LDAP clustering for LDAP identity provider is not working as expected

Article ID: 201221

Products

CA API Gateway; API SECURITY; CA API Gateway Precision API Monitoring Module for API Gateway (Layer 7); CA API Gateway Enterprise Service Manager (Layer 7); STARTER PACK-7; CA Microgateway

Issue/Introduction

Background of issue:

There are 4 LDAP servers in the LDAP cluster, but when one of the nodes is down the gateway gets more than 80% errors, not the expected 25%.

The LDAP identity provider is configured with 2 LDAP URLs, both pointing to the cluster's load balancer on different ports.

Cause

The LDAP URLs are configured with the hostname of the LDAP cluster's load balancer rather than the individual nodes.

When an LDAP connection fails, the gateway puts that LDAP URL on its blacklist for one minute by default. Because the URL is the load balancer's hostname, the whole cluster is unavailable to the gateway for that period, not just the one failed node.

With multiple LDAP URLs, the gateway uses the first available URL and keeps using it until it fails; it then blacklists that URL and tries the next one.

Environment

Release : 9.0

Component : API GTW ENTERPRISE MANAGER

Resolution

  • The best solution is to configure the load balancer properly so that it only routes requests to the available nodes in the cluster.
  • On the gateway side, the cluster-wide property ldap.reconnect.timeout controls the blacklist duration; setting it to 0 disables the blacklist. The cluster property can be overridden by the "Reconnect Timeout" setting in the LDAP wizard.
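The following is a simplified model, added here and not the gateway's own code, of the URL selection and blacklisting behaviour described in the Cause section, run under the two settings discussed in the Resolution. It assumes a constructed load balancer that round-robins over four nodes with no health check, one request per second, and two URLs that both resolve to the same load balancer hostname; the hostnames are placeholders.

```python
from dataclasses import dataclass, field


@dataclass
class Gateway:
    """Model of the URL selection described in the Cause section (assumption, not gateway code):
    use the first non-blacklisted URL; on failure blacklist it for reconnect_timeout seconds
    and fall through to the next URL. reconnect_timeout == 0 disables the blacklist."""
    urls: list
    reconnect_timeout: float
    blacklisted_until: dict = field(default_factory=dict)

    def lookup(self, now, connect):
        for url in self.urls:
            if self.blacklisted_until.get(url, -1.0) > now:
                continue                      # still blacklisted, skip it
            if connect(url):
                return True                   # stick with this URL while it works
            if self.reconnect_timeout > 0:
                self.blacklisted_until[url] = now + self.reconnect_timeout
        return False                          # every URL blacklisted or failed


class RoundRobinBalancer:
    """Constructed LB in front of the nodes that keeps a dead node in rotation
    (no health check), which is the misconfiguration the Resolution fixes first."""
    def __init__(self, node_up):
        self.node_up = list(node_up)
        self.next_node = 0

    def connect(self, url):
        node = self.next_node % len(self.node_up)
        self.next_node += 1
        return self.node_up[node]


def error_rate(reconnect_timeout, node_up=(True, True, True, False), seconds=240):
    """Fraction of failed lookups over `seconds` requests arriving one per second."""
    lb = RoundRobinBalancer(node_up)
    # both URLs resolve to the same LB hostname, only the port differs (as in the article)
    gw = Gateway(["ldap://ldap-lb.example:389", "ldap://ldap-lb.example:636"], reconnect_timeout)
    errors = sum(1 for t in range(seconds) if not gw.lookup(float(t), lb.connect))
    return errors / seconds


if __name__ == "__main__":
    print("blacklist 60s, one node down:", error_rate(60))                              # 0.9
    print("blacklist off (timeout 0):   ", error_rate(0))                               # 0.0
    print("LB routes only to live nodes:", error_rate(60, node_up=(True, True, True)))  # 0.0
```

With the default one-minute blacklist, one dead node behind the balancer takes both URLs out for most of each cycle, which is why the observed error rate is far above the 25% a single dead node would suggest.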

Additional Information

https://techdocs.broadcom.com/us/en/ca-enterprise-software/layer7-api-management/api-gateway/10-0/reference/gateway-cluster-properties/ldap-cluster-properties.html

https://techdocs.broadcom.com/us/en/ca-enterprise-software/layer7-api-management/api-gateway/10-0/security-configuration-in-policy-manager/identity-providers/ldap-identity-providers/simple-ldap-identity-provider-wizard.html