Not able to connect LDAP when GSLB comes into Picture. But Able to connect it when directly accessing LB VIP.


Hi All,

Hope you all are doing good!

I have set up LDAPS load balancing on Netscaler version 11.1.x.x. It works fine when I point the DNS name ldaps.company.com directly to the VIP. Then I created a DNS c-name record for it as ldaps.gslb.company.com, as I wanted to enable GSLB. Here LDAPS fails. When I point directly to each Netscaler VIP it works, but via a c-name it fails. I need the c-name as it points to the record to the other Netscalers in the internal DNS servers for resolution. Any idea?

Regards,

Shekhars

Hi Shekhars,

Is your DNS c-name record using the same SSL cert as your VIP? I have seen a similar issue, but not with GSLB.

In my case, one of my customers wanted to use LDAPS with a Netscaler LB VIP (DNS name). It was fine using the SSL certificate, but when the customer tried to point directly to domain.local it didn't work. It turned out to be an SSL certificate issue.

Thanks

Manoj

Hi Shekhars,

As I suggested, can you create a GSLB CNAME that matches your LB VIP and retest?

Where you created the DNS c-name record for it as ldaps.gslb.company.com, can you create another c-name in the same place that matches your LB cert?

Thanks

Manoj

  • 1 year later...

Were you able to find a solution to this? I am having the same issue with some systems. I've tested a Netscaler pointed to an LDAPS VIP (SSL_TCP) with an A record testldap.company.com and it authenticates correctly. I changed the record to a C-Name record testldap.gslb.uwhealth.org and the Netscaler continues to work, and works appropriately if I disable services to force the traffic to one datacenter or the other. The backend servers on the VIP are Windows domain servers.

However, I have some systems that broke when I moved the record to a C-Name. As far as I can tell they are Windows servers. I don't believe the certificate for testldap.gslb.company.com needs to be added to the VIP cert because none of my other SSL offloaded VIPs have that requirement for the cname entry. I do realize LDAPS is a different protocol than standard SSL, so maybe the requirements are different with LDAPS?
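
The certificate question raised in this thread comes down to whether a name a client validates appears among the VIP certificate's SAN dNSName entries. The following is an added example, not part of any post above and not Citrix code, that applies RFC 6125-style matching to the two names from the first post; the SAN lists are constructed samples, and which name a given LDAPS client actually validates is an assumption to confirm per client.

```python
"""Check which DNS names a certificate's SAN dNSName entries cover.

Added illustration; SAN lists below are constructed, not read from a real VIP.
"""

def _labels(name):
    # DNS names compare case-insensitively; ignore a trailing root dot.
    return name.rstrip(".").lower().split(".")

def san_matches(hostname, san):
    """RFC 6125-style match of one hostname against one SAN dNSName."""
    host, pat = _labels(hostname), _labels(san)
    if len(host) != len(pat):
        # A wildcard stands for exactly one label, so label counts must agree.
        return False
    if pat[0] == "*":
        # Wildcard only as the whole left-most label, never directly under
        # a top-level label (e.g. "*.com" is rejected).
        return len(pat) >= 3 and host[1:] == pat[1:]
    return host == pat

def covered_names(hostnames, sans):
    """Map each hostname to the first SAN entry that covers it, or None."""
    return {
        h: next((s for s in sans if san_matches(h, s)), None)
        for h in hostnames
    }

# Names from the thread: the direct VIP name and the GSLB c-name.
CLIENT_NAMES = ["ldaps.company.com", "ldaps.gslb.company.com"]

# Constructed SAN lists (assumptions, not the posters' real certificates).
SANS_VIP_ONLY = ["ldaps.company.com", "*.company.com"]
SANS_WITH_GSLB = ["ldaps.company.com", "ldaps.gslb.company.com"]

if __name__ == "__main__":
    for label, sans in (("VIP-only cert", SANS_VIP_ONLY),
                        ("cert with GSLB name", SANS_WITH_GSLB)):
        print(label)
        for name, san in covered_names(CLIENT_NAMES, sans).items():
            print(f"  {name:28} -> {san or 'NOT COVERED'}")
```

Note that the constructed wildcard `*.company.com` does not cover `ldaps.gslb.company.com`, because a wildcard stands for a single label only.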
