Score:0

Load Balancer for LDAP(S)


I have created a load balancer in the cloud with backend servers running FreeIPA.
When I try to run:

$ ldapsearch -x -H ldap://<IP-ADDRESS> -b "dc=example,dc=com"
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)

However, it's possible to contact each of the server:

$ ldapsearch -x -H ldap://<NODE1-ADDRESS> -b "dc=example,dc=com"
# extended LDIF
#
# LDAPv3
...

$ ldapsearch -x -H ldap://<NODE2-ADDRESS> -b "dc=example,dc=com"
# extended LDIF
#
# LDAPv3
...

In theory, shouldn't I be able to run the command ldapsearch -x -H ldap://<IP-ADDRESS> -b "dc=example,dc=com" as well?

EDIT: What LB configuration has been done from my side
The servers and the load balancer can be found in the same subnet

Security Rules (traffic allowed):

  • Ingress: 22, 53, 80, 88, 389, 636, 443
  • Egress: All

Backend/Backend sets:

  • Server: Node1 Port: 389
  • Server: Node2 Port: 389
  • Server: Node1 Port: 636
  • Server: Node2 Port: 636

Listeners

  • Server: Node1 Port: 389
  • Server: Node2 Port: 389
  • Server: Node1 Port: 636
  • Server: Node2 Port: 636

Health checks:

  • Health checking TCP port 389/636.
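
A TCP health check like the one above only proves that the load balancer can open a socket to each node; it says nothing about whether a client's LDAP session is actually forwarded through the listener. The probe below is an added example (not code from the question or from FreeIPA/OCI): it sends a real LDAPv3 anonymous simple bind, the same thing `ldapsearch -x` does with no `-D`/`-w`, and reports the `BindResponse` it gets back, so it can be pointed at the load balancer address and at each node to compare the two paths. The loopback "fake server" and the addresses are constructed placeholders; the BER encoding follows RFC 4511 and is enough for this one message type only.

```python
"""LDAP-level reachability probe: anonymous LDAPv3 simple bind over TCP."""
import socket
import threading


def ber_len(n):
    """BER definite-form length (short form below 128, long form otherwise)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, payload):
    """Tag-Length-Value encoding of one BER element."""
    return bytes([tag]) + ber_len(len(payload)) + payload


def bind_request(message_id=1, dn=b"", password=b""):
    """LDAPMessage { messageID, BindRequest [APPLICATION 0] { version 3, name, simple [0] } }.
    Empty dn and password make it an anonymous bind. message_id must be below 128 here."""
    body = tlv(0x02, b"\x03") + tlv(0x04, dn) + tlv(0x80, password)
    return tlv(0x30, tlv(0x02, bytes([message_id])) + tlv(0x60, body))


def read_tlv(buf, pos):
    """Decode one BER element at buf[pos]; returns (tag, value, next_pos)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:  # long-form length
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length


def parse_bind_response(data):
    """Extract messageID, resultCode, matchedDN and diagnosticMessage from a BindResponse."""
    tag, msg, _ = read_tlv(data, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage (tag 0x%02x)" % tag)
    _, mid, pos = read_tlv(msg, 0)
    tag, op, _ = read_tlv(msg, pos)
    if tag != 0x61:  # [APPLICATION 1] = BindResponse
        raise ValueError("not a BindResponse (tag 0x%02x)" % tag)
    _, rc, pos = read_tlv(op, 0)
    _, matched, pos = read_tlv(op, pos)
    _, diag, _ = read_tlv(op, pos)
    return {
        "message_id": int.from_bytes(mid, "big"),
        "result_code": int.from_bytes(rc, "big"),
        "matched_dn": matched.decode("utf-8", "replace"),
        "diagnostic": diag.decode("utf-8", "replace"),
    }


def probe_ldap(host, port=389, timeout=3.0):
    """Connect, send an anonymous bind, report what came back.
    ok=False with an error string corresponds to ldapsearch's "Can't contact LDAP server":
    either the TCP connection fails or the listener accepts but forwards nothing."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(bind_request())
            data = s.recv(4096)
    except OSError as exc:
        return {"ok": False, "error": str(exc)}
    if not data:
        return {"ok": False, "error": "connection accepted but closed without a BindResponse"}
    resp = parse_bind_response(data)
    resp["ok"] = resp["result_code"] == 0  # 0 = success, 49 = invalidCredentials, ...
    return resp


# Constructed BindResponse: messageID 1, resultCode 0 (success), empty matchedDN/diagnostic.
SUCCESS_BIND_RESPONSE = tlv(0x30, tlv(0x02, b"\x01") + tlv(
    0x61, tlv(0x0A, b"\x00") + tlv(0x04, b"") + tlv(0x04, b"")))


def fake_ldap_server(response):
    """Constructed stand-in for a backend (or for a listener with no working backend):
    accepts one loopback connection, sends `response` if non-empty, closes. Returns its port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        with conn:
            conn.recv(4096)  # the client's BindRequest
            if response:
                conn.sendall(response)
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port


if __name__ == "__main__":
    # Against real infrastructure: probe_ldap("<IP-ADDRESS>") and probe_ldap("<NODE1-ADDRESS>").
    for label, port in (("healthy backend", fake_ldap_server(SUCCESS_BIND_RESPONSE)),
                        ("listener forwarding nothing", fake_ldap_server(b""))):
        print(label, probe_ldap("127.0.0.1", port))
```

Run it once against the load balancer address and once against each node: if the nodes answer with `result_code` 0 but the load balancer path returns `ok: False`, the listener or its backend set is what needs fixing, regardless of what the TCP health check reports.
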
HBruijn avatar
That error suggests that your load balancer is not configured with (correct) rules to accept incoming LDAP traffic and load balance it correctly AND/OR your load balancing method may require additional configuration of the back-end servers.
N. J avatar
Thanks @HBruijn. The load balancer accepts the same incoming traffic as the two nodes. I've opened both ldap and ldaps using protocol TCP.
HBruijn avatar
And yet when contacting your *"load balancer in the cloud"* you get a `Can't contact LDAP server` error message. From our side of the question we can't see what you're doing right, doing wrong or missing. Please add sufficient details: What load balancing mechanism did you configure for the LDAP traffic/port(s) , what rules, is there a (successful) health check involved for the back end servers etc. etc. etc. Just opening port 389 on a loadbalancer does not make it load balance LDAP traffic. (which is what your comment suggests as the only thing you did.)
N. J avatar
So... There are security rules that allow ingress traffic to ports 389/636 etc. I've created health checks to the backend servers specifically on the LDAP/LDAPS ports, which report back "Healthy". However, I think you're still right with your first comment, since I tried to make a similar backend/backend set for SSH connections (just for a test), which doesn't seem to work either.
HBruijn avatar
Depending on the load balancer, in addition to a back-end you also need a front end / listener / ingress definition on the load balancer and link the LDAP port(s) on the load balancer to those back-ends
N. J avatar
@HBruijn, I appreciate your comments. I'll go back to the drawing board to see what I did wrong. This is a NLB in OCI.
N. J avatar
@HBruijn, I tried to create a new similar network load balancer turning off the option: `is_preserve_source_destination`, meaning setting it to `false`. I was then able to access my backends. Any reason for this?