Provisioning AD LDS User behind BIG-IP (Load balancing)

Hi there,

I am facing a problem and need your help.

My topology is below:

AD ==> FIM == BIG-IP (Load balancing)==> AD LDS

- Connection from FIM to BIG-IP is encrypted with SSL (using port 636). From FIM, I can retrieve AD LDS object information.

- BIG-IP to AD LDS is not encrypted (using port 389).

I'm using a Metaverse Rule to provision and sync users from AD to AD LDS. Import from AD to the Metaverse works normally, and I can see the provisioning will be run with the MA export to AD LDS.

When I run Export User to AD LDS, the data is pushed into the connector space successfully but the user cannot be created on AD LDS.

The error is: Illegal modify operation. Some aspect of the modification is not permitted.

Hope anyone can help.

I did some Google searching and got this link: https://lainrobertson.wordpress.com/2011/03/03/ad-lds-ssl-woes/

But it does not look exactly like the issue I am facing.

August 10th, 2015 8:17am

Is anything at all going to LDS? It seems that the user you are using in the AD LDS connector does not have the needed permissions in LDS. I don't think this is a BIG-IP issue at all.

August 10th, 2015 9:18am

Thanks for your reply.

Actually, I did try to point the MA directly to AD LDS using 389 and it works, so the problem should be from BIG-IP?

August 10th, 2015 9:20am

I see. So what is BIG-IP doing, exactly? Is it only a proxy, a load balancer, or what? It may be that the session in BIG-IP is not persistent and it is not keeping the connection live during the whole process, which it should.
August 10th, 2015 9:27am

I don't have much experience in configuring BIG-IP. As far as I know, it is a load balancer, because we have a few AD LDS servers with the database replicated.

I need to check more with the network team to get more information. But do we have any way to detect or prove that more clearly? I'd appreciate it if you have any suggestion for that.

August 10th, 2015 9:46am
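One way to get the evidence asked for above, as an added diagnostic that is not from this thread or from FIM: bind once to the path under test, run a few rootDSE reads and one attribute write on that same connection, and compare the results through the BIG-IP virtual server (LDAPS, 636) with those against an LDS instance directly (LDAP, 389). The virtual server name, the direct server name and the test object DN are placeholders, and the account is assumed to have write access to that object.

```powershell
# Added diagnostic (not from the thread). One bind, several reads, one write, all on the
# same LDAP connection, so a load balancer that drops or re-balances the session mid-sequence,
# or a server that refuses the write, shows up at a specific step with the server's own message.
Add-Type -AssemblyName System.DirectoryServices.Protocols

function Test-LdsPath {
    param(
        [string]$Server, [int]$Port, [bool]$UseSsl,
        [pscredential]$Cred, [string]$TestDn
    )
    $id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($Server, $Port)
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id)
    $conn.SessionOptions.ProtocolVersion   = 3
    $conn.SessionOptions.SecureSocketLayer = $UseSsl
    # Simple bind sends the password in clear unless SSL is on; on the 389 leg that is visible on the wire.
    $conn.AuthType   = [System.DirectoryServices.Protocols.AuthType]::Basic
    $conn.Credential = $Cred.GetNetworkCredential()
    try {
        $conn.Bind()
        # Which LDS instance answers? Repeating on the same connection shows whether it changes mid-session.
        1..3 | ForEach-Object {
            $req = New-Object System.DirectoryServices.Protocols.SearchRequest('', '(objectClass=*)', 'Base', 'dnsHostName')
            $res = $conn.SendRequest($req)
            "{0}:{1} read ok, answered by {2}" -f $Server, $Port, $res.Entries[0].Attributes['dnsHostName'][0]
        }
        # The same kind of write the FIM export performs, isolated from the provisioning code.
        $mod = New-Object System.DirectoryServices.Protocols.ModifyRequest($TestDn, 'Replace', 'description', 'lb-path-probe')
        $null = $conn.SendRequest($mod)
        "{0}:{1} modify ok" -f $Server, $Port
    }
    catch [System.DirectoryServices.Protocols.DirectoryOperationException] {
        # Server-side refusal (this is where 'Illegal modify operation' would surface), with the LDAP result code
        "{0}:{1} refused: {2} / {3}" -f $Server, $Port, $_.Exception.Response.ResultCode, $_.Exception.Response.ErrorMessage
    }
    catch { "{0}:{1} failed: {2}" -f $Server, $Port, $_.Exception.Message }
    finally { $conn.Dispose() }
}

$cred   = Get-Credential -Message 'AD LDS account with write access to the probe object'
$testDn = 'CN=lb-probe,OU=People,DC=example,DC=local'   # ASSUMPTION: an existing test object, not a production user
Test-LdsPath -Server 'lds-vip.example.local' -Port 636 -UseSsl $true  -Cred $cred -TestDn $testDn   # through BIG-IP
Test-LdsPath -Server 'lds01.example.local'   -Port 389 -UseSsl $false -Cred $cred -TestDn $testDn   # direct, as already tried
```

If the direct run reports "modify ok" and the BIG-IP run reports a refusal or a failure between the reads and the write, the difference is in the load-balanced path rather than in the FIM provisioning code, which is the distinction the thread is trying to make.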

I am sorry, this is not one of my strongest skills either. I don't want to waste your time with guessing.
August 10th, 2015 9:48am

Hi Duc, it sounds like there's something wrong with the object you are attempting to export to your AD LDS connected directory. Are you constructing DNs correctly in your provisioning code? Also, are you setting the object class hierarchy correctly in your provisioning code?

Cheers,
August 10th, 2015 4:22pm

Hi Thomas,

Duc claims that it works fine if not going through BIG-IP. Basically not a FIM issue.

August 10th, 2015 4:24pm

Well spotted Nosh, I missed that post! Duc, when you configured the AD LDS MA to bypass the load balancer, did you use LDAP (389) or LDAPS (636)? Are you attempting to export an attribute value that can only be set over a secure channel?
August 10th, 2015 4:30pm

Thomas,

He has answered that too: "- BIG-IP to AD LDS is not encrypted (using port 389)."

:)

I think he simply needs to get away from BIG-IP and go directly against the LDS server.

August 10th, 2015 4:53pm

Thanks Nosh for your support.

Currently I only have one AD LDS and am going to try to build another one this weekend. But I wonder: if we get away from BIG-IP, and one AD LDS goes down, we would modify the MA to connect to the remaining one. Is it possible to maintain the connection to the users we synced before? That is, is it possible to update attributes of users that we already synced?

Thanks.

August 11th, 2015 12:52am

If your networking people are unable to set up the load balancer to work with LDS, there are some facts to consider.

1. How many times a day do you run the FIM jobs? How often do you need the data to be synced with LDS?

2. If the LDS server is indeed down, you can always change the server name on the LDS MA. Not ideal, but possible.

I have done this before and I know it works, but I cannot really help you set up the load balancer. That is a networking function. I believe you should also be able to use Windows NLB for LDS servers.

August 12th, 2015 9:42am

Today I installed a new AD LDS (replicated from the old one) using NLB, and it works perfectly. I will try to convince my client to go that way.

Thanks a lot.

August 15th, 2015 10:59am
