LDAP/LDAPS Health Monitor

To monitor the health of the LDAP servers, LDAP health monitor is used. This section covers the configuration for searching the LDAP servers using the LDAP health monitor. On successful search, the server will be marked UP else, it will be marked DOWN.

Configuring LDAP/LDAPS Health Monitor

Configure LDAP/LDAPS settings in a health monitor using the following fields through the CLI.


Field	Description	Optional/ Mandatory
`base_dn`	Enter the distinguished name (DN) of an entry. `base_dn` is the starting point of the search	Mandatory
`Attributes`	Use this to define the attributes to be returned on search. To configure multiple attributes, use commas to separate the attributes (for example, cn,address,email).	Optional
`Scope`	Select the scope of search from one of the following: Base: To search for information only about the `base_dn` specified inside directory One: To search for information at one level below the `base_dn` specified inside directory Sub: To search for information at all levels below the `base_dn` specified inside directory.	Optional
`Filter`	Filter to search entries within the specified scope	Optional
`Username`	Enter the DN of the user, if the LDAP server requires authentication (present under general health monitor configuration under authentication)	Optional
`Password`	Enter the password of user if the LDAP server requires authentication (present under general health monitor configuration under authentication)	Optional
`SSL Attributes`	Enter SSL Attributes in the case of LDAPS health monitor	Mandatory for LDAPS Health Monitor

Note:

Currently, LDAP/LDAPS health monitor can be configured only using the CLI.

A sample configuration of the LDAP health monitor is shown below:

[admin:avi-controller]: > configure healthmonitor ldap-hm
[admin:avi-controller]: healthmonitor> type health_monitor_ldap
[admin:avi-controller]: healthmonitor> authentication username cn=aviuser,ou=users,ou=system
[admin:avi-controller]: healthmonitor:authentication> password xyz123
[admin:avi-controller]: healthmonitor:authentication> save
[admin:avi-controller]: healthmonitor> ldap_monitor base_dn ou=system
[admin:avi-controller]: healthmonitor:ldap_monitor> save
[admin:avi-controller]: healthmonitor> save

A sample configuration for LDAPS health monitor is shown below:

[admin:avi-controller]: > configure healthmonitor ldaps-hm
[admin:avi-controller]: healthmonitor> type health_monitor_ldaps
[admin:avi-controller]: healthmonitor> authentication username cn=aviuser,ou=users,ou=system
[admin:avi-controller]: healthmonitor:authentication> password xyz123
[admin:avi-controller]: healthmonitor:authentication> save
[admin:avi-controller]: healthmonitor> ldaps_monitor base_dn ou=system
[admin:avi-controller]: healthmonitor:ldaps_monitor> ssl_attributes ssl_profile_ref System-Standard
[admin:avi-controller]: healthmonitor:ldaps_monitor:ssl_attributes> save
[admin:avi-controller]: healthmonitor:ldaps_monitor> save
[admin:avi-controller]: healthmonitor> save

The following are the SSL configurations that can be used for the LDAPS health monitor:

SSL Profile - Select an existing SSL Profile or create a new one, as required. This defines the ciphers and SSL versions to be used for the health monitor traffic to the back end servers.
PKI profile - Select an existing PKI profile or create a new one, as required. This will be used to validate the SSL certificate presented by the server.
SSL key and certificate - Select an existing SSL Key and Certificate or create a new one, as required.

Note:

When attributes are configured, the SE will match configured attributes in server response data. When the match is not found it marks the server DOWN.
For lesser consumption of resources, configure specific base_dn having less number of entries with base scope so that server response data will not be large.