LDAP failover configuration

LDAP failover configuration relies on the Lightweight Directory Access Protocol (LDAP), a standard method for accessing and updating information in a directory.

Directories are accessed with the client/server model of communication. Any server that implements LDAP is an LDAP server. The LDAP distributed architecture supports scalable directory services with server replication capabilities. Server replication improves the availability of a directory service.

Security Directory Server replication is based on a master-subordinate model. Sun Java™ System Directory Server replication is based on a supplier/consumer model, which Security Verify Access still treats as a master-subordinate or peer-to-peer relationship.

Active Directory Lightweight Directory Service (AD LDS) replication is based on membership in a configuration set, which is a group of AD LDS instances that share and replicate a common configuration partition and schema partition. AD LDS uses a multi-master form of replication, which means that any instance in the configuration set is writable and propagates the changes to all other instances in the configuration set.
Note: AD LDS instances cannot replicate with Active Directory. They replicate on a schedule that is independent of the Active Directory replication schedule, even when AD LDS is running in an Active Directory domain.

Security Verify Access treats each AD LDS instance in a configuration set as a replica. The Access Manager directory partition that contains the secAuthorityInfo subtree must be replicated to each of the AD LDS instances in the configuration set. The default replication schedule for AD LDS is one time per hour. This schedule can be changed, but the most frequent rate at which AD LDS replicates is four times an hour, so an update made to one instance in a configuration set is not propagated to the others for at least 15 minutes. Therefore, when Security Verify Access is used with AD LDS, configure one instance in the configuration set with a higher read/write preference than all other instances. This way, updates are always directed to the AD LDS instance with the highest preference, and the other instances are used only for failover, when the preferred instance is down.

For information about setting the AD LDS replication schedule, see the IBM Security Verify Access for Web: Installation Guide. To set preference values, see Preference values for replica LDAP servers.
Note: For SSL, ensure that the same certificate authority issues the AD LDS certificate for each instance in the configuration set. This way, Security Verify Access can validate the AD LDS certificate from each instance. If the AD LDS instances in the configuration set are on the same system, the instances can share the certificate.
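As an added illustration (not from the IBM documentation), the following Python model shows why a single preferred instance matters: writes go to the highest-preference replica, and a failover read from another instance can be stale until the replication interval has elapsed. The host names and the 15-minute interval are constructed values for the model.

```python
from dataclasses import dataclass, field

# Constructed model of an AD LDS configuration set as seen by a client that
# honours a read/write preference: the highest-preference instance that is up
# handles every operation; the others are used only for failover.
@dataclass
class Replica:
    host: str
    preference: int            # higher value = preferred for reads and writes
    up: bool = True
    data: dict = field(default_factory=dict)   # key -> (value, minute written)

# Assumed replication interval in minutes (the fastest AD LDS schedule).
REPLICATION_INTERVAL_MIN = 15

def select_replica(replicas):
    """Return the available replica with the highest preference, or None."""
    live = [r for r in replicas if r.up]
    return max(live, key=lambda r: r.preference, default=None)

def write(replicas, key, value, now_min):
    target = select_replica(replicas)
    if target is None:
        raise RuntimeError("no replica available")
    target.data[key] = (value, now_min)
    return target.host

def replicate(replicas, now_min):
    """Multi-master replication: entries older than the interval are pushed
    from every instance that is up to every other instance."""
    for src in (r for r in replicas if r.up):
        for key, (value, written) in list(src.data.items()):
            if now_min - written >= REPLICATION_INTERVAL_MIN:
                for dst in replicas:
                    if dst is not src and dst.data.get(key, (None, -1))[1] < written:
                        dst.data[key] = (value, written)

def read(replicas, key, now_min):
    replicate(replicas, now_min)
    target = select_replica(replicas)
    entry = target.data.get(key)
    return (entry[0] if entry else None, target.host)

def scenario():
    a = Replica("adlds-a.example.test", preference=10)   # preferred instance
    b = Replica("adlds-b.example.test", preference=5)    # failover instance
    reps, key = [a, b], "cn=user1"
    results = {"write_target": write(reps, key, "v1", now_min=0)}
    results["read_preferred"] = read(reps, key, now_min=1)
    a.up = False                    # preferred instance goes down before replicating
    results["failover_read_stale"] = read(reps, key, now_min=1)
    a.up = True
    replicate(reps, now_min=15)     # a scheduled replication cycle completes
    a.up = False
    results["failover_read_current"] = read(reps, key, now_min=15)
    return results
```

Running `scenario()` shows the write landing on the preferred instance, a stale failover read inside the replication window, and a current read from the failover instance once the cycle has completed.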

For a generic LDAP server, the failover configuration depends on the specific LDAP server. If the LDAP server supports the master-subordinate concept, Security Verify Access can use its replication support. For information about whether your LDAP server supports replication in this manner, see the documentation for your LDAP server.

The combination of a master server and multiple replicated servers helps to ensure that directory data is always available when needed. If any server fails, the directory service continues to be available from another replicated server. Security Verify Access supports this replication capability.