Previous Topic: Configure an Oracle User Directory Connection Over SSLNext Topic: Configure ODBC Data Source Failover

Policy Server GuidesPolicy Server Configuration GuideUser DirectoriesLDAP Load Balancing and Failover

LDAP Load Balancing and Failover

To enable failover and load balancing, the Policy Server can spread LDAP queries over multiple LDAP servers. The Policy Server uses one LDAP server to fulfill requests until that server fails to respond. When the default server does not respond, the Policy Server routes the request to the next server specified for failover. This process can be repeated over multiple servers. Once the default server is able to fulfill requests again, the Policy Server routes requests to the original server.

If configured for load balancing, the Policy Server spreads requests over the specified LDAP servers. Load balancing provides faster, more efficient access to LDAP user directory information, with the added benefit of redundancy in the event of a server failure.

Port Number Considerations

You can assign ports to individual LDAP servers and failover groups, or let the Policy Server use the default port numbers for LDAP servers.

The following guidelines apply when specifying port numbers:

If

Then

Any server in a failover group other than the last server contains a port number

The Policy Server assumes that servers in the group that do not have a specific port are using a default port. The default for SSL is 636. The default for non-SSL is 389.

For example, a failover group of servers includes the following:

123.123.12.12:350 123.123.34.34

The first server in the failover group includes port 350. Communication with that server takes place on port 350.

If the first server fails, the Policy Server communicates with the second server using the default port 389 because no port was specified for the second server in the failover group.

Configure Failover

You configure failover to provide for redundancy.Because both directories share the same port number, the failover directory uses the same type of communication (SSL or non-SSL) as the primary directory.

Follow these steps:

  1. Click Configure on the Directory Setup group box on the User Directory pane.
  2. Click Add Failover
  3. Enter the host name and port of the server to which the Policy Server should failover.

    Note: When you do not specify a port number, the Policy Server uses the default port. The default port for SSL is 636. The default port for non-SSL is 389.

  4. Repeat steps two and three to define additional failover servers.

    Note: When you specify a port for the last server and do not specify a port for any other servers in the group, the Policy Server uses the specified port for every server in the group.

  5. Click OK.
Configure Load Balancing

You configure load balancing to have the Policy Server distribute requests evenly across LDAP servers.

Follow these steps:

  1. Click Configure in the Directory Setup group box.
  2. Click Add Load Balancing.
  3. Enter the host name and port of the server to which the Policy Server should load balance.
  4. Repeat steps two and three to define additional load balancing servers.
  5. Click OK.

    The User Directory pane opens. The Server field lists the servers designated for load balancing. A comma (,) separates each server designated for load balancing.

Configure Load Balancing and Failover

To spread requests over multiple servers and provide redundancy, you configure load balancing and failover.

Follow these steps:

  1. Click Configure in the Directory Setup group box.
  2. Enter the host name and port of the Policy Server that is designated for failover.

    When you do not specify a port number, the Policy Server uses the default port. The default port for SSL is 636. The default port for non-SSL is 389.

  3. Repeat steps two and three to define other failover servers.

    When you specify a port for the last server, and you do not specify other ports, the Policy Server uses the specified port for the other servers

  4. Click Add Load Balancing.

    A new Failover Group opens.

  5. Enter the host name and port of the Policy Server that is designated for load balancing.

    Note: You can add the same server multiple times for load balancing, which forces more requests to a specific system. For example, consider two servers in a group: Server1 and Server2. Server1 is a high-performance server and Server2 is a lesser system. You can add Server1 to the load balancing list twice so that it processes two requests for each request that Server2 processes.

  6. Repeat steps five and six to define other load balancing servers.
  7. Click OK.

    The User Directory pane opens. The Server fields lists the servers that are designated for failover and load balancing. A space separates each server that is designated for failover. A comma (,) separates each server that is designated for load balancing.

Use Case - Load Balancing and Failover

In this example, a CA SiteMinder® environment contains two user directories, A and B, which must meet the following requirements:

Spaces represent failover and commas represent load balancing The requirement is written as:

A B, B A

Solution:

The configuration requires two failover groups.

  1. Add user directory B to the first failover group.

    The current configuration is A B.

  2. Add a load balancing group.

    Note: Load balancing groups open as new failover groups.

  3. List user directory B as the first server in the load balancing group.

    The current configuration is A B, B.

  4. List user directory A as the second server in the load balancing group.

The result is two failover groups: "A B" and "B A", which load balance each other. If both directories are available, load balancing occurs between the first directories in each failover group: A and B. If user directory A becomes unavailable, failover occurs to user directory B. This action results in user directory B handling all of the requests until user directory A becomes available.