Use the LDAP context–sensitive storage controls to point CA SiteMinder® to an LDAP directory server that is configured as:
Consider the following items:
To configure an LDAP database
Note: You can specify multiple servers in this field to allow for LDAP server failover.
Note: If you select this option, you must specify a certificate database in the Netscape Certificate Database File field.
If you have multiple LDAP directories, you can configure directories for failover. To enable failover, enter LDAP server IP addresses and port numbers in the LDAP Server field as a space-delimited list of LDAP server addresses. You can specify a unique port for each server. If your LDAP servers are running on a non-standard port (389 for non SSL/ 636 for SSL), append the port number to the last server IP address using a ‘:’ as a delimiter. For example, if your servers are running on ports 511 and 512, you can enter the following:
123.123.12.11:511 123.123.12.22:512
If the LDAP server 123.123.12.11 on port 511 did not respond to a request, the request is automatically passed to 123.123.12.22 on port 512.
If all of your LDAP servers are running on the same port, you can append the port number to the last server in the sequence. For example, if all of your servers are running on port 511, you can enter the following:
123.123.12.11 123.123.12.22:511
Enhancements have been made to CA SiteMinder®’s LDAP referral handling to improve performance and redundancy. Previous versions of CA SiteMinder® supported automatic LDAP referral handling through the LDAP SDK layer. When an LDAP referral occurred, the LDAP SDK layer handled the execution of the request on the referred server without any interaction with the Policy Server.
CA SiteMinder® now includes support for non-automatic (enhanced) LDAP referral handling. With non-automatic referral handling, an LDAP referral is returned to the Policy Server rather than the LDAP SDK layer. The referral contains all of the information necessary to process the referral. The Policy Server can detect whether the LDAP directory specified in the referral is operational, and can terminate a request if the appropriate LDAP directory is not functioning. This feature addresses performance issues that arise when an LDAP referral to an offline system causes a constant increase in request latency. Such an increase can cause CA SiteMinder® to become saturated with requests.
To configure LDAP referral handling
Important! If you are accessing this graphical user interface on Windows Server 2008, open the shortcut with Administrator permissions. Use Administrator permissions even if you are logged in to the system as an Administrator. For more information, see the release notes for your CA SiteMinder® component.
Mark this check box to allow the Policy Server to use enhanced handling LDAP referrals at the Policy Server, rather than allowing LDAP referral handling by the LDAP SDK layer.
Indicates the maximum number of consecutive referrals that will be allowed while attempting to resolve the original request. Since a referral can point to a location that requires additional referrals, this limit is helpful when replication is misconfigured, causing referral loops.
Large LDAP policy stores can cause Administrative UI performance issues.
To prevent these problems, you can modify the values of the following registry settings:
Specifies the Administrative UI buffer size (the maximum amount of data [bytes] that is passed from the Policy Server to the Administrative UI in one packet).
Configure this setting at the following registry location:
HKEY_LOCAL_MACHINE\SOFTWARE\Netegrity\SiteMinder\CurrentVersion \PolicyServ\
We recommend using caution when setting this value. Allocation of a larger buffer decreases overall performance.
Range: 256 KB to 2,097,000 KB
Default: 256 KB (also applies when this registry setting does not exist).
Specifies the search timeout, in seconds, for LDAP policy stores.
Configure this setting at the following registry location:
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Netegrity\SiteMinder\CurrentVersion \LdapPolicyStore\SearchTimeout
Examples of factors which influence the appropriate value for this setting include (but are not limited to) the following items:
A large enough value prevents any LDAP timeouts when fetching large amounts of policy store data.
Limit: Use hexadecimal numbers.
Default: 0x14 (20 seconds). This value is also used when the registry setting does not exist.
Example: 0x78 (120 seconds)
Copyright © 2014 CA.
All rights reserved.
|
|