
How to Configure HA LDAP Server with the vRO Active Directory Plug-in Using F5 BIG-IP

By Spas Kaloferov

In this post we will demonstrate how to configure a highly available (HA) LDAP server for use with the VMware vRealize Orchestrator (vRO) Active Directory Plug-in. We will accomplish this using F5 BIG-IP, which can also be used to load balance LDAP traffic.

The Problem

The Configure Active Directory Server workflow, part of the vRO Active Directory Plug-in, allows you to configure a single Active Directory (AD) host by IP or URL. For example:

[Screenshot: SKaloferov_Configure Active Directory]

Q: What if we want to connect to multiple AD domain controller (DC) servers to achieve high availability?
A: One way is to create additional DNS records for those servers under the same name, and use that name when running the workflow to add the AD server. DNS will then return any of the given AD servers in round-robin order.

Q: Will this prevent me from hitting a DC server that is down or unreachable?
A: No, health checks are not performed to determine if a server is down.

Q: How can I implement a health-checking mechanism that determines whether a given Active Directory domain controller is down, so that it is not returned to vRO?
A: By using an F5 BIG-IP Virtual Server configured for LDAP requests.

Q: How can I configure that in F5?
A: This is covered in the next chapter.

The Solution

We can configure an F5 BIG-IP device to listen for and satisfy LDAP requests in the same way we configured it for vIDM in an earlier post.

To learn more about how to configure an F5 BIG-IP Virtual Server to listen for and satisfy LDAP requests, visit the “How to set vIDM (SSO) LDAP Site-Affinity for vRA” blog post and read the Method 2: Using F5 BIG-IP chapter.

In this case we will use the same F5 BIG-IP Virtual Server (VS) we created for the vIDM server:

  1. Log in to vRO and navigate to the Workflows tab.
  2. Navigate to Library > Microsoft > Active Directory > Configuration and start the Configure Active Directory Server workflow.
  3. In the Active Directory Host IP/URL field provide the FQDN of the VS you created.
  4. Fill in the rest of the input parameters as per your AD requirements.
  5. Click Submit.

[Screenshot: SKaloferov_Active Directory Server]

Go to the Inventory tab; you should see that the LDAP server has been added, and you should be able to expand and explore the inventory objects coming from that plug-in.

[Screenshot: SKaloferov_LDAP]

Now, in my case, I have two LDAP servers lying behind the virtual server.

[Screenshot: SKaloferov_F5 Standalone]

I will shut the first one down and see if vRO will continue to work as expected.

[Screenshot: SKaloferov_F5 Standalone Network Map]

Right-click the LDAP server and select Reload.

[Screenshot: SKaloferov_LDAP Reload]

Expand again and explore the LDAP server inventory. Since there is still one LDAP server that can satisfy requests, it should work.

Now let’s check to see what happens if we simulate a failure of all the LDAP servers.

[Screenshot: SKaloferov_LDAP Pool]

Right-click the LDAP server and select Reload.

You should see an error because there are no LDAP servers available to satisfy queries.

[Screenshot: SKaloferov_Plugin Error]
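To make the difference between the two approaches concrete, here is an added example (not code from this post, nor from VMware or F5) that models the behaviour described in the Q&A above and in the failover test just performed: DNS round robin keeps handing out every record whether or not the DC behind it is up, while a monitored pool, like the F5 virtual server, returns only members that passed their last health check and errors out once every member is down. The host names and the dictionary-based stand-in probe are constructed so the script runs offline; the ldap_tcp_probe function is a real, minimal LDAP probe (TCP connect plus an anonymous LDAPv3 bind) you can point at your own DCs instead.

```python
"""Health-checked LDAP pool versus DNS round robin (added example)."""
import itertools
import socket

# Anonymous LDAPv3 BindRequest, BER-encoded (RFC 4511):
# SEQUENCE { messageID 1, [APPLICATION 0] { version 3, name "", simple "" } }
ANON_BIND_REQUEST = bytes.fromhex("300c020101600702010304008000")


class NoLdapServerAvailable(Exception):
    """Raised when every pool member failed its last health check."""


def ldap_tcp_probe(host, port=389, timeout=2.0):
    """Real probe: TCP connect, send an anonymous bind, and treat any reply that
    starts an LDAPMessage (BER SEQUENCE, 0x30) as 'up'. A DC that refuses
    anonymous binds still answers with a BindResponse, which is enough to show
    the LDAP service itself is alive. Not used by the offline demo below."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(ANON_BIND_REQUEST)
            reply = sock.recv(64)
    except OSError:
        return False
    return len(reply) > 0 and reply[0] == 0x30


def dns_round_robin(hosts):
    """Several A records under one name: the resolver cycles through all of
    them and has no knowledge of which hosts are down."""
    return itertools.cycle(hosts)


class MonitoredPool:
    """Pool members plus a health monitor; only members marked up get selected."""

    def __init__(self, members, probe):
        self.members = list(members)
        self.probe = probe
        self.up = {m: True for m in self.members}
        self._rr = 0

    def run_monitor(self):
        """One monitor pass; returns the up/down map after probing each member."""
        for member in self.members:
            self.up[member] = bool(self.probe(member))
        return dict(self.up)

    def select(self):
        """Round robin across healthy members only; raise when none are left,
        which is the 'no LDAP servers available' error the post ends with."""
        healthy = [m for m in self.members if self.up[m]]
        if not healthy:
            raise NoLdapServerAvailable("all LDAP pool members are down")
        choice = healthy[self._rr % len(healthy)]
        self._rr += 1
        return choice


def compare_selection(hosts, down, requests=4):
    """Return (dns_picks, pool_picks) for `requests` lookups while the hosts in
    `down` are offline. The probe is a constructed stand-in (set membership) so
    the comparison runs offline; substitute ldap_tcp_probe for real DCs."""
    pool = MonitoredPool(hosts, probe=lambda h: h not in down)
    pool.run_monitor()
    dns = dns_round_robin(hosts)
    dns_picks = [next(dns) for _ in range(requests)]
    pool_picks = [pool.select() for _ in range(requests)]
    return dns_picks, pool_picks


if __name__ == "__main__":
    dcs = ["dc1.example.local", "dc2.example.local"]  # constructed names
    # First DC shut down: DNS still returns it, the pool never does.
    print(compare_selection(dcs, down={"dc1.example.local"}))
    # Every DC down: the pool has nothing to hand back to vRO.
    try:
        compare_selection(dcs, down=set(dcs))
    except NoLdapServerAvailable as err:
        print("pool error:", err)
```

With the first DC down, the DNS list alternates between both hosts (half of vRO's connection attempts would land on the dead server), while the pool returns the surviving DC every time; with both down the pool raises, matching the plug-in error shown above.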

Additional resources

My dear friend Oliver Leach wrote a blog post on a similar/related topic. Make sure to check it out at: “vRealize Orchestrator – connecting to more than one domain using the Active Directory plugin.”


Spas Kaloferov is an acting Solutions Architect member of Professional Services Engineering (PSE) for the Software-Defined Datacenter (SDDC) – a part of the Global Technical & Professional Solutions (GTPS) team. Prior to VMware, Kaloferov focused on cloud computing solutions.