To get to the LDAP Configuration screen, expand Certificates & Security and click LDAP Configuration. This screen provides a management interface for LDAP endpoints. These LDAP endpoints may be used in three different areas:

  • Health checks
  • SSO domains
  • WUI authentication

Any existing LDAP endpoints are listed here, each with Modify and Delete options. An LDAP endpoint that is in use cannot be deleted.

There is also an option to add a new LDAP endpoint. Type a name for the endpoint and click Add. Spaces and special characters are not permitted in the LDAP endpoint name.

LDAP Server(s)

Specify a space-separated list of LDAP servers to use. For Windows Admin Controller (AC)/Domain Controller (DC) servers, the scope of access for multiple domains and Permitted Groups is set to universal. A port number can be appended to each server if required. If you have multiple domains and are using Permitted Groups, it is sometimes necessary to include the Global Catalog port number; otherwise Permitted Groups will fail. The default Global Catalog port is 3268, for example 10.110.20.23:3268.

The LoadMaster uses OCSP to check the validity of the server certificates supplied by configured LDAPS servers. If these checks fail, connections to the server are not permitted.

LDAP Protocol

Select the transport protocol to use when communicating with the LDAP server.

Note: If you create an SSO domain with the Authentication Protocol set to Certificates, ensure that the LDAP Protocol in the LDAP endpoint is set to LDAPS.

Validation Interval

Specify how often the user should be revalidated with the LDAP server.

Referral Count

The LoadMaster offers beta functionality to support LDAP referral replies from Active Directory Domain Controllers. If this is set to 0, referral support is not enabled. Set this field to a value between 1 and 10 to enable referral chasing; the value limits the number of hops (referrals chased).

Note: Multiple hops may increase authentication latency. There is a performance impact that depends on the number and depth of referrals required in your configuration.

Note: You must have intimate knowledge of your Active Directory structure to set the referral limit appropriately. The same credentials are used for all lookups.

Note: Using the Active Directory Global Catalog (GC) as the primary means of resolution is the preferred configuration, rather than enabling LDAP referral chasing. A GC query uses the GC cache instead of relying on LDAP and the referral process, and it has little or no performance drag on the LoadMaster. For steps on how to add or remove the GC, refer to the following TechNet article: https://technet.microsoft.com/en-us/library/cc755257(v=ws.11).aspx

Server Timeout

Specify the LDAP server timeout in seconds. The default value is 5. Valid values range from 5 to 60.

Admin User

Type the username of an administrator user.

Admin User Password

Type the password for the specified administrator user.
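The following is an added example, not part of the LoadMaster documentation or product: a pre-flight check that applies the rules stated above (endpoint name without spaces or special characters, server list with optional ports, Server Timeout 5 to 60, Referral Count 0 to 10, the Global Catalog port 3268 when multiple domains use Permitted Groups, and LDAPS for Certificate-based SSO) to an endpoint definition before it is entered in the WUI. The `LdapEndpoint` fields, the protocol label strings and the "alphanumeric only" reading of the name rule are assumptions.

```python
import re
from dataclasses import dataclass

GC_PORT = 3268  # Global Catalog port named in the documentation


@dataclass
class LdapEndpoint:
    """Hypothetical record of the WUI fields described on this page."""
    name: str                 # LDAP endpoint name
    servers: str              # space-separated "host" or "host:port"
    protocol: str             # assumed label, e.g. "LDAP" or "LDAPS"
    timeout: int = 5          # Server Timeout in seconds
    referral_count: int = 0   # Referral Count (0 = disabled)
    multi_domain_permitted_groups: bool = False
    used_by_cert_sso: bool = False  # SSO domain with Certificates auth


def parse_servers(spec):
    """Split the server field into (host, port or None) tuples."""
    out = []
    for item in spec.split():
        host, sep, port = item.rpartition(":")
        if sep and port.isdigit():
            out.append((host, int(port)))
        else:
            out.append((item, None))  # no port given
    return out


def check_endpoint(ep):
    """Return a list of rule violations; an empty list means the definition passes."""
    problems = []
    if not re.fullmatch(r"[A-Za-z0-9]+", ep.name):  # assumed: alphanumeric only
        problems.append("name: spaces and special characters are not permitted")
    servers = parse_servers(ep.servers)
    if not servers:
        problems.append("servers: at least one LDAP server is required")
    if not 5 <= ep.timeout <= 60:
        problems.append("timeout: valid values range from 5 to 60 seconds")
    if not 0 <= ep.referral_count <= 10:
        problems.append("referral_count: must be 0 (disabled) or 1 to 10 hops")
    if ep.multi_domain_permitted_groups and not any(p == GC_PORT for _, p in servers):
        problems.append("servers: multiple domains with Permitted Groups usually need Global Catalog port 3268")
    if ep.used_by_cert_sso and ep.protocol != "LDAPS":
        problems.append("protocol: SSO domains using Certificates require LDAPS")
    return problems
```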