When you set up a Secure LDAP monitor, the nsumond and nsmonitor dispatch processes do not run the Perl script. The service monitor counters continue to increment and the service is ultimately marked as DOWN.
To resolve this issue, complete the following procedure to create an nsldaps.pl script, create a Secure LDAP monitor, and bind the existing LDAP services.
Log on to the NetScaler appliance by using an SSH utility.
Run the following command to switch to the FreeBSD shell:
> shell
Run the following command to make a copy of the /nsconfig/monitors/nsldap.pl file:
# cp /nsconfig/monitors/nsldap.pl /nsconfig/monitors/nsldaps.pl
Change to the /nsconfig/monitors/ directory.
Open the nsldaps.pl file in a text editor, such as the vi editor.
Search for the following entry in the file:
> my $ldap=Net::LDAP->new($_[0].":".$_[1],Timeout=>2)
Replace the entry with the following entry:
> my $ldap=Net::LDAP->new($_[0].":".$_[1],scheme=>'ldaps',Timeout=>2)
Save and close the file.
Run the following command to ensure that the nsldaps.pl file has the execute permission, especially if you have edited the file on a different host and then re-uploaded it to the NetScaler appliance:
# chmod a+x /nsconfig/monitors/nsldaps.pl
Run the following command to switch to the command line interface of the appliance:
# exit
Run the following command to create a monitor of LDAP type that refers to the new nsldaps.pl script. Enter values for the necessary parameters, such as BaseDN, BindDN, and password, and modify the IP address and port number, as necessary. Ensure that you do not use the "-secure" option in the command.
> add lb monitor <Monitor_Name> LDAP -scriptName nsldaps.pl -dispatcherIP 127.0.0.1 -dispatcherPort 3013 -password <Password> -encrypted -LRTM ENABLED -baseDN cn=users,dc=company,dc=com -bindDN uid=admin,cn=users,dc=company,dc=com
The following screen shot displays the Create Monitor dialog box with the corresponding values in the various fields, as used in the preceding command:
Run the following command to bind the monitor to the existing LDAP service, such as ldap_test_svc:
> bind lb monitor <Monitor_Name> ldap_test_svc
The following screen shot displays the corresponding dialog box in the GUI of the appliance:
On a NetScaler appliance, if you enable the Secure option for the LDAP monitor in the GUI, or set the -secure option by using the NetScaler command line interface, the setting prevents the dispatchers, such as nsumond and nsmonitor, from running the Perl script. Enabling the Secure option requests that the communication between the NetScaler appliance and an external dispatcher be encrypted; it does not request secure LDAP communication.
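The copy, edit, and permission steps of the preceding procedure can be scripted so that the edit is verified before nsldaps.pl is put in place, which matters when the nsldap.pl on the appliance differs from the one quoted here. This is an added example, not part of the original article and not Citrix code; the function name make_nsldaps and its exit codes are assumptions.

```shell
#!/bin/sh
# Added example (not Citrix code): build nsldaps.pl from nsldap.pl with checks.
# Run from the appliance shell with two arguments, for example:
#   /nsconfig/monitors/nsldap.pl /nsconfig/monitors/nsldaps.pl

# The constructor calls quoted in the article, matched as fixed strings.
OLD_CALL='Net::LDAP->new($_[0].":".$_[1],Timeout=>2)'
NEW_CALL="Net::LDAP->new(\$_[0].\":\".\$_[1],scheme=>'ldaps',Timeout=>2)"

# make_nsldaps SRC DST (hypothetical helper name)
# Returns 0 on success, 2 if SRC is unreadable, 3 if SRC does not contain
# exactly one plain-LDAP constructor, 4 if the edit did not apply cleanly.
make_nsldaps() {
    src=$1; dst=$2
    [ -r "$src" ] || { echo "cannot read $src" >&2; return 2; }

    # Anything other than one match means this file is not the script the
    # article describes (or it was already edited), so nothing is written.
    n=$(grep -cF "$OLD_CALL" "$src" || true)
    [ "$n" -eq 1 ] || { echo "expected 1 constructor line, found $n" >&2; return 3; }

    tmp="$dst.tmp.$$"
    # Insert scheme=>'ldaps' only on the Net::LDAP->new line.
    sed "/Net::LDAP->new(/ s/,Timeout=>2)/,scheme=>'ldaps',Timeout=>2)/" \
        "$src" > "$tmp" || { rm -f "$tmp"; return 4; }

    # Verify before replacing anything: new call present, old call gone.
    if ! grep -qF "$NEW_CALL" "$tmp" || grep -qF "$OLD_CALL" "$tmp"; then
        rm -f "$tmp"; echo "edit did not apply cleanly" >&2; return 4
    fi

    # Same permission step as the article, then move into place.
    chmod a+x "$tmp" && mv "$tmp" "$dst"
}

if [ "$#" -eq 2 ]; then
    make_nsldaps "$1" "$2"
fi
```

The original nsldap.pl is never modified, so the existing plain LDAP monitors keep working.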
CTX114335 - How to Configure an LDAP Monitor