This article describes how to configure an LDAP monitor on Citrix ADC.
It is a best practice to limit the number of entries the probe returns to as few as possible, ideally one. For Active Directory LDAP systems the filter can be set to cn=Builtin or a similar filter string that returns minimal results. For example, the filter cn=Bob* returns every entry whose CN starts with Bob. A better filter is one that returns fewer entries but matches an object that is not likely to be removed for any reason. If a probe is returning too many entries, a trace of the results can indicate which entries might be good options. Avoid filters with parentheses, as they can confuse the monitor and result in a failed probe.
The corresponding monitor configuration is:
add lb monitor ldap-monitor LDAP -scriptName nsldap.pl -dispatcherIP 127.0.0.1 -dispatcherPort 3013 -deviation 0 SEC -interval 5 SEC -resptimeout 2 SEC -resptimeoutThresh 0 -retries 3 -failureRetries 0 -alertRetries 0 -successRetries 1 -downTime 30 SEC -IPMapping 0.0.0.0 -destPort 0 -state ENABLED -reverse NO -transparent NO -ipTunnel NO -tos NO -secure NO -baseDN "dc=example,dc=com" -bindDN "uid=test,dc=example,dc=com" -filter cn=Builtin
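Before committing a filter to the monitor definition above, it is worth vetting it from an admin host: confirm it is a bare attr=value string with no parentheses, then count how many entries the directory actually returns for it. The script below is an added example, not part of the Citrix article or the nsldap.pl monitor; it assumes the OpenLDAP ldapsearch client is installed, and the function names (check_filter, count_ldif_entries, probe_filter), the host name and the password-file path in the commented invocation are placeholders of the example.

```shell
#!/bin/sh
# Added example (not from the Citrix article): vet a candidate LDAP monitor
# filter before using it in "add lb monitor ... -filter".

# check_filter FILTER -> exit 0 if FILTER is a plain attr=value string
# (wildcards such as cn=Bob* are fine), exit 1 if it is empty, contains
# parentheses, or has no attr=value form. Parentheses are refused because
# the article reports that they can make the monitor probe fail.
check_filter() {
    case "$1" in
        *\(*|*\)*|'') return 1 ;;
        *=*)          return 0 ;;
        *)            return 1 ;;
    esac
}

# count_ldif_entries: read LDIF on stdin and print the number of entries.
# Every LDIF entry starts with exactly one "dn:" line, so counting those
# lines counts entries; "|| true" keeps grep's exit status 1 on zero
# matches from aborting a "set -e" caller, and "0" is still printed.
count_ldif_entries() {
    grep -c '^dn:' || true
}

# probe_filter HOST BASEDN BINDDN PASSFILE FILTER -> prints how many entries
# FILTER returns. The password is read from PASSFILE (-y) rather than the
# command line so it does not show up in "ps". The attribute list "1.1"
# asks the server for no attributes, keeping the reply to DNs only, which
# is all the count needs.
probe_filter() {
    host=$1; base=$2; bind=$3; passfile=$4; filter=$5
    if ! check_filter "$filter"; then
        echo "refusing filter '$filter': use a bare attr=value without parentheses" >&2
        return 1
    fi
    ldapsearch -x -LLL -H "ldap://$host" -D "$bind" -y "$passfile" \
        -b "$base" "$filter" 1.1 | count_ldif_entries
}

# Constructed sample reply (not captured from a real directory) showing the
# LDIF shape count_ldif_entries expects: three entries, e.g. what cn=B*
# might return. cn=Builtin would return only the first.
SAMPLE_LDIF='dn: CN=Builtin,DC=example,DC=com

dn: CN=Bob Smith,CN=Users,DC=example,DC=com

dn: CN=Bobby Jones,CN=Users,DC=example,DC=com
'

# Example invocation against a real directory (host and password file are
# placeholders); aim for an output of 1:
#   probe_filter dc01.example.com dc=example,dc=com \
#       uid=test,dc=example,dc=com /root/.ldapmon.pw cn=Builtin
```

Run probe_filter with the same base DN, bind DN and filter you intend to put in the monitor; a count of 1 is the target, and a count that climbs into the hundreds is the kind of result that pushes the probe past the 2 second response timeout configured above.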
Background
An LDAP monitor probe is defined and is timing out with the default parameters. No filter is defined to limit the size of the result set, so the directory returns far more entries than the probe needs. You might see the service with the following LDAP monitor reporting:
State: UNKNOWN
Probes: 1 Failed [Total: 1 Current: 1]
Last Response: Failure – Probe failed.
Response Time: 2000.0 millisec
Related article for LDAP configuration: https://support.citrix.com/article/CTX212422/how-to-configure-netscaler-to-use-active-directory-authentication-and-privileges