F5 Load Balancers and Sun Directory Servers

An IP load balancer is often used to load balance Directory Servers (although far better and more feature-rich load balancing can be achieved with Sun Java System Directory Proxy Server).
If you choose to use a load balancer such as an F5 BIG-IP, configure the F5 as follows:
Create an LDAP monitor that executes a bind against the Directory Server. This is preferable to a standard TCP health check because:
  1. A simple TCP health check does not perform as complete an LDAP operation as a BIND.
  2. The LDAP server does not know how to handle the simple TCP health check properly, and thus in your Sun Directory Server logs you will likely see 4164 or 4166 errors.

Then complete the simple F5 configuration web form with the relevant details from your Directory Server:
  1. 'user name': enter an LDAP user that has no rights to important data in the Directory, ideally with an ACI that grants that user only the privilege it needs and nothing else. This ensures that if anyone compromises these credentials they cannot access other data. Sample ACI, placed on the monitor user's entry (or its container), that only allows the F5 user to modify its own password:
       aci: (targetattr = "userPassword") (version 3.0; acl "allow userpassword self modification"; allow (write) userdn = "ldap:///self";)
     Sun Directory Server denies anything no ACI allows, so the monitor user's effective rights are this ACI plus whatever broader ACIs (such as anonymous read) already apply under the same suffix; review those as well.
  2. 'password': the password for the user
  3. 'Base': base DN
  4. 'Filter': if your user is in its own OU there is no need to filter anything
  5. 'Security': select yes if you wish to test LDAPS (LDAP over SSL)
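What the bind monitor actually does on the wire, as an added example (Python, standard library only; this is not code from the original post, from F5 or from Sun). It encodes the LDAPv3 BindRequest such a monitor sends, reads and parses the server's BindResponse, sends an unbind, and decides the member's health from the resultCode; a bare TCP check, by contrast, never sends an LDAP PDU at all. The host name, port, monitor account cn=f5monitor and password used in the example call are assumptions.

```python
"""LDAPv3 simple-bind health check over a raw socket (standard library only).

Added example, not code from the original post, F5 or Sun: it shows what an
LDAP-bind monitor sends and expects, unlike a bare TCP check that opens a
connection and drops it without sending any LDAP PDU.  Host, port, bind DN
and password in the __main__ block are assumptions.
"""
import socket
import ssl

def _ber_len(n):
    """BER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _tlv(tag, value):
    """One BER tag-length-value element."""
    return bytes([tag]) + _ber_len(len(value)) + value

def _integer(n):
    """BER INTEGER for a non-negative value (a leading 0x00 keeps it positive)."""
    return _tlv(0x02, n.to_bytes((n.bit_length() + 8) // 8, "big"))

def build_bind_request(message_id, bind_dn, password):
    """LDAPMessage { messageID, BindRequest [APPLICATION 0] { version 3, name,
    simple password as context-specific [0] } }."""
    auth = _tlv(0x80, password.encode("utf-8"))
    bind = _tlv(0x60, _integer(3) + _tlv(0x04, bind_dn.encode("utf-8")) + auth)
    return _tlv(0x30, _integer(message_id) + bind)

def build_unbind_request(message_id):
    """LDAPMessage { messageID, UnbindRequest [APPLICATION 2] NULL }."""
    return _tlv(0x30, _integer(message_id) + b"\x42\x00")

def _read_tlv(buf, pos):
    """Decode one BER element at buf[pos]; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def parse_bind_response(pdu):
    """Return (message_id, result_code, diagnostic_message) from a BindResponse.
    BindResponse [APPLICATION 1] wraps an LDAPResult: resultCode ENUMERATED,
    matchedDN OCTET STRING, diagnosticMessage OCTET STRING."""
    tag, msg, _ = _read_tlv(pdu, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage SEQUENCE")
    _, mid, pos = _read_tlv(msg, 0)
    tag, op, _ = _read_tlv(msg, pos)
    if tag != 0x61:
        raise ValueError("expected BindResponse (0x61), got tag 0x%02x" % tag)
    tag, code, pos = _read_tlv(op, 0)
    if tag != 0x0A:
        raise ValueError("missing resultCode")
    _, _matched_dn, pos = _read_tlv(op, pos)
    _, diag, _ = _read_tlv(op, pos)
    return (int.from_bytes(mid, "big"), int.from_bytes(code, "big"),
            diag.decode("utf-8", errors="replace"))

def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("server closed the connection mid-PDU")
        buf += chunk
    return buf

def _recv_pdu(sock):
    """Read exactly one BER-framed LDAPMessage: tag, length octets, then body."""
    head = _recv_exact(sock, 2)
    length = head[1]
    if length & 0x80:
        extra = _recv_exact(sock, length & 0x7F)
        length, head = int.from_bytes(extra, "big"), head + extra
    return head + _recv_exact(sock, length)

def ldap_bind_check(host, port, bind_dn, password, use_tls=True, timeout=5.0):
    """Monitor probe: True only if the bind is answered with resultCode 0.
    Any other code (49 invalidCredentials, 52 unavailable, ...) or a dropped
    socket marks the member down; the unbind gives the server a clean close."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return False
    try:
        if use_tls:
            sock = ssl.create_default_context().wrap_socket(sock, server_hostname=host)
        sock.sendall(build_bind_request(1, bind_dn, password))
        _, code, _ = parse_bind_response(_recv_pdu(sock))
        sock.sendall(build_unbind_request(2))
        return code == 0
    except (OSError, ValueError):
        return False
    finally:
        sock.close()

if __name__ == "__main__":
    # Assumed values: replace with your own pool member, monitor user and password.
    print(ldap_bind_check("ldap.example.com", 636,
                          "cn=f5monitor,ou=monitors,dc=example,dc=com", "secret"))
```

Note that the probe's only "up" condition is resultCode 0: if the monitor password in the F5 form goes stale, every member answers with resultCode 49 (invalidCredentials) and is marked down even though the Directory Servers are healthy, so an all-members-down pool is worth checking against the monitor credentials before the servers themselves.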


Comments:

If you need to perform basic LDAP load balancing using the F5 LTM, and end-to-end LDAP over SSL is a security requirement, turn off the SSL client and server profiles (set to "NONE"), but still use the SSL port (tcp/636 is the standard LDAPS port), on both the client and server profiles on the F5 LTM.
The LTM just passes the LDAPS from the client to the server, without decrypting and re-encrypting.
This does take away the possibility to do some other creative things that we like to do with HTTP(S) traffic,
such as inspecting the traffic, inserting cookies, etc., but this should be acceptable for pure and simple LDAP load balancing. Of course thorough testing in your environment is always required, as this method may not be a solution in all cases.
This was tested using SUN DSEE 6.2, F5 LTM with BIGIP 9.4.1 and LdapBrowser 2.8.2.

Posted by Pete Francois on November 29, 2007 at 10:59 PM PST #

One of the issues we have experienced while using the F5 is the inability to find the host whenever there are problem clients. The F5 NATs the connection and therefore we have to enable special logging to find the problem client.

Posted by Darrell Durggin on July 29, 2008 at 06:58 AM PDT #

Darrell,
Thanks for your comment.
Try Directory Server access logs. The access log will show you who initiated the LDAP bind.
Or turn on Directory Server auditing temporarily, as audit logging does use more server resources.

Posted by Jonathan Gershater on July 29, 2008 at 07:13 AM PDT #

Jonathan,

The access logs will not show the IP of the offending host. It will only show the IP of the F5. One issue we've had is that some hosts open TCP connections on port 636 and do not properly close them. This results in server failures.

Posted by Darrell Durggin on July 30, 2008 at 01:58 AM PDT #

Darrell, check out a paper of mine here, in case some of your clients are misconfigured, else try F5 tech support

http://www.sun.com/bigadmin/features/articles/nis_ldap_part1.jsp

Posted by Jonathan Gershater on July 30, 2008 at 04:28 AM PDT #

About

Jonathan Gershater
