To monitor the health of the LDAP servers, LDAP health monitor is used. This section covers the configuration for searching the LDAP servers using the LDAP health monitor. On successful search, the server will be marked UP
else, it will be marked DOWN
.
Configuring LDAP/LDAPS Health Monitor
Field |
Description |
Optional/ Mandatory |
---|---|---|
|
Enter the distinguished name (DN) of an entry. |
Mandatory |
|
Use this to define the attributes to be returned on search. To configure multiple attributes, use commas to separate the attributes (for example, cn,address,email). |
Optional |
|
Select the scope of search from one of the following:
|
Optional |
|
Filter to search entries within the specified scope |
Optional |
|
Enter the DN of the user, if the LDAP server requires authentication (present under general health monitor configuration under authentication) |
Optional |
|
Enter the password of user if the LDAP server requires authentication (present under general health monitor configuration under authentication) |
Optional |
|
Enter SSL Attributes in the case of LDAPS health monitor |
Mandatory for LDAPS Health Monitor |
Currently, LDAP/LDAPS health monitor can be configured only using the CLI.
A sample configuration of the LDAP health monitor is shown below:
[admin:avi-controller]: > configure healthmonitor ldap-hm [admin:avi-controller]: healthmonitor> type health_monitor_ldap [admin:avi-controller]: healthmonitor> authentication username cn=aviuser,ou=users,ou=system [admin:avi-controller]: healthmonitor:authentication> password xyz123 [admin:avi-controller]: healthmonitor:authentication> save [admin:avi-controller]: healthmonitor> ldap_monitor base_dn ou=system [admin:avi-controller]: healthmonitor:ldap_monitor> save [admin:avi-controller]: healthmonitor> save
A sample configuration for LDAPS health monitor is shown below:
[admin:avi-controller]: > configure healthmonitor ldaps-hm [admin:avi-controller]: healthmonitor> type health_monitor_ldaps [admin:avi-controller]: healthmonitor> authentication username cn=aviuser,ou=users,ou=system [admin:avi-controller]: healthmonitor:authentication> password xyz123 [admin:avi-controller]: healthmonitor:authentication> save [admin:avi-controller]: healthmonitor> ldaps_monitor base_dn ou=system [admin:avi-controller]: healthmonitor:ldaps_monitor> ssl_attributes ssl_profile_ref System-Standard [admin:avi-controller]: healthmonitor:ldaps_monitor:ssl_attributes> save [admin:avi-controller]: healthmonitor:ldaps_monitor> save [admin:avi-controller]: healthmonitor> save
The following are the SSL configurations that can be used for the LDAPS health monitor:
SSL Profile - Select an existing SSL Profile or create a new one, as required. This defines the ciphers and SSL versions to be used for the health monitor traffic to the back end servers.
PKI profile - Select an existing PKI profile or create a new one, as required. This will be used to validate the SSL certificate presented by the server.
SSL key and certificate - Select an existing SSL Key and Certificate or create a new one, as required.
When attributes are configured, the SE will match configured attributes in server response data. When the match is not found it marks the server
DOWN
.For lesser consumption of resources, configure specific
base_dn
having less number of entries with base scope so that server response data will not be large.