Custom LDAP Monitor Does Not Work

https://www.poppelgaard.com/netscaler-case-study-custom-ldap-monitor-does-not-work

Problem Definition

A customer tried to configure a custom LDAP monitor, but the monitor failed after it was bound to a load balancing service.

Troubleshooting Steps

The Technical Support Engineers used the nsumon-debug.pl script from the /nsconfig/monitors directory:

root@NS# cd /nsconfig/monitors
root@NS# ls -ltr
total 68
-r-xr-xr-x 1 root wheel 8784 Dec 21 06:08 nswi.pl
-r-xr-xr-x 1 root wheel 2517 Dec 21 06:08 nsumon-debug.pl
-r-xr-xr-x 1 root wheel 3184 Dec 21 06:08 nssnmp.pl
-r-xr-xr-x 1 root wheel 1453 Dec 21 06:08 nssmtp.pl
-r-xr-xr-x 1 root wheel 2509 Dec 21 06:08 nsrdp.pl
-r-xr-xr-x 1 root wheel 2392 Dec 21 06:08 nspop3.pl
-r-xr-xr-x 1 root wheel 3742 Dec 21 06:08 nsntlm-lwp.pl
-r-xr-xr-x 1 root wheel 2769 Dec 21 06:08 nsnntp.pl
-r-xr-xr-x 1 root wheel 2979 Dec 21 06:08 nsmysql.pl
-r-xr-xr-x 1 root wheel 3113 Dec 21 06:08 nsftp.pl
-r-xr-xr-x 1 root wheel 14010 Dec 21 06:08 nsall.pl
drwxr-xr-x 3 root wheel 512 Feb 1 07:18 perl_mod
-r-xr-xr-x 1 root wheel 3793 Feb 29 19:54 nsldaps.pl
-r-xr-xr-x 1 root wheel 3860 Mar 1 01:45 nsldap.pl

The engineers ran the nsumon-debug.pl script with the same arguments that were configured in the LDAP monitor (Base DN, Bind DN, and password), along with the LDAP server IP address and port number.

root@NS7039# nsumon-debug.pl nsldap.pl 10.217.130.120 389 3 "base=cn=users,dc=company,dc=com;bdn=cn=admin,cn=users,dc=company,dc=com;password=xxxxx"
nsldap.pl syntax OK
0

root@NS# nsumon-debug.pl nsldaps.pl 10.217.130.120 636 3 "base=cn=users,dc=company,dc=com;bdn=cn=admin,cn=users,dc=company,dc=com;password=xxxxx"
nsldaps.pl syntax OK
0

The engineers used the following syntax when the LDAP argument had a filter or object:

root@NS7039# nsumon-debug.pl nsldap.pl 10.217.130.120 389 3 "base=cn=users,dc=company,dc=com;bdn=cn=admin,cn=users,dc=company,dc=com;password=xxxxx; filter=objectclass=*;attribute=objectclass"
nsldap.pl syntax OK
0

root@NS# nsumon-debug.pl nsldaps.pl 10.217.130.120 636 3 "base=cn=users,dc=company,dc=com;bdn=cn=admin,cn=users,dc=company,dc=com;password=xxxxx; filter=objectclass=*;attribute=objectclass"
nsldaps.pl syntax OK
0

The nsumon-debug.pl runs listed above were successful. When a run fails, the nsumon-debug.pl output shows the exit reason, as follows:

root@NS93ncVPX# nsumon-debug.pl nsldaps.pl 10.217.130.120 636 3 " base=cn=users,dc=company,dc=com;bdn=cn=admin,cn=users,dc=company,dc=com;password=xxxxx"
nsldaps.pl syntax OK
1,Failed to bind to server – Connection reset by peer

root@NS93ncVPX# nsumon-debug.pl nsldap.pl 10.217.130.120 389 3 " base=cn=users,dc=company,dc=com;bdn=cn=admin,cn=users,dc=company,dc=com;password=xxxxx"
nsldap.pl syntax OK
1,Failed to bind to server – Connection reset by peer

Other error messages or exit reasons could include invalid argument or broken pipe.

The engineers also verified whether LDAP was configured for client authentication; that is, they verified the LDAP policy.

The engineers also verified whether the LDAP server required a client certificate to connect.

By default, the nsldap.pl script uses only base, bdn, and password as arguments and does not use any certificate to connect to the LDAP server. The nsldap.pl script uses the parameters provided as arguments. If the LDAP server is expecting a certificate, then the certificate must be passed as an argument to the script. Currently, the script does not support a custom argument.
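
The following is an added example, not code from the original article or from Citrix: a pre-flight check for the monitor argument string and a decoder for the result line that nsumon-debug.pl prints. It assumes the key=value;key=value layout and the "0" / "1,reason" output seen in the runs above; the page does not say how the script treats whitespace around a key, so that is only reported as a finding, and the "cert" key and its path are hypothetical.

```python
# Added example (not Citrix code): lint a monitor argument string and
# decode the result line printed by nsumon-debug.pl.
REQUIRED = ("base", "bdn", "password")  # the arguments the page says nsldap.pl uses
OPTIONAL = ("filter", "attribute")      # appear in the page's filter/attribute runs

def lint_script_args(raw):
    """Split 'key=value;key=value' and return (fields, findings)."""
    fields, findings = {}, []
    if "\u201c" in raw or "\u201d" in raw:
        findings.append("typographic quote in argument string")
    for segment in raw.split(";"):
        # DN values contain '=' themselves, so split on the first one only.
        key, sep, value = segment.partition("=")
        name = key.strip()
        if not sep or not name:
            findings.append(f"malformed segment {segment!r}")
            continue
        if name != key:
            findings.append(f"whitespace around key {name!r}")
        if name not in REQUIRED + OPTIONAL:
            findings.append(f"unsupported key {name!r}")
        if name in fields:
            findings.append(f"duplicate key {name!r}")
        fields[name] = value
    findings += [f"missing {k!r}" for k in REQUIRED if not fields.get(k)]
    return fields, findings

def redact(fields):
    """Copy of fields that is safe to paste into a ticket or log."""
    return {k: ("*****" if k == "password" else v) for k, v in fields.items()}

def parse_result(line):
    """'0' -> (True, ''); '1,<reason>' -> (False, '<reason>')."""
    code, _, reason = line.strip().partition(",")
    return code == "0", reason.strip()

# Constructed samples modelled on the runs shown above.
GOOD = "base=cn=users,dc=company,dc=com;bdn=cn=admin,cn=users,dc=company,dc=com;password=xxxxx"
SPACED = GOOD + "; filter=objectclass=*;attribute=objectclass"
WITH_CERT = GOOD + ";cert=/path/placeholder.pem"  # 'cert' is a hypothetical key

if __name__ == "__main__":
    for sample in (GOOD, SPACED, WITH_CERT, " " + GOOD.replace(";password=xxxxx", "")):
        fields, findings = lint_script_args(sample)
        print(redact(fields), findings or "clean")
    print(parse_result("1,Failed to bind to server - Connection reset by peer"))
```

An "unsupported key" finding corresponds to the limitation described above: a certificate or any other custom argument has no effect on nsldap.pl.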

Resolution

To resolve this issue, the engineers created a USER monitor instead of an LDAP monitor, as shown in the following screenshots:

The engineers bound the USER monitor to the load balancing service.
