LDAP/LDAPS Health Monitor

Overview

To monitor the health of the LDAP servers, an LDAP health monitor is used. This article covers the configuration for searching the LDAP servers using the LDAP health monitor. On successful search, the server will be marked Up else, it will be marked down.

Configuring LDAP/LDAPS Health Monitor

The configuration options for searching LDAP servers are as explained below:

Field Description Optional/ Mandatory
base_dn Enter the distinguished name (DN) of an entry. base_dn is the starting point of the search Mandatory
Attributes Use this to define the attributes to be returned on search. To configure multiple attributes, use commas to separate the attributes (for example, cn,address,email). Optional
Scope Select the scope of search from one of the following:
  • Base: To search for information only about the base_dn specified inside directory
  • One: To search for information at one level below the base_dn specified inside directory
  • Sub: To search for information at all levels below the base_dn specified inside directory.
 Optional
Filter Filter to search entries within the specified scope Optional
Username Enter the DN of the user, if the LDAP server requires authentication (present under general health monitor configuration under authentication) Optional
Password Enter the password of user if the LDAP server requires authentication (present under general health monitor configuration under authentication) Optional
SSL Attributes Enter SSL Attributes in case of LDAPS health monitor Mandatory for LDAPS Health Monitor

Note: Currently LDAP/LDAPS health monitor can be configured only using the CLI.

A sample configuration of the LDAP health monitor is as shown below:

 
[admin:avi-controller]: > configure healthmonitor ldap-hm
[admin:avi-controller]: healthmonitor> type health_monitor_ldap
[admin:avi-controller]: healthmonitor> authentication username cn=aviuser,ou=users,ou=system
[admin:avi-controller]: healthmonitor:authentication> password xyz123
[admin:avi-controller]: healthmonitor:authentication> save
[admin:avi-controller]: healthmonitor> ldap_monitor base_dn ou=system
[admin:avi-controller]: healthmonitor:ldap_monitor> save
[admin:avi-controller]: healthmonitor> save

A sample configuration for LDAPS health monitor is as shown below:

 
[admin:avi-controller]: > configure healthmonitor ldaps-hm
[admin:avi-controller]: healthmonitor> type health_monitor_ldaps
[admin:avi-controller]: healthmonitor> authentication username cn=aviuser,ou=users,ou=system
[admin:avi-controller]: healthmonitor:authentication> password xyz123
[admin:avi-controller]: healthmonitor:authentication> save
[admin:avi-controller]: healthmonitor> ldaps_monitor base_dn ou=system
[admin:avi-controller]: healthmonitor:ldaps_monitor> ssl_attributes ssl_profile_ref System-Standard
[admin:avi-controller]: healthmonitor:ldaps_monitor:ssl_attributes> save
[admin:avi-controller]: healthmonitor:ldaps_monitor> save
[admin:avi-controller]: healthmonitor> save

The following are the SSL configurations that can be used for LDAPS health monitor:

  • SSL Profile — Select an existing SSL Profile or create a new one, as required. This defines the ciphers and SSL versions to be used for the health monitor traffic to the backend servers.

  • PKI profile — Select an existing PKI profile or create a new one, as required. This will be used as to validate the SSL certificate presented by the server.

  • SSL key and certificate — Select an existing SSL Key and Certificate or create a new one, as required.

Notes:

  • When attributes are configured, the SE will match configured attributes in server response data. When the match is not found it marks the server down.
  • For lesser consumption of resources, configure specific base_dn having less number of entries with base scope so that server response data will not be large.