LDAP (Lightweight Directory Access Protocol) is a protocol for accessing directory services such as Microsoft’s Active Directory. Especially in enterprise environments, LDAP is typically encrypted to avoid exposing sensitive data such as passwords to eavesdroppers. Microsoft, for example, has a policy that requires inbound LDAP to be encrypted if it contains a password.
LDAP is very well suited to high-throughput load balancing with Citrix NetScaler: sessions map to TCP connections, so session stickiness is unnecessary. NetScaler also provides an LDAP monitor that performs a bind and search of your choice against the directory. For encrypted LDAP, NetScaler can use any combination of SSL_TCP and TCP, or SSL_BRIDGE, so encryption can be offloaded in either direction.
Implementing secure LDAP (typically SSL_TCP or SSL_BRIDGE to port 636) with reasonable monitoring is often done with a combination of a tcps monitor and an ldap monitor directed at port 389. The former checks that the port is reachable and that an SSL handshake succeeds; the latter performs the LDAP search. While this works, it would certainly be nicer to have a single monitor that can itself send an LDAP request through an SSL tunnel. This can be achieved by copying the LDAP monitor script and making a few small modifications.
- To build the secure LDAP monitor, take a copy of /nsconfig/monitors/nsldap.pl and save it as nsldaps.pl.
- Search and replace Net::LDAP with Net::LDAPS (it occurs twice).
- Search and replace ldap_probe( with ldaps_probe( (it also occurs twice).
- Copy the resulting file back to /nsconfig/monitors on all of your NetScalers.
(For all modifications, I recommend an editor that handles UNIX newlines, such as vi, emacs or Notepad++.)
That’s it. The new monitor behaves just like the ldap monitor, except that it calls nsldaps.pl instead of nsldap.pl.
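The steps above as a script, an added example that is not from the original post or from Citrix: it performs the two replacements with sed, refuses to convert a file that already carries the LDAPS names, checks that each token was found exactly twice as the post states, and rejects CRLF line endings. When /nsconfig/monitors/nsldap.pl is not present it runs against a constructed stand-in that only carries the tokens the steps touch.

```shell
#!/bin/sh
# Added example, not part of the original post: applies the copy-and-replace
# steps above and checks the result before nsldaps.pl goes to /nsconfig/monitors.
# POSIX sh/sed/grep only (NetScaler's shell is BSD-based; no GNU `sed -i`).

# make_ldaps_monitor SRC DST: DST = SRC with Net::LDAP -> Net::LDAPS and
# ldap_probe( -> ldaps_probe(, after checking counts and line endings.
make_ldaps_monitor() {
    src=$1; dst=$2
    [ -r "$src" ] || { echo "cannot read $src" >&2; return 1; }
    # Never convert twice: a second pass would turn Net::LDAPS into Net::LDAPSS.
    if grep -Eq 'Net::LDAPS|ldaps_probe\(' "$src"; then
        echo "$src already uses the LDAPS names; refusing to convert" >&2; return 1
    fi
    # The post expects each token exactly twice; any other count means this
    # nsldap.pl differs from the one the steps were written for, so stop and look.
    n_mod=$(grep -o 'Net::LDAP' "$src" | wc -l)
    n_probe=$(grep -o 'ldap_probe(' "$src" | wc -l)
    if [ "$n_mod" -ne 2 ] || [ "$n_probe" -ne 2 ]; then
        echo "unexpected counts in $src: Net::LDAP=$n_mod ldap_probe(=$n_probe" >&2; return 2
    fi
    sed -e 's/Net::LDAP/Net::LDAPS/g' -e 's/ldap_probe(/ldaps_probe(/g' "$src" > "$dst" || return 1
    # None of the old names may survive (Net::LDAP followed by S is the new name).
    if grep -Eq 'Net::LDAP([^S]|$)|ldap_probe\(' "$dst"; then
        echo "replacement incomplete in $dst" >&2; return 3
    fi
    # Keep UNIX newlines: a CR anywhere means a Windows editor touched the file.
    if [ "$(tr -d '\r' < "$dst" | wc -c)" -ne "$(wc -c < "$dst")" ]; then
        echo "$dst contains CRLF line endings" >&2; return 4
    fi
    return 0
}

# demo_on_stub DIR: run the conversion on a constructed stand-in for nsldap.pl
# (not the real monitor script; it only carries the tokens the steps touch).
demo_on_stub() {
    cat > "$1/nsldap.pl" <<'EOF'
use Net::LDAP;   # constructed stand-in, not the real nsldap.pl
sub ldap_probe($) { my $ldap = Net::LDAP->new($_[0]) or return 1; return 0; }
exit ldap_probe($ARGV[0]);
EOF
    make_ldaps_monitor "$1/nsldap.pl" "$1/nsldaps.pl"
}

if [ -r /nsconfig/monitors/nsldap.pl ]; then
    make_ldaps_monitor /nsconfig/monitors/nsldap.pl /tmp/nsldaps.pl &&
        echo "/tmp/nsldaps.pl ready; copy it to /nsconfig/monitors on every NetScaler"
else
    d=$(mktemp -d) && demo_on_stub "$d" && echo "stub conversion OK: $d/nsldaps.pl"
fi
```

Bind the resulting monitor to the service's LDAPS port (636) rather than 389. Net::LDAPS does not verify the server certificate unless verify => 'require' is passed, so this monitor confirms that the SSL handshake and the LDAP bind and search succeed, not that the certificate is trusted.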
Hope you find this useful. If you have challenges similar to this or if you’re just looking for a best practice check of your environment, Citrix Consulting will gladly engage with you.