Blue_whale
Jul 07, 2022

Why do we use username and password in Healthcheck Monitor?

Hi Team,

We have an LDAP VIP, and we could see the healthcheck monitor which is applied to the pool has username/password enabled and used.

Why do we need to authenticate first before checking the services on the server?

When do we really need to enable the username/password option in monitoring?

2 Replies

  • If you want to make a monitor to just check the service, then you can use a tcp monitor on the port of the LDAP, and this is called a service check. The F5 LDAP monitor is an application monitor that checks the application itself, so not only does LDAP need to reply, but the reply is checked to see if it is valid.

    https://support.f5.com/csp/article/K17472

    If your AD server supports anonymous searches by specific source IP addresses, you may create an external bash script monitor with the "ldapsearch" Linux command that will log into the LDAP without a password, but I do not recommend it.

    https://support.f5.com/csp/article/K71282813

    https://support.f5.com/csp/article/K15811

  • WAY back, as a customer, I ran my LDAP through my BIG-IP 6400s. That is a feature that allows you to test authentication as a portion of your monitor. If the SLAPD manager password changes, or such, everything breaks... but that can also be a good thing. If someone has changed your SLAPD manager password w/out your awareness, you become aware VERY quickly! 🙂 Also, as noted by Nikoolayy1, you do not NEED to do this with a TCP monitor. I just thought I'd expand on WHY you might want that: to test the protocol fully with a search in your monitor.
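
As an added example (not part of the thread and not F5's own code), here is a sketch of an external monitor script that performs an authenticated base search with `ldapsearch` and tells a rejected bind apart from an unreachable server, which is the difference between an application check and a plain TCP service check discussed in the replies. It assumes OpenLDAP's `ldapsearch`, the BIG-IP external-monitor convention that the member address and port arrive as `$1` and `$2` and that any output on stdout marks the member up, and the hypothetical variable names `BIND_DN`, `BIND_PW_FILE`, `BASE_DN` and `LDAPSEARCH`.

```shell
#!/bin/sh
# Added example: external LDAP health check doing an authenticated bind + base search.
# Assumed (not from the thread): OpenLDAP ldapsearch; BIND_DN, BIND_PW_FILE, BASE_DN
# and LDAPSEARCH are hypothetical variable names set on the monitor/environment.

LDAPSEARCH="${LDAPSEARCH:-ldapsearch}"

# Map an ldapsearch exit status (the LDAP result code) to a monitor state.
classify_ldap_rc() {
  case "$1" in
    0)   echo "up" ;;
    49)  echo "down:invalid-credentials" ;;   # bind DN or password no longer valid
    32)  echo "down:no-such-object" ;;        # BASE_DN missing on this server
    255) echo "down:unreachable" ;;           # could not contact the server
    *)   echo "down:ldap-error-$1" ;;
  esac
}

# check_ldap ADDRESS PORT -> prints the state for one pool member.
check_ldap() {
  host="${1#::ffff:}"   # strip the IPv4-mapped prefix the monitor may pass
  # -y reads the password from a file so it never appears in the process list.
  "$LDAPSEARCH" -x -H "ldap://${host}:$2" -o nettimeout=5 \
      -D "$BIND_DN" -y "$BIND_PW_FILE" \
      -b "$BASE_DN" -s base '(objectClass=*)' 1.1 >/dev/null 2>&1 && rc=0 || rc=$?
  classify_ldap_rc "$rc"
}

# Run as a monitor only when called with ADDRESS PORT.
if [ "$#" -ge 2 ]; then
  state=$(check_ldap "$1" "$2")
  if [ "$state" = "up" ]; then
    echo "up"                                  # any stdout output marks the member up
  else
    echo "ldap monitor $1:$2 $state" >&2       # stay silent on stdout when down
  fi
fi
```

`ldapsearch -y` uses the file's entire contents as the password, so write the file without a trailing newline and restrict its permissions to the account that runs the monitor.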