Jump to content
Welcome to our new Citrix community!

How to load-ballancing ldap with starttls


Recommended Posts



i have to implement a ldap load-ballancer with starttls. (389 with Starttls, not 636 SSL)

Is it possible?

389 with plaintext works:

 add lb vserver lbsrvldap TCP

 add serviceGroup svcgrpldap TCP -maxClient 0 -maxReq 0 -cip DISABLED -usip NO -useproxyport YES -cltTimeout 9000 -svrTimeout 9000

 bind serviceGroup svcgrpldap.

bind serviceGroup svcgrpldap xxx 389



636 with SSL works:

 add lb vserver lb_srv_ldap-ssl SSL_TCP

 add serviceGroup svcgrp_ldaps SSL_TCP

 add ssl certKey wildcard -cert wildcard.pfx

bind ssl vserver lb_srv_ldap-ssl -certkeyName wildcard

bind serviceGroup svcgrp_ldaps xxx 636



Do you know?


Link to comment
Share on other sites

  • 2 weeks later...

Your config should be fine, but tried the same an after some debugging we indentifiedcertificate problems we cloud not solve:


we use the DNS-name ldap.ourdomain.de, pointing to our ldap-vServer on the Netscaler.

-> fine with unencrypted LDAP (389)

-> fine with LDAPS (636) an d a trusted certificate with the right CN on the Netscaler vServer

-> fails with LDAP-STARTTS (389) on  the same vServer as the unencrypted LDAP


I belive the problem is the certificate used by our domain cointrollers, they use dc01.dourdomain.de, dc02.dourdomain.de as CN. And if now STARTTLS tries to connect to ldap.dourdomain.de it is loadbalanced to one of the domain controller presenting theier own certificate. Now we have a mismatch between CN und URL. Thats where I think the connection fails and I got no idea how fix this.

Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
  • Create New...