The LDAP health monitor checks the health of LDAP servers by running a search against them. This section covers how to configure that search. If the search succeeds, the server is marked UP; otherwise, it is marked DOWN.

Configuring LDAP/LDAPS Health Monitor

Configure LDAP/LDAPS settings in a health monitor using the following fields through the CLI.

| Field | Description | Optional/Mandatory |
|---|---|---|
| base_dn | Enter the distinguished name (DN) of an entry. base_dn is the starting point of the search. | Mandatory |
| Attributes | Use this to define the attributes to be returned on search. To configure multiple attributes, use commas to separate the attributes (for example, cn,address,email). | Optional |
| Scope | Select the scope of search from one of the following: Base (search for information only about the base_dn specified inside the directory); One (search for information at one level below the base_dn specified inside the directory); Sub (search for information at all levels below the base_dn specified inside the directory). | Optional |
| Filter | Filter to search entries within the specified scope. | Optional |
| Username | Enter the DN of the user if the LDAP server requires authentication (present under general health monitor configuration under authentication). | Optional |
| Password | Enter the password of the user if the LDAP server requires authentication (present under general health monitor configuration under authentication). | Optional |
| SSL Attributes | Enter SSL attributes in the case of an LDAPS health monitor. | Mandatory for LDAPS health monitor |

Note:

Currently, LDAP/LDAPS health monitor can be configured only using the CLI.

A sample configuration of the LDAP health monitor is shown below:

[admin:avi-controller]: > configure healthmonitor ldap-hm
[admin:avi-controller]: healthmonitor> type health_monitor_ldap
[admin:avi-controller]: healthmonitor> authentication username cn=aviuser,ou=users,ou=system
[admin:avi-controller]: healthmonitor:authentication> password xyz123
[admin:avi-controller]: healthmonitor:authentication> save
[admin:avi-controller]: healthmonitor> ldap_monitor base_dn ou=system
[admin:avi-controller]: healthmonitor:ldap_monitor> save
[admin:avi-controller]: healthmonitor> save

A sample configuration for LDAPS health monitor is shown below:

[admin:avi-controller]: > configure healthmonitor ldaps-hm
[admin:avi-controller]: healthmonitor> type health_monitor_ldaps
[admin:avi-controller]: healthmonitor> authentication username cn=aviuser,ou=users,ou=system
[admin:avi-controller]: healthmonitor:authentication> password xyz123
[admin:avi-controller]: healthmonitor:authentication> save
[admin:avi-controller]: healthmonitor> ldaps_monitor base_dn ou=system
[admin:avi-controller]: healthmonitor:ldaps_monitor> ssl_attributes ssl_profile_ref System-Standard
[admin:avi-controller]: healthmonitor:ldaps_monitor:ssl_attributes> save
[admin:avi-controller]: healthmonitor:ldaps_monitor> save
[admin:avi-controller]: healthmonitor> save

The following are the SSL configurations that can be used for the LDAPS health monitor:

  • SSL Profile - Select an existing SSL Profile or create a new one, as required. This defines the ciphers and SSL versions to be used for the health monitor traffic to the back end servers.

  • PKI profile - Select an existing PKI profile or create a new one, as required. This will be used to validate the SSL certificate presented by the server.

  • SSL key and certificate - Select an existing SSL Key and Certificate or create a new one, as required.

Note:
  • When attributes are configured, the SE matches the configured attributes against the server response data. If no match is found, it marks the server DOWN.

  • To reduce resource consumption, configure a specific base_dn that has few entries and use the base scope, so that the server response data is not large.
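
The scope options and the two notes above can be seen together in a small model of the monitor's decision. This is an added example, not code from the product: the directory contents, the function names, and the rule that every configured attribute must appear in the response are assumptions made for illustration.

```python
# Added model of the monitor's UP/DOWN decision; not Avi's implementation.
DIRECTORY = {  # constructed sample entries: DN -> attributes
    "ou=system": {"ou": "system"},
    "ou=users,ou=system": {"ou": "users"},
    "cn=aviuser,ou=users,ou=system": {"cn": "aviuser", "email": "avi@example.test"},
    "cn=svc,ou=users,ou=system": {"cn": "svc"},
}

def rdns(dn):
    # Simplification: splits on every comma, so escaped commas are not handled.
    return [part.strip().lower() for part in dn.split(",")]

def in_scope(dn, base_dn, scope):
    """base: only the base_dn entry; one: one level below; sub: all levels
    (standard LDAP subtree scope also returns the base entry itself)."""
    entry, base = rdns(dn), rdns(base_dn)
    if entry[-len(base):] != base:
        return False
    depth = len(entry) - len(base)
    return {"base": depth == 0, "one": depth == 1, "sub": depth >= 0}[scope]

def search(base_dn, scope, names):
    """Return [(dn, attrs)] or None when base_dn does not exist (failed search)."""
    if not any(rdns(dn) == rdns(base_dn) for dn in DIRECTORY):
        return None
    hits = []
    for dn, attrs in DIRECTORY.items():
        if in_scope(dn, base_dn, scope):
            # With no attribute list, every attribute of the entry is returned.
            hits.append((dn, {k: v for k, v in attrs.items() if not names or k in names}))
    return hits

def monitor(base_dn, scope, attributes=""):
    """Return (state, entries_returned) for one probe."""
    names = [a.strip().lower() for a in attributes.split(",") if a.strip()]
    hits = search(base_dn, scope, names)
    if hits is None:
        return "DOWN", 0
    # Assumption: each configured attribute must appear in the response data.
    seen = {name for _, attrs in hits for name in attrs}
    if any(name not in seen for name in names):
        return "DOWN", len(hits)
    return "UP", len(hits)

if __name__ == "__main__":
    for args in [("ou=system", "base"), ("ou=system", "sub"),
                 ("ou=system", "sub", "cn,email"), ("ou=system", "base", "cn")]:
        print(args, "->", monitor(*args))
```

With the base scope the probe returns one entry, while the sub scope returns every entry under ou=system; asking for cn with the base scope reports DOWN because the ou=system entry itself carries no cn attribute.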