In this post we will demonstrate how to configure a highly available (HA) LDAP server to use with the VMware vRealize Orchestrator Server (vRO) Active Directory Plug-in. We will accomplish this task using F5 BIG-IP. This approach can also be used to achieve LDAP load balancing (LB), not only HA.
Lab Environment
The logical design of this lab can be seen HERE.
Problem
The [Configure Active Directory Server] workflow part of the vRO Active Directory Plug-in allows you to configure a single active directory (AD) host via IP or URL. For example:
Q: What if we want to connect to multiple AD domain controller (DC) servers to achieve high availability?
A: One of the ways is to create additional DNS records for those servers with the same name and use that name when running the workflow to add the AD server. DNS will return, based on round robin, any of the given AD servers.
Q: Will this prevent me from hitting a DC server which is down or unreachable?
A: No. No health checks are performed to determine whether a server is down.
Q: How can I implement a health checking mechanism to determine if a given AD DC server is down, so that it is not returned to vRO?
A: By using an F5 BIG-IP Virtual Server configured for LDAP requests.
Q: How can I configure that in F5?
A: Check next chapter.
Solution
We can configure an F5 BIG-IP device to listen for and satisfy LDAP requests the same way we configured it for vIDM in an earlier post.
To learn more on how to configure an F5 BIG-IP Virtual Server to listen for and satisfy LDAP requests, visit How to set vIDM (SSO) LDAP Site-Affinity for vRA and read the Method 2: Using F5 BIG-IP chapter.
In this case we will use the same F5 BIG-IP Virtual Server (VS) which we created for the vIDM server.
Log in to vRO and navigate to the Workflows tab.
Navigate to Library > Microsoft > Active Directory > Configuration and start the [Configure Active Directory Server] workflow.
In the Active Directory Host IP/URL field provide the FQDN of the VS you created.
Fill in the rest of the input parameters as per your AD requirements.
Click Submit.
Go to the inventory tab. You should see the LDAP server added. You should be able to expand and explore the inventory objects coming from that plug-in.
Now in my case I have 2 LDAP servers behind the VS.
I will shut down the first one and see if vRO continues to work as expected.
Right Click the LDAP server and select Reload.
Expand again and explore the LDAP server inventory. It should work as there is still 1 LDAP server that can satisfy requests.
Now let's check what happens if we simulate failure of all LDAP servers.
Right Click the LDAP server and select Reload.
You should see an error as there are no more LDAP servers available to satisfy queries.
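To make the difference between the two approaches from the Q&A concrete, and to model the failover test just performed, here is a small Python example. It is added for this post and is not code from VMware, F5 or the original article. It contrasts plain DNS round robin (every record is handed out, healthy or not) with a monitored pool that only returns members whose health probe passes, and returns nothing at all when every member is down, which is the situation that produces the error in vRO above. The host names, the `tcp_probe` helper and the `MonitoredPool`/`DnsRoundRobin` classes are assumptions made for the example; note that the real BIG-IP LDAP monitor performs a bind rather than a bare TCP connect.

```python
"""Health-checked LDAP pool selection (added example, not from the original post).

Constructed example: host names below are made up for illustration.
"""
import itertools
import socket
from typing import Callable, Iterable, List, Optional, Tuple

Member = Tuple[str, int]  # (host, port)


def tcp_probe(member: Member, timeout: float = 2.0) -> bool:
    """Simplest possible monitor: a TCP connect to the LDAP port.

    Assumption: the BIG-IP ldap monitor goes further and performs a bind/search
    against the directory; this probe only establishes that the port answers.
    """
    host, port = member
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


class DnsRoundRobin:
    """Models the 'several A records with the same name' approach from the Q&A:
    every member is returned in turn regardless of whether it is reachable."""

    def __init__(self, members: Iterable[Member]) -> None:
        self._cycle = itertools.cycle(list(members))

    def next_member(self) -> Member:
        return next(self._cycle)


class MonitoredPool:
    """Models a virtual server backed by a pool with a health monitor."""

    def __init__(self, members: Iterable[Member],
                 probe: Callable[[Member], bool] = tcp_probe) -> None:
        self._members = list(members)
        self._probe = probe
        self._index = 0  # round-robin position among healthy members

    def healthy_members(self) -> List[Member]:
        """Run the monitor against every pool member and keep the ones that pass."""
        return [m for m in self._members if self._probe(m)]

    def next_member(self) -> Optional[Member]:
        """Return the next healthy member, or None when the whole pool is down
        (the case that produces the vRO error after all DCs are stopped)."""
        healthy = self.healthy_members()
        if not healthy:
            return None
        member = healthy[self._index % len(healthy)]
        self._index += 1
        return member


if __name__ == "__main__":
    # Constructed pool of two domain controllers, with dc01 simulated as down,
    # so the script runs offline without contacting any real host.
    members = [("dc01.lab.example", 389), ("dc02.lab.example", 389)]
    down = {("dc01.lab.example", 389)}
    pool = MonitoredPool(members, probe=lambda m: m not in down)
    rr = DnsRoundRobin(members)
    for _ in range(4):
        print("dns round robin ->", rr.next_member(),
              "| monitored pool ->", pool.next_member())
```

Run the script as-is for the offline simulation; to probe real controllers, construct `MonitoredPool(members)` with the default `tcp_probe`. The point to take away is in `next_member`: DNS round robin keeps returning the stopped controller, while the monitored pool silently skips it and only fails once no member is left.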
Additional Resources
My dear friend Oliver Leech wrote a blog post on a similar/related topic. Make sure to check it out:
vRealize Orchestrator – connecting to more than one domain using the Active Directory plugin
Final Step
If all went well, go grab a beer.