Cisco ACE Loadbalancing and LDAPS

Unanswered Question
Dec 13th, 2011
Could anyone put me in the direction of a configuration document or advice on configuring load balancing with the LDAP secure port? I've read various articles about LDAPS not being supported on the ACE; is this correct?

I have partially configured this but have NAT issues at the moment, as it's in one-arm mode and this VLAN does not have any NAT configured. I have no configuration for the SSL termination and am not quite sure how that will work either.

Any advice would be appreciated.

Daniel Arrondo Ostiz (Cisco Employee) Tue, 12/13/2011 - 03:21

Hi Cassandra,

LDAP is not supported in ACE as an L7 protocol, but that doesn't mean you cannot load-balance it; it's simply that you cannot apply any kind of L7 inspection, and forget also about the SSL termination. If you configure it for pure L4 load-balancing, it should be just like any other protocol.

If you are using one-armed mode, you must find a way to send the return traffic through the ACE. This is normally done with the use of NAT, but you may also use other methods such as policy-based routing. Be aware that unless this return traffic goes through the ACE, connections will not work, so there is no point in testing the application until this is fixed.

I hope this helps.


svenkateshv Tue, 08/12/2014 - 07:33
You can do L4 load balancing for LDAP over SSL.

Something like:


ssl-proxy service sfLDAP_SSL-Proxy
  key LDAP-KEY-1024.pem
  cert LDAPS.FOO.COM.pem

serverfarm host LDAP-SF
  predictor leastconns
  rserver rs1 389
    inservice
  rserver rs2 389
    inservice

class-map match-any LDAPS-VIP
  2 match virtual-address  tcp eq 636

policy-map type loadbalance first-match LDAP-L4-Policy
  class class-default
    serverfarm LDAP-SF

policy-map multi-match LDAP-MM
  class LDAPS-VIP
    loadbalance vip inservice
    loadbalance policy LDAP-L4-Policy
    ssl-proxy server sfLDAP_SSL-Proxy
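
Added example, not part of the posts above and not Cisco code: a Python check that reads an ACE-style configuration and reports every `loadbalance policy`, `ssl-proxy server`, `serverfarm` or `class` reference whose name has no exact definition, with a hint when a definition differs only in letter case. The sample configuration is constructed from the sketch in the thread, the VIP address 192.0.2.10 is a placeholder, and comparing names case-sensitively is an assumption of this example.

```python
import re

# Constructed sample based on the sketch in the thread; 192.0.2.10 is a placeholder VIP.
SAMPLE = """\
ssl-proxy service sfLDAP_SSL-Proxy
serverfarm host LDAP-SF
class-map match-any LDAPS-VIP
  2 match virtual-address 192.0.2.10 tcp eq 636
policy-map type loadbalance first-match LDAP-L4-Policy
  class class-default
    serverfarm LDAP-SF
policy-map multi-match LDAP-MM
  class LDAPS-VIP
    loadbalance policy LDAP-L4-POLICY
    ssl-proxy server LDAP-SSL-PROXY
"""

# Top-level lines that define a named object: (kind, regex capturing the name).
DEFS = [
    ("ssl-proxy", r"^ssl-proxy service (\S+)"),
    ("serverfarm", r"^serverfarm (?:host |redirect )?(\S+)"),
    ("class-map", r"^class-map (?:type \S+ )?(?:match-\w+ )?(\S+)"),
    ("lb-policy", r"^policy-map type loadbalance \S+ (\S+)"),
]
# Indented lines that reference an object by name.
REFS = [
    ("ssl-proxy", r"^\s+ssl-proxy (?:server|client) (\S+)"),
    ("serverfarm", r"^\s+serverfarm (\S+)"),
    ("class-map", r"^\s+class (?!class-default)(\S+)"),
    ("lb-policy", r"^\s+loadbalance policy (\S+)"),
]

def scan(patterns, lines):
    """Yield (line_no, kind, name) for every line matching one of the patterns."""
    for no, line in enumerate(lines, 1):
        for kind, pat in patterns:
            m = re.match(pat, line)
            if m:
                yield no, kind, m.group(1)

def unresolved_refs(config):
    """Return (line_no, kind, name, hint) per reference with no exact-case definition;
    hint is a definition of the same kind that differs only in letter case, else None."""
    lines = config.splitlines()
    defined = {(kind, name) for _, kind, name in scan(DEFS, lines)}
    problems = []
    for no, kind, name in scan(REFS, lines):
        if (kind, name) not in defined:
            hint = next((d for k, d in defined if k == kind and d.lower() == name.lower()), None)
            problems.append((no, kind, name, hint))
    return problems
```

Calling `unresolved_refs(SAMPLE)` flags lines 10 and 11 of the sample: the policy name differs from its definition only in case, and the SSL proxy name has no matching definition at all.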

