020 09:38
Hello Bryan.
Check this:
https://devcentral.f5.com/s/question/0D51T00007BG1Pc/insert-client-ip-address-on-ldap-vs
Regards,
Dario.
02-Sep-2020 09:43
Thanks. That is interesting but doesn't really help in a practical sense as you won't be able to correlate the source ip with the BIND request that actually locked out the account.
02-Sep-2020 10:17
Hello Bryan.
It's not possible to inject the source IP into an AD request the same way as with HTTP XFF.
The only way is to disable automap.
The link shows an example of how to log AD queries by user/real IP to an external syslog server. Maybe it's a higher level of complexity than you were looking for, but if you find a way to let AD check those logs before taking the decision to lock out some user, that would be a way to work around your issue.
I know it's hard, but sometimes customer requirements are too unrealistic :-).
Regards,
Dario.
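The approach referred to above logs the bound account next to the real client IP instead of inserting the IP into the LDAP stream. The following is an added example, not code from the thread or the linked article: it parses the BER-encoded LDAP BindRequest (RFC 4511) seen on an unencrypted port 389 connection to pull out the message ID, bind DN and authentication choice, and formats a log record that carries both the client IP and the account, which is the correlation the lockout investigation needs. All function names, the sample DN and the constructed packet builder are mine.

```python
# Extract (messageID, bind DN, auth type) from an LDAP BindRequest so the real
# client IP seen at the load balancer can be tied to the account being bound.

def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the BER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        if n == 0 or n > 4:
            raise ValueError("unsupported BER length encoding")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    value = buf[pos:pos + length]
    if len(value) != length:
        raise ValueError("truncated BER element")
    return tag, value, pos + length

def parse_bind_request(packet):
    """Parse LDAPMessage{messageID, protocolOp}; None if the op is not a BindRequest."""
    tag, msg, _ = _read_tlv(packet, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage SEQUENCE")
    tag, mid, pos = _read_tlv(msg, 0)
    if tag != 0x02:
        raise ValueError("missing messageID INTEGER")
    tag, body, _ = _read_tlv(msg, pos)
    if tag != 0x60:  # [APPLICATION 0] constructed = BindRequest
        return None
    _, ver, pos = _read_tlv(body, 0)           # version INTEGER
    tag, name, pos = _read_tlv(body, pos)      # name LDAPDN (OCTET STRING)
    if tag != 0x04:
        raise ValueError("bind name is not an OCTET STRING")
    auth_tag, _, _ = _read_tlv(body, pos)      # [0] simple or [3] sasl
    auth = {0x80: "simple", 0xA3: "sasl"}.get(auth_tag, "unknown")
    return {"message_id": int.from_bytes(mid, "big", signed=True),
            "version": ver[0], "dn": name.decode("utf-8"), "auth": auth}

def log_line(client_ip, vip, packet):
    """Syslog-style record linking the real client IP to the DN it tried to bind as."""
    info = parse_bind_request(packet)
    return None if info is None else (f"ldap_bind client={client_ip} vip={vip} "
        f"msgid={info['message_id']} auth={info['auth']} dn={info['dn']}")

def _tlv(tag, value):
    n = len(value)  # short form below 128 bytes, else two-byte long form
    return (bytes([tag, n]) if n < 128 else bytes([tag, 0x82]) + n.to_bytes(2, "big")) + value

def build_simple_bind(message_id, dn, password):
    """Constructed sample simple-auth BindRequest (message_id below 128) for testing."""
    body = _tlv(0x02, b"\x03") + _tlv(0x04, dn.encode()) + _tlv(0x80, password.encode())
    return _tlv(0x30, _tlv(0x02, bytes([message_id])) + _tlv(0x60, body))
```

Feeding `log_line("10.20.30.40", "10.0.0.5:389", build_simple_bind(1, "CN=svc-ldap,OU=Service Accounts,DC=corp,DC=example", "hunter2"))` yields a record with the client address and the service account DN, which is what the DC event log alone cannot show behind SNAT automap. The same parse logic only works where the balancer sees cleartext LDAP; LDAPS or StartTLS traffic would have to be terminated on the proxy first.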