Hi Team ,
We have an LDAP VIP , and we could see the heathcheck monitor which is applied to the pool has username password enabled and used .
Why do we need to authenticate first before checking the services on the server ?
When do we really need to enable username/pasword option in monitoring ?
07-Jul-2022 09:44 - edited 07-Jul-2022 09:45
If you want to make a monitor to just check check the service then you can use tcp monitor on the port of the LDAP and this is called service check. The F5 LDAP monitor is an application monitor that checks the application itself so not only LDAP needs to reply but the reply is checked if it is valid.
If your AD server supports anonymous searches by specific source IP addresses you may create external bash script monitor with the "ldapsearch" linux comman that will log into the LDAP without password but I do not recommend it.
WAY back, as a customer, I ran my LDAP through my BIG-IP 6400s. That is a feature that allows you to test authentication as a portion of your monitor. If the SLAPD manager password changes, or such, everything breaks.. but that can also be a good thing. If someone has changed your SLAPD manager password w/out your awareness, you become aware VERY quickly! 🙂 Also, as noted by @Nikoolayy1, you do not NEED to do this with a TCP monitor. I just thought I'd expand on WHY you might want that: to test the protocol fully with a search in your monitor.