How to load balance LDAP queries from CPPM.
You may configure the domain name in the Active Directory authentication source instead of a specific domain controller. With this, whenever ClearPass does a DNS lookup for the domain name, the DNS server returns the available domain controllers, and ClearPass uses the one returned for the LDAP lookup.
1. Log in to ClearPass Policy Manager as a Super administrator.
2. Navigate to Configuration --> Authentication --> Sources --> click Add to create a new Active Directory source.
3. In the Hostname field, specify the domain name instead of a specific domain controller.
4. Configure the Bind DN and its password, ensure that ClearPass is able to look up the AD objects using the Search Base DN, and save the configuration.
The screenshot below shows the hostname configured with the domain name nsblr.in, and the AD objects could be searched using the Search Base DN.
To verify the available domain controllers for the domain, use the command below from the CLI over SSH, logged in as appadmin.
network nslookup -q srv <Host or domain to be queried>
The screenshot below shows that there are two available domain controllers for the domain nsblr.in. They are:
1. NSLABDC1.nsblr.in with IP = 10.17.164.22
2. win-k6b7u4epbei.nsblr.in with IP = 10.17.164.15
Running network ping against the individual DC FQDNs shows their IP addresses:
In the first instance, network ping of the domain name nsblr.in shows the response coming from the first domain controller (NSLABDC1.NSBLR.IN).
In the second instance, network ping of the domain name nsblr.in shows the response coming from the second domain controller (win-k6b7u4epbei.nsblr.in).
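The alternating ping responses above are DNS round-robin at work: each lookup of the domain name returns the DC addresses in a rotated order, so successive queries land on different controllers. The script below is an added example, not ClearPass code, that models the two resolution paths involved offline: the SRV answer that `network nslookup -q srv` shows (ordered per RFC 2782 by priority, then weighted random) and the rotating A-record answer for the bare domain name that ClearPass actually uses. The DC names and IPs are the two from this article; the SRV priority and weight values and port are assumptions for the example.

```python
import random
from collections import namedtuple

# Constructed sample data: the two DCs from the article. Priority, weight
# and port are assumed values, not taken from a real zone.
SrvRecord = namedtuple("SrvRecord", "priority weight port target")

SRV_RECORDS = [
    SrvRecord(0, 100, 389, "NSLABDC1.nsblr.in"),
    SrvRecord(0, 100, 389, "win-k6b7u4epbei.nsblr.in"),
]

A_RECORDS = {
    "NSLABDC1.nsblr.in": "10.17.164.22",
    "win-k6b7u4epbei.nsblr.in": "10.17.164.15",
}


def order_srv(records, rng=random):
    """Order SRV records the way RFC 2782 tells a client to use them:
    lowest priority first; within one priority pick targets by weighted
    random selection (weight 0 records are only used when nothing else
    in the group is left)."""
    ordered = []
    for prio in sorted({r.priority for r in records}):
        # zero-weight records go first in the candidate list so they are
        # effectively chosen last, as the RFC requires
        group = sorted((r for r in records if r.priority == prio),
                       key=lambda r: r.weight != 0)
        while group:
            total = sum(r.weight for r in group)
            pick = rng.randint(0, total) if total else 0
            running = 0
            for r in group:
                running += r.weight
                if running >= pick:
                    ordered.append(r)
                    group.remove(r)
                    break
    return ordered


def round_robin_answers(hosts):
    """Simulate a DNS server rotating a multi-valued A record on each
    successive query, which is what the domain name lookup returns."""
    hosts = list(hosts)
    while True:
        yield [A_RECORDS[h] for h in hosts]
        hosts.append(hosts.pop(0))


def dc_sequence(n, hosts=tuple(A_RECORDS)):
    """IPs a client that takes the first answer would contact over n
    lookups of the domain name: this alternates between the DCs, matching
    the ping observations in the article."""
    answers = round_robin_answers(hosts)
    return [next(answers)[0] for _ in range(n)]


def srv_targets(records=SRV_RECORDS, seed=None):
    """Target names in the order a client should try them."""
    rng = random.Random(seed)
    return [r.target for r in order_srv(records, rng)]


if __name__ == "__main__":
    print("SRV order:", srv_targets(seed=1))
    print("Domain-name lookups:", dc_sequence(4))
```

The `dc_sequence` output shows why the page's caveat about replication matters: two authentications seconds apart can be served by different controllers, and ClearPass has no say in which one answers.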
With this configuration, all the domain controllers must be kept in sync with each other. If replication between the domain controllers that ClearPass is using for LDAP lookups is delayed, the result may be incorrect role mapping or enforcement profiles, especially where they are based on AD user or computer attributes.
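To make the replication caveat concrete, the following added example (not ClearPass code) evaluates a simple memberOf-based role rule against per-DC snapshots of the same user object and flags attributes that differ between controllers, using the whenChanged timestamp to identify which DC is behind. The snapshots, the user, the group DNs and the rule are all constructed for this example; in practice the attribute values would come from an LDAP search issued against each DC individually rather than against the domain name.

```python
from datetime import datetime, timezone

# Constructed snapshots of one user as returned by each DC. The group
# change has replicated to NSLABDC1 but not yet to the second DC.
SNAPSHOTS = {
    "NSLABDC1.nsblr.in": {
        "sAMAccountName": "jdoe",
        "memberOf": {"CN=VPN-Users,OU=Groups,DC=nsblr,DC=in",
                     "CN=Domain Users,CN=Users,DC=nsblr,DC=in"},
        "whenChanged": "20240105093000.0Z",
    },
    "win-k6b7u4epbei.nsblr.in": {
        "sAMAccountName": "jdoe",
        "memberOf": {"CN=Domain Users,CN=Users,DC=nsblr,DC=in"},
        "whenChanged": "20231220081500.0Z",
    },
}


def role_for(attrs):
    """Stand-in for a ClearPass role-mapping rule: membership of the
    (constructed) VPN-Users group grants the VPN role."""
    if any(dn.startswith("CN=VPN-Users,") for dn in attrs["memberOf"]):
        return "VPN-Users"
    return "Guest"


def roles_per_dc(snapshots=SNAPSHOTS):
    """Role each DC's view of the object would produce; a difference here
    is exactly the wrong-enforcement case the article warns about."""
    return {dc: role_for(attrs) for dc, attrs in snapshots.items()}


def _canon(value):
    # sets are unordered and unhashable; compare them as sorted tuples
    if isinstance(value, (set, frozenset)):
        return tuple(sorted(value))
    return value


def attribute_drift(snapshots=SNAPSHOTS, attrs=("memberOf", "whenChanged")):
    """Return {attribute: {dc: value}} for every attribute whose value is
    not identical across all DCs."""
    drift = {}
    for name in attrs:
        per_dc = {dc: _canon(s.get(name)) for dc, s in snapshots.items()}
        if len(set(per_dc.values())) > 1:
            drift[name] = per_dc
    return drift


def parse_generalized_time(value):
    """AD whenChanged uses LDAP GeneralizedTime, e.g. 20240105093000.0Z."""
    return datetime.strptime(value, "%Y%m%d%H%M%S.0Z").replace(tzinfo=timezone.utc)


def lagging_dcs(snapshots=SNAPSHOTS):
    """DCs whose copy of the object is older than the newest copy seen."""
    stamps = {dc: parse_generalized_time(s["whenChanged"]) for dc, s in snapshots.items()}
    newest = max(stamps.values())
    return sorted(dc for dc, t in stamps.items() if t < newest)


if __name__ == "__main__":
    print("Roles per DC:", roles_per_dc())
    print("Drifting attributes:", list(attribute_drift()))
    print("Lagging DCs:", lagging_dcs())
```

Running this periodically against each controller in the SRV answer, rather than against the domain name, turns the caveat into a check: any user whose role differs between DCs is a candidate for a wrong enforcement decision until replication catches up.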