
I have created a load balancer in the cloud with backend servers running FreeIPA.
When I try to run:

$ ldapsearch -x -H ldap://<IP-ADDRESS> -b "dc=example,dc=com"
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)

However, it's possible to contact each of the servers:

$ ldapsearch -x -H ldap://<NODE1-ADDRESS> -b "dc=example,dc=com"
# extended LDIF
#
# LDAPv3
...

$ ldapsearch -x -H ldap://<NODE2-ADDRESS> -b "dc=example,dc=com"
# extended LDIF
#
# LDAPv3
...

In theory, shouldn't I be able to run the command ldapsearch -x -H ldap://<IP-ADDRESS> -b "dc=example,dc=com" as well?

EDIT: What LB configuration has been done from my side:
The servers and the load balancer can be found in the same subnet.

Security rules (traffic allowed):

  • Ingress: 22, 53, 80, 88, 389, 636, 443
  • Egress: All

Backend/Backend sets:

  • Server: Node1 Port: 389
  • Server: Node2 Port: 389
  • Server: Node1 Port: 636
  • Server: Node2 Port: 636

Listeners

  • Server: Node1 Port: 389
  • Server: Node2 Port: 389
  • Server: Node1 Port: 636
  • Server: Node2 Port: 636

Health checks:

  • Health checking TCP port 389/636.
  • That error suggests that your load balancer is not configured with (correct) rules to accept incoming LDAP traffic and load balance it correctly AND/OR your load balancing method may require additional configuration of the back-end servers – HBruijn Jun 13 '23 at 13:14
  • Thanks @HBruijn. The load balancer accepts the same incoming traffic as the two nodes. I've opened both ldap and ldaps using protocol TCP. – N. J Jun 13 '23 at 13:28
  • And yet when contacting your *"load balancer in the cloud"* you get a `Can't contact LDAP server` error message. From our side of the question we can't see what you're doing right, doing wrong or missing. Please add sufficient details: What load balancing mechanism did you configure for the LDAP traffic/port(s), what rules, is there a (successful) health check involved for the back-end servers etc. etc. etc. Just opening port 389 on a load balancer does not make it load balance LDAP traffic (which is what your comment suggests as the only thing you did). – HBruijn Jun 13 '23 at 13:37
  • So... There are security rules that allow ingress traffic to port 389/636 etc. I've created health checks to the backend servers specifically on the LDAP/LDAPS ports, which report back "Healthy". However, I still think you're right from your first comment, since I tried to make a similar backend/backend set for SSH connections (just for a test), which doesn't seem to work, either. – N. J Jun 13 '23 at 13:52
  • Depending on the load balancer, in addition to a back-end you also need a front end / listener / ingress definition on the load balancer and link the LDAP port(s) on the load balancer to those back-ends – HBruijn Jun 13 '23 at 13:58
  • @HBruijn, I appreciate your comments. I'll go back to the drawing board to see what I did wrong. This is a NLB in OCI. – N. J Jun 13 '23 at 14:16
  • @HBruijn, I tried to create a new similar network load balancer turning off the option: `is_preserve_source_destination`, meaning setting it to `false`. I was then able to access my backends. Any reason for this? – N. J Jun 21 '23 at 10:58
