The Proxy server

The Proxy server is a special type of IBM® Tivoli® Directory Server that provides request routing, load balancing, fail over, distributed authentication and support for distributed/membership groups and partitioning of containers. Most of these functions are provided in a new backend, the proxy backend. IBM Tivoli Directory Proxy Server does not have an RDBM backend and cannot take part in replication.

A directory proxy server sits at the front-end of a distributed directory and provides efficient routing of user requests thereby improving performance in certain situations, and providing a unified directory view to the client. It can also be used at the front-end of a server cluster for providing fail over and load balancing.

The proxy server routes read and write requests differently based on the configuration. Write requests for a single partition are directed to the single primary write server. Peer servers are not used to avoid conflicts. Read requests are routed in a round robin manner to balance the load. However, if high consistency is enabled read requests are routed to the primary write server.

The proxy server also provides support for ACL's to be defined based on groups defined on a different partition, and support for partitioning of flat namespaces. The proxy server can also be used as an LDAP-aware load balancer.

The proxy server is configured with connection information to connect to each of the backend servers for which it is proxying. The connection information comprises of host address, port number, bind DN, credentials and a connection pool size. Each of the back-end servers is configured with the DN and credentials that the proxy server uses to connect to it. The DN must be a member of the global admin group, local admin group with dirData authority, or the primary administrator.

If you specify an administrative control for any operation on proxy, the proxy server will propagate the administrative control to the backend server.

The proxy server routes new requests targeting a backend server only through a free backend connection. If there are no free backend connections available, Proxy will temporarily suspend reading requests from clients. Proxy will resume reading from clients only when the backend connection becomes free. Also, if there are pending requests from a client to a backend, any new request from the client will be routed through the same backend connection used by earlier requests.

The ibm-slapdProxyMaxPendingOpsPerClient attribute included in the ibm-slapdProxyBackendServer objectclass can be used to configure the threshold limit for pending requests from a client connection in a backend connection. On reaching this threshold limit, requests from the client connection will not be read until the pending requests in the backend connection reduces to a value below the specified threshold limit. If this attribute is not specified, the maximum pending client operations will default to 5.

Finally, the proxy server is configured with its own schema. You need to ensure that the proxy server is configured with the same schema as the back-end servers for which it is proxying. The proxy server must also be configured with partition information.

The server uses the same default configuration file whether it is configured as a directory server or a proxy server. However, when the server is configured as a proxy server, the configuration settings for the features that the proxy server does not support are ignored. Given below is a list of entries in the configuration file that are ignored by the proxy server:

cn=Event Notification, cn=Configuration
cn=Persistent Search, cn=Configuration
cn=RDBM Backends, cn=IBM Directory, cn=Schemas, cn=Configuration
cn=Replication, cn=configuration
cn=Bulkload, cn=Log Management, cn=Configuration
cn=DB2CLI, cn=Log Management, cn=Configuration

For the entry “cn=Front End, cn=configuration", environment variables set under this entry will be supported by proxy. The environment variables supported by the proxy server include the following:

Table 21. Environment variables supported by proxy server
Variable	Description
PROXY_CACHE_GAG_PW	Specifies if password caching is enabled or disabled. The proxy server has the ability to locally cache the passwords of global administrators. If password policy is enabled, caching of the Global Admin Group Member passwords is disabled. If password policy is disabled, the caching of Global Admin Group Members is enabled. PROXY_CACHE_GAG_PW environment variable can override this default behavior. PROXY_CACHE_GAG_PW set to YES will enable password caching. PROXY_CACHE_GAG_PW set to any other value will disable password caching. When the env variable is unset the default behavior is governed by the password policy setting.
PROXY_GLOBAL_GROUP_PERIOD	Specifies the interval after which the proxy interval thread wakes up. The default value for this variable is 30 seconds.
PROXY_USE_SINGLE_SENDER	Specifies if a single sender thread is used for the operations. By default this is false.
PROXY_RECONNECT_TIME	Specifes the interval after which the proxy tries to reconnect to a backend server that has gone down. By default this is 5 seconds.
LDAP_LIB_WRITE_TIMEOUT	Specifies the time (in seconds) to wait for a socket to be write ready
FLOW_CONTROL_SLEEP_TIME	In Flow control, when there are no free backend connections available, the proxy server temporarily suspends reading from socket. It then checks periodically to see if there is a free backend connection that became available. The frequency with which this check is done is determined by the environment variable "FLOW_CONTROL_SLEEP_TIME". This must be set to an integer value and will specify in milliseconds the frequency with which the check is done by the proxy. If the environment variable is not set, it defaults to 5.

The proxy server supports some features of Tivoli Directory Server while at the same time there are some features that are not supported by proxy. The list of features that are supported by the proxy server are given below:

Log access extended operations.
Dynamic configuration of the supported attributes
Server start stop
TLS
Unbind of a bound dn
Dynamic trace
Attribute type extended operation
User type extended operation
Auditing of source ip control
Server administration control
Entry check sum
Entry uuid
Filter acls
Admin group delegation
Denial of service prevention
Admin server auditing
Dynamic groups
Monitor operation counts
Monitor logging counts
Connection monitor active workers
Monitor tracing
SSL Fips mode
Modify dn as long as the entry rename does not move the entry across partitions.
Multiple instances
AES password encryption
Admin password policy
Locate entry extended operation
Resume role extended operation
ldap get file
Limit number of attribute values
Audit performance - Performance auditing is supported for proxy. The following performance info fields for each audit record are valid for proxy. The RDBM lock wait time will always be 0 for a proxy server:
- Operation response time
- Time spent on work Q
- Client I/O time
Digest MD-5 Binds
Admin roles
Preoperation plugins
Global Admin Group
Paged and Sorted Searches
ibm-allmembers search
Transactions
Note:

Transactions are supported but only if all the entries that are part of the transaction request reside on a single directory server.

The list of features not supported by the proxy server are given below:

Event notification
Replication management extended operations
Group evaluation extended operation
Account Status extended operation
Subtree delete
Proxy authorization control
Group authorization control
Omit group Referential integrity
Unique Attributes
Effective password policy
Online backup extended operation
Password prebind extended operation
Password post bind extended operation
Post Operation plugins
Null based search