F5 Load Balancers and Sun Directory Servers

An IP load balancer is often used to load balance Directory Servers (although far better and more feature-rich load balancing can be achieved with Sun Java System Directory Proxy Server).
If you choose to use a load balancer such as a BIG-IP F5, then please configure the F5 as follows:
Create an LDAP monitor that will execute a bind against the Directory Server. This is preferable to a standard TCP health check because:

  1. A simple TCP health check does not perform as complete an LDAP operation as a BIND.
  2. The LDAP server does not know how to handle the simple TCP health check properly, so in your Sun Directory Server logs you will likely see 4164 or 4166 errors.

Then complete the simple F5 configuration web form with the relevant details from your Directory Server:

  1. ‘user name’: enter an LDAP user that has no rights to important data in the Directory, ideally with an ACI that grants privileges only to that user and nothing else. This ensures that if anyone compromises these credentials they cannot access other data. Sample ACI that only allows the F5 user to modify their own password:
      aci: (targetattr = "userPassword") (version 3.0; acl "allow userpassword self modification"; allow (write) userdn = "ldap:///self";)
  2. ‘password’: the password for the user
  3. ‘Base’: base DN
  4. ‘Filter’: if your user is in its own OU there is no need to filter anything
  5. ‘Security’: select yes if you wish to test LDAPS (LDAP over SSL)
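To make concrete what the LDAP monitor actually exercises compared with a bare TCP connect, here is an added example (not from this post, and not F5's or Sun's code) that builds an LDAPv3 simple BindRequest, parses the BindResponse result code, and closes the session with an UnbindRequest so the server sees a proper LDAP close rather than a dropped socket. The monitor DN `cn=f5monitor,ou=monitors,dc=example,dc=com` used in the comments is a hypothetical placeholder.

```python
import socket
import ssl

def ber_len(n):
    """BER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def ber(tag, payload):
    return bytes([tag]) + ber_len(len(payload)) + payload

def ber_int(n):  # minimal positive INTEGER encoding
    return ber(0x02, n.to_bytes(n.bit_length() // 8 + 1, "big"))

def build_bind_request(msg_id, dn, password):
    """LDAPv3 simple BindRequest, e.g. for dn='cn=f5monitor,ou=monitors,dc=example,dc=com'."""
    bind = ber(0x60, ber(0x02, b"\x03") + ber(0x04, dn.encode()) + ber(0x80, password.encode()))
    return ber(0x30, ber_int(msg_id) + bind)  # LDAPMessage { messageID, [APPLICATION 0] }

def tlv(buf, pos):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def parse_bind_response(data):
    """Return (msg_id, resultCode, diagnosticMessage); resultCode 0 is success, 49 invalidCredentials."""
    tag, body, _ = tlv(data, 0)
    assert tag == 0x30, "not an LDAPMessage"
    tag, mid, pos = tlv(body, 0)
    tag, op, _ = tlv(body, pos)
    assert tag == 0x61, "not a BindResponse ([APPLICATION 1])"
    tag, rc, pos = tlv(op, 0)          # ENUMERATED resultCode
    _, _matched, pos = tlv(op, pos)    # matchedDN
    _, diag, _ = tlv(op, pos)          # diagnosticMessage
    return int.from_bytes(mid, "big"), int.from_bytes(rc, "big"), diag.decode(errors="replace")

UNBIND = ber(0x30, ber_int(2) + ber(0x42, b""))  # UnbindRequest: a clean LDAP-level close
def ldap_bind_check(host, port, dn, password, use_tls=False, timeout=5.0):
    """Health check: True only if the server answers the bind with resultCode 0."""
    sock = socket.create_connection((host, port), timeout=timeout)
    if use_tls:  # LDAPS on tcp/636, what the monitor's 'Security: yes' tests
        sock = ssl.create_default_context().wrap_socket(sock, server_hostname=host)
    with sock:
        sock.sendall(build_bind_request(1, dn, password))
        _, code, _ = parse_bind_response(sock.recv(4096))
        sock.sendall(UNBIND)
    return code == 0
```

A TCP-only monitor stops at `create_connection`; everything after it is the LDAP operation the text says the bind monitor adds.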


5 thoughts on “F5 Load Balancers and Sun Directory Servers”

  1. If you need to perform basic LDAP load balancing using the F5 LTM, and end to end LDAP over SSL is a security requirement, turn off the SSL client and server profiles (set to "NONE"), but still use the SSL port (tcp/636 is the standard LDAPS port), on both the client and server profiles on the F5 LTM.
    The LTM just passes the LDAPS from the client to the server, without decrypting and re-encrypting.
    This does take away the possibility to do some other creative things that we like to do with HTTP(S) traffic,
    such as inspecting the traffic, inserting cookies, etc, but this should be acceptable for pure and simple LDAP load balancing. Of course thorough testing in your environment is always required, as this method may not be a solution in all cases.
    This was tested using SUN DSEE 6.2, F5 LTM with BIGIP 9.4.1 and LdapBrowser 2.8.2.

  2. One of the issues we have experienced while using the F5 is the inability to find the host whenever there are problem clients. The F5 NATs the connection and therefore we have to enable special logging to find the problem client.

  3. Darrell
    Thanks for your comment
    Try Directory server access logs. The access log will show you who initiated the LDAP bind.
    Or turn on Directory server auditing temporarily as audit logging does use more server resources.

  4. Jonathan,
    The access logs will not show the ip of the offending host. It will only show the ip of the F5. One issue we’ve had is that some hosts open tcp connections on port 636 and do not properly close them. This results in server failures.
