LDAP failover configuration
LDAP failover configuration uses the Lightweight Directory Access Protocol (LDAP), a standard method for accessing and updating information in a directory.
Directories are accessed with the client/server model of communication. Any server that implements LDAP is an LDAP server. The LDAP distributed architecture supports scalable directory services with server replication capabilities. Server replication improves the availability of a directory service.
Security Directory Server replication is based on a master-subordinate model. Sun Java™ System Directory Server replication is based on a supplier/consumer model, which Security Verify Access still treats as a master-subordinate or peer-to-peer relationship.
Security Verify Access treats each AD LDS instance in a configuration set as a replica. The Access Manager directory partition that contains the secAuthorityInfo subtree must be replicated to each of the AD LDS instances in the configuration set. The default replication schedule for AD LDS is one time per hour. This schedule can be changed, but the most frequent rate at which AD LDS replicates is four times an hour. Updates to one instance in a configuration set are not propagated for at least 15 minutes. Therefore, when Security Verify Access is used with AD LDS, configure one instance in the configuration set to have a higher read/write preference than all other instances. This way, updates are directed to the AD LDS instance with the highest preference. No other instances are used as failover unless the preferred instance is down.
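The following simplified model is an added example, not Security Verify Access code. It shows why a single highest-preference instance keeps reads consistent with writes, and why a failover inside the 15-minute replication window can return stale data. The instance names, the entry key, and the numeric preference scale (higher wins) are assumptions.

```python
from dataclasses import dataclass, field

REPLICATION_INTERVAL_MIN = 15  # fastest AD LDS schedule per the text: four times an hour

@dataclass
class Instance:
    name: str          # constructed instance name
    preference: int    # assumed scale: higher value wins
    up: bool = True
    data: dict = field(default_factory=dict)  # key -> (value, minute written)

def pick_instance(instances):
    """Highest-preference live instance; the others serve only as failover."""
    live = [i for i in instances if i.up]
    if not live:
        raise RuntimeError("no directory instance available")
    return max(live, key=lambda i: i.preference)

def write(instances, key, value, now):
    target = pick_instance(instances)
    target.data[key] = (value, now)
    return target.name

def read(instances, key):
    inst = pick_instance(instances)
    return inst.name, inst.data.get(key, (None, None))[0]

def replicate(instances, now):
    """Propagate updates at least one interval old between live instances."""
    live = [i for i in instances if i.up]
    for src in live:
        for key, (value, ts) in list(src.data.items()):
            if now - ts < REPLICATION_INTERVAL_MIN:
                continue  # too recent: not yet propagated
            for dst in live:
                if dst.data.get(key, (None, -1))[1] < ts:
                    dst.data[key] = (value, ts)

def demo():
    a, b = Instance("adlds-a", 10), Instance("adlds-b", 5)
    pool, out = [a, b], []
    out.append(write(pool, "entry-1", "v2", now=0))  # directed to preferred
    out.append(read(pool, "entry-1"))                # same instance: consistent
    a.up = False
    out.append(read(pool, "entry-1"))                # failover before replication
    a.up = True
    replicate(pool, now=15)
    a.up = False
    out.append(read(pool, "entry-1"))                # failover after replication
    return out

if __name__ == "__main__":
    print(demo())
```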
For a generic LDAP server, the failover configuration depends on the specific LDAP server. The LDAP server recognizes the concept of master-subordinate, and Security Verify Access can use this replication support. For information about whether your LDAP server supports replication in this manner, see the documentation for your LDAP server.
The combination of a master server and multiple replicated servers helps to ensure that directory data is always available when needed. If any server fails, the directory service continues to be available from another replicated server. Security Verify Access supports this replication capability.