LDAP Stores Failover
Article ID: 49848

Products

CA Single Sign On Secure Proxy Server (SiteMinder)
CA Single Sign On SOA Security Manager (SiteMinder)
CA Single Sign-On

Issue/Introduction

How does the failover functionality on the Policy Server work for LDAP stores?


Environment

Policy Server all versions


Resolution

Failover

The Connection Manager maintains the status of the directory instances using a dedicated "Ping Server" thread. The Ping Server thread checks the health status of each directory every 30 seconds. It validates the connection by running an LDAP search with the search filter objectclass=*.

With each search, the Ping Server thread waits a default maximum of ten (10) seconds.

You can configure this in the User Directory Definition, which has a Max Time setting. By default the value of Max Time is 30, and this defines how long the Policy Server should wait for a response from the directory server.

If the Ping Server search fails or times out, the Connection Manager connection, the other Dir connection and the User connection are all considered failed. The directory instance is then considered bad, its connections are removed from the list of available connections, and the Policy Server fails over to the next Policy Store.

If a Thread Pool thread detects a failure on the Dir or User connection it is using, the Dir and User connections are made unavailable. The Policy Server process then immediately runs the Ping Server on the given bank or directory as described above. If the Ping Server finds the instance responsive, the failed Dir and User connections are replaced. If the Ping Server confirms that the directory instance has failed or is unreachable, that directory instance and any other failed instance in the bank or directory is marked bad.


Failback

The Ping thread keeps checking the health of the LDAP servers every 30 seconds, and when it detects that the LDAP server is up again the Policy Server fails back to the primary LDAP server.

(Note: There is no load-balancing capability for LDAP Policy Stores, but you can configure LDAP User Stores for load balancing.)

For LDAP Policy Stores, if you have two entries in the Policy Store tab, the Policy Server will use only one. If it fails, the other entry is used, and the Policy Server fails back as soon as the first one is back up.

For each entry there is one bank, and each bank has a user, dir and ping search connection.

The dir connection will be used to update the Policy Store. This connection is for both LDAP search and LDAP update.
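The following Python model, added here as an illustration and not SiteMinder's own code, walks through the failover and failback sequence described above: one bank per Policy Store entry with user, dir and ping connections, a Ping Server pass every 30 seconds with a 10 second wait per search, immediate re-ping when a Thread Pool thread reports a failed connection, and failback to the first entry as soon as its ping succeeds again. The health probe is injected as a function (constructed latencies instead of a real LDAP server) so the model runs offline. The ping_search_command helper builds an OpenLDAP ldapsearch command line for reproducing the probe by hand; its base scope and empty base DN are assumptions, since the article only states the filter and the wait time.

```python
"""Model of the Policy Server's LDAP store failover/failback behaviour as this
article describes it. Added example, not SiteMinder code; the health probe is
injected so the model runs offline."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

PING_INTERVAL_SECONDS = 30              # article: Ping Server checks each directory every 30 s
PING_TIMEOUT_SECONDS = 10               # article: default maximum wait per ping search
PING_SEARCH_FILTER = "(objectclass=*)"  # article: filter used by the ping search

# Probe: returns the search's elapsed seconds, or None when the search fails.
# Constructed abstraction of the LDAP search the real thread performs.
PingFn = Callable[[str], Optional[float]]


def ping_search_command(host: str, port: int = 389) -> List[str]:
    """OpenLDAP ldapsearch argv that reproduces the ping search manually.
    Base scope and an empty base DN (root DSE) are assumptions; the article
    states only the filter and the 10 s wait (-l is the search time limit)."""
    return ["ldapsearch", "-x", "-H", f"ldap://{host}:{port}", "-b", "", "-s", "base",
            "-l", str(PING_TIMEOUT_SECONDS), PING_SEARCH_FILTER]


@dataclass
class Bank:
    """One Policy Store entry = one bank with a user, dir and ping connection."""
    host: str
    available: bool = True
    connections: Dict[str, bool] = field(
        default_factory=lambda: {"user": True, "dir": True, "ping": True})

    def mark_bad(self) -> None:
        # Ping failed or timed out: every connection in the bank is considered failed
        self.available = False
        for name in self.connections:
            self.connections[name] = False

    def mark_good(self) -> None:
        # Ping succeeded: failed connections are replaced with fresh ones
        self.available = True
        for name in self.connections:
            self.connections[name] = True


class ConnectionManager:
    def __init__(self, hosts: List[str], ping: PingFn) -> None:
        self.banks = [Bank(h) for h in hosts]   # configured order = priority order
        self.ping = ping

    def _bank(self, host: str) -> Bank:
        return next(b for b in self.banks if b.host == host)

    def ping_bank(self, bank: Bank) -> bool:
        """One Ping Server probe: the search must succeed within PING_TIMEOUT_SECONDS."""
        elapsed = self.ping(bank.host)
        healthy = elapsed is not None and elapsed <= PING_TIMEOUT_SECONDS
        bank.mark_good() if healthy else bank.mark_bad()
        return healthy

    def ping_cycle(self) -> Optional[str]:
        """What the Ping Server thread does every PING_INTERVAL_SECONDS."""
        for bank in self.banks:
            self.ping_bank(bank)
        return self.active_host()

    def active_host(self) -> Optional[str]:
        """No load balancing for Policy Stores: the first available entry is used,
        so a recovered primary is picked up again as soon as its ping succeeds."""
        for bank in self.banks:
            if bank.available:
                return bank.host
        return None

    def report_connection_failure(self, host: str, conn: str) -> Optional[str]:
        """A Thread Pool thread saw its dir/user connection fail: the connection is
        made unavailable and the Ping Server runs on that bank immediately."""
        bank = self._bank(host)
        bank.connections[conn] = False
        self.ping_bank(bank)   # responsive: connections replaced; otherwise bank marked bad
        return self.active_host()


def run_scenario() -> List[Optional[str]]:
    """Constructed timeline: the primary slows past the timeout, then recovers."""
    latency: Dict[str, Optional[float]] = {"ldap-primary": 0.2, "ldap-secondary": 0.3}
    cm = ConnectionManager(["ldap-primary", "ldap-secondary"], lambda h: latency[h])
    timeline = [cm.ping_cycle()]                  # both healthy -> primary
    latency["ldap-primary"] = 12.0                # exceeds the 10 s wait
    timeline.append(cm.ping_cycle())              # failover -> secondary
    timeline.append(cm.ping_cycle())              # still down -> secondary
    latency["ldap-primary"] = 0.2                 # primary answers again
    timeline.append(cm.ping_cycle())              # failback -> primary
    timeline.append(cm.report_connection_failure("ldap-primary", "dir"))   # responsive -> stays
    latency["ldap-primary"] = None                # search now fails outright
    timeline.append(cm.report_connection_failure("ldap-primary", "user"))  # -> secondary
    return timeline


if __name__ == "__main__":
    print(" ".join(ping_search_command("ldap-primary")))
    for step, host in enumerate(run_scenario(), 1):
        print(f"cycle {step}: active store = {host}")
```

Running the module prints the manual ldapsearch probe and the active store after each step; the timeline shows the secondary being used only while the primary's ping fails or exceeds the wait, and the primary being selected again on the very next successful ping, which is the failback behaviour the article describes.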