LDAP Stores :: Failover

Article ID: 49848

Products

CA Single Sign On Secure Proxy Server (SiteMinder)
AXIOMATICS POLICY SERVER
CA Single Sign On SOA Security Manager (SiteMinder)
CA Single Sign-On

Issue/Introduction

We'd like to know how the Failover functionality on the Policy Server
works for the LDAP Stores.


Environment


Policy Server all versions


Resolution


Failover:

The Connection Manager tracks the status of each directory instance
with a dedicated Ping Server thread. Every 30 seconds the Ping Server
thread checks the health of each directory by issuing an LDAP search
with the filter:

objectclass=*

For each search, the Ping Server thread waits a default maximum of ten
(10) seconds for a response.

This wait is configurable in the User Directory Definition through the
Max Time setting. Max Time defaults to 30 and defines how long the
Policy Server waits for a response from the directory server.

If the Ping Server search fails or times out, the Connection Manager
connection, the Dir connection and the User connection of that instance
are all considered failed. The directory instance is marked bad, its
connections are removed from the list of available connections, and the
Policy Server fails over to the next configured store.

If a Thread Pool thread detects a failure on the Dir or User connection
it is using, it makes both the Dir and User connections unavailable.
The Policy Server then immediately runs the Ping Server check described
above against that bank or directory, without waiting for the next
30-second cycle. If the Ping Server finds the instance responsive, the
failed Dir and User connections are replaced. If the Ping Server
confirms that the directory instance has failed or is unreachable, that
instance, and any other failed instance in the bank or directory, is
marked bad.

Failback:

The Ping Server thread keeps checking the health of the LDAP servers
every 30 seconds. As soon as it detects that the primary LDAP server is
up again, the Policy Server fails back to it.

Note that there is no load balancing for LDAP Policy Stores; LDAP User
Stores, however, can be configured for load balancing.

For an LDAP Policy Store with two entries on the Policy Store tab, the
Policy Server uses only one entry at a time. If that entry fails, the
other entry is used, and the Policy Server fails back as soon as the
first one is up again.
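The following is an added illustration of the failover and failback rules described above; it is not SiteMinder code. The Policy Server's Connection Manager is internal, so the model takes a pluggable probe: a fake one drives the scripted outage so it runs offline, and an optional ldapsearch-based probe reproduces the Ping Server's own check (a base-scope search with filter objectclass=* and a 10-second limit). The hostnames and the ldapsearch command line are assumptions.

```python
"""Model of Policy Server LDAP store failover/failback (added example, not
SiteMinder code). Hostnames and the ldapsearch invocation are assumptions."""
import subprocess
from typing import Callable, Iterable, List, Optional

PING_INTERVAL_SECONDS = 30   # Ping Server thread re-checks every instance this often
PING_TIMEOUT_SECONDS = 10    # default maximum wait for the ping search

Probe = Callable[[str], bool]   # True if the instance answered the search


def ldapsearch_probe(host: str, timeout: int = PING_TIMEOUT_SECONDS) -> bool:
    """Same check the Ping Server thread performs: an anonymous base-scope
    search of the root DSE with filter (objectclass=*), abandoned after
    `timeout` seconds. Assumes the OpenLDAP ldapsearch client is installed;
    -o nettimeout bounds the TCP connect and -l bounds the search itself."""
    cmd = ["ldapsearch", "-x", "-H", f"ldap://{host}",
           "-o", f"nettimeout={timeout}", "-l", str(timeout),
           "-s", "base", "-b", "", "(objectclass=*)"]
    try:
        result = subprocess.run(cmd, capture_output=True, timeout=timeout + 5)
    except (FileNotFoundError, subprocess.TimeoutExpired):
        return False
    return result.returncode == 0


class LdapStoreFailover:
    """One bank per configured entry; entries are tried in configured order.
    Only one instance is active at a time (no load balancing for Policy Stores)."""

    def __init__(self, instances: Iterable[str], probe: Probe) -> None:
        self.instances: List[str] = list(instances)
        self.probe = probe
        self.bad: set = set()

    def ping_cycle(self) -> Optional[str]:
        """One pass of the Ping Server thread (every PING_INTERVAL_SECONDS).
        A failed or timed-out search marks the instance bad and its User, Dir
        and Ping connections are withdrawn; a successful search clears the mark."""
        for inst in self.instances:
            if self.probe(inst):
                self.bad.discard(inst)
            else:
                self.bad.add(inst)
        return self.active()

    def active(self) -> Optional[str]:
        """First healthy instance in configured order. This single rule gives
        both failover (next entry when the current one is bad) and failback
        (the primary again as soon as it is healthy)."""
        for inst in self.instances:
            if inst not in self.bad:
                return inst
        return None  # every instance is bad

    def report_connection_failure(self, inst: str) -> bool:
        """A Thread Pool thread saw its Dir or User connection fail: the Ping
        Server is run on that instance immediately instead of waiting for the
        next cycle. Returns True if it answered (connections are just replaced)."""
        if self.probe(inst):
            self.bad.discard(inst)
            return True
        self.bad.add(inst)
        return False


def demo() -> List[Optional[str]]:
    """Scripted outage of the primary with a fake probe (constructed hostnames)."""
    health = {"ldap-primary": True, "ldap-secondary": True}
    store = LdapStoreFailover(health.keys(), probe=lambda h: health[h])
    timeline = [store.ping_cycle()]                   # both up: primary in use
    health["ldap-primary"] = False
    store.report_connection_failure("ldap-primary")  # thread pool hits the outage
    timeline.append(store.active())                  # failover to secondary
    health["ldap-primary"] = True
    timeline.append(store.ping_cycle())              # next ping: failback
    return timeline


if __name__ == "__main__":
    print(demo())  # ['ldap-primary', 'ldap-secondary', 'ldap-primary']
```

To check what the Policy Server would see from a given host, call ldapsearch_probe() against each entry on the Policy Store tab; an instance for which it returns False is one the Ping Server thread would mark bad.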

Each entry is one bank, and each bank has its own User, Dir and Ping
search connection.

The Dir connection is used to update the Policy Store; it carries both
LDAP searches and LDAP updates.