Forum Discussion

raZorTT
Jan 30, 2018

LDAP monitor behaviour

Hi

Just wanted to check my understanding of how an LDAP monitor behaves. Forgive the long background 😉

We had an incident where users couldn't authenticate because an AD Query in our access policy was failing.

AD agent: Query: query with '(|(sAMAccountName=bloggsjoe))' failed

Our current monitor still had the domain controller as up, so all users attempting to authenticate from that point failed. We forced the domain controller offline so it would send to the next in the pool (priority group), and users were able to authenticate.

I am looking to configure an LDAP monitor to attach to the pool of controllers used to authenticate users. It is configured to do an ldap search looking for a particular account. I have mandatory attributes set to true, so if the search fails it should mark the member down.

ltm monitor ldap /Common/ldap_dc_monitor {
    base "OU=Service Accounts,DC=prod,DC=local"
    chase-referrals yes
    debug no
    defaults-from /Common/ldap
    description "LDAP monitor for domain controllers used for auth"
    destination *:389
    filter sAMAccountName=f5_apm
    interval 10
    mandatory-attributes yes
    password ***********
    security tls
    time-until-up 0
    timeout 31
    username f5_apm@prod.local
}

I'm hoping this monitor will mimic the AD query, so if we have an occurrence where the primary domain controller has an issue with the search, it will be marked down and the next in the priority group will take over.

If I change the filter to something I know will fail I can see the pool members get marked down. However what I wasn't expecting was it takes the full timeout before it gets marked down.

I turned on debug and tailed the monitor's log file for the primary controller. I could see the response from the controller come back straight away, but it still waits the full timeout before bringing the member down.

no attributes were received for filter 'SAMAccountName=blah'

Is that expected behaviour? I was expecting the member to be marked down as soon as the above response was received.

Cheers, Simon

1 Reply

  • LTM is normally set up to fail 3 tests + 1 sec, and only then mark down. That is the normal setup.


    The behaviour you want is the default for a GTM monitor, for example. In that case it is common to change the behaviour to be like LTM. You do this by changing the option ignore response down.


    You can't do the same as in the GTM; however, you can change the timeout. The default interval is 10 sec, and you can set the timeout to 10 sec. It does not mark down immediately, but it does not wait for 3 attempts.
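    To make the interval/timeout interaction concrete, here is a small added illustration (not F5 code and not from either poster) that models the timing rule the reply describes: a probe every `interval` seconds, and the member marked down only once `timeout` seconds have passed without a successful probe. The probe verdict mirrors `mandatory-attributes yes`, where a quick reply with no attributes counts as a failed probe. The timing model and the instantaneous replies are assumptions.

```python
# Added illustration (not F5 code): a toy model of how an LTM monitor's
# interval/timeout interact, based on the reply above ("3 tests + 1 sec").
# Assumptions: one probe every `interval` seconds starting at t=0, replies are
# instantaneous, and the member goes DOWN only when `timeout` seconds pass with
# no successful probe. Real BIG-IP internals may differ in detail.

def probe_ok(bind_ok, attrs_returned, mandatory_attributes=True):
    """Model of the per-probe verdict.

    With mandatory-attributes yes (as in the monitor in the post), a search
    that binds fine but returns no attributes ("no attributes were received
    for filter ...") is a FAILED probe. With mandatory-attributes no, a clean
    bind/search is enough.
    """
    if not bind_ok:
        return False
    return attrs_returned > 0 or not mandatory_attributes


def mark_down_time(results, interval, timeout):
    """Return the simulated second at which the member is marked DOWN, or None.

    `results` holds one bool per probe (True = probe succeeded). The member is
    assumed UP with a good probe at t=0, so results[0] should be True.
    """
    last_success = 0
    for i, ok in enumerate(results):
        t = i * interval
        if t - last_success > timeout:      # timeout expired before this probe
            return last_success + timeout
        if ok:
            last_success = t
    # Also check the window after the final probe in the list.
    t = len(results) * interval
    return last_success + timeout if t - last_success > timeout else None


def recommended_timeout(interval):
    """The usual LTM rule of thumb: allow three missed probes plus one second."""
    return 3 * interval + 1


if __name__ == "__main__":
    # Constructed scenario from the post: the DC answers every probe promptly,
    # but returns no attributes from the second probe onward.
    dc_replies = [True, False, False, False, False, False]
    print("timeout 31:", mark_down_time(dc_replies, 10, 31))   # 31
    print("timeout 10:", mark_down_time(dc_replies, 10, 10))   # 10
```

    With the post's `interval 10` / `timeout 31` the member goes down 31 seconds after its last good probe even though every failed reply arrives instantly; with the reply's `timeout 10` it goes down at the first missed probe.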