

LDAP Load Balancing and Failover

The Policy Server can spread LDAP queries over multiple LDAP servers to enable failover and load balancing. If configured for failover, the Policy Server uses one LDAP server to fulfill requests until that server fails to respond. When the default server does not respond, the Policy Server routes the request to the next server specified for failover. This process can be repeated over multiple servers. Once the default server is able to fulfill requests again, the Policy Server routes requests to the original server.

If configured for load balancing, the Policy Server spreads requests over the specified LDAP servers. This distributes requests evenly across LDAP servers. Coupled with failover, load balancing provides faster, more efficient access to LDAP user directory information, with the added benefit of redundancy in the event of a server failure.

Port Number Considerations

You can assign ports to individual LDAP servers and failover groups, or let the Policy Server use the default port numbers for LDAP servers.

The following guidelines apply when specifying port numbers:

If any server in a failover group other than the last server contains a port number, then the Policy Server assumes that servers in the group that do not have a specific port are using a default port. The default for SSL is 636. The default for non-SSL is 389.

For example, a failover group of servers includes the following:

123.123.12.12:350 123.123.34.34

The first server in the failover group includes port 350. Communication with that server takes place on port 350.

If the first server fails, the Policy Server communicates with the second server using the default port 389 because no port was specified for the second server in the failover group.

Configure Failover

You configure failover to provide for redundancy if the primary LDAP directory connection becomes unavailable.

Note: If you are adding a server for failover, the failover directory must use the same type of communication (SSL or non-SSL) as the primary directory, since both directories share the same port number.

To configure failover

  1. Click Configure on the Directory Setup group box on the User Directory pane.

    The Directory Failover and Load Balancing Setup pane opens. The primary user directory opens in the Failover Group.

    Note: Click Help for descriptions of settings and controls, including their respective requirements and limits.

  2. Click Add Failover.

    Host and Port fields open.

  3. Enter the host name and port of the server to which the Policy Server should failover.

    Note: If you do not specify a port number, the Policy Server uses the default port. The default port for SSL is 636. The default port for non-SSL is 389.

  4. Repeat steps two and three to define additional failover servers.

    Note: If you specify a port for the last server, but do not specify a port for any other servers in the group, the Policy Server uses the specified port for every server in the group.

  5. Click OK.

    The User Directory pane opens. The Server field lists the servers designated for failover. A space separates each server designated for failover.

Configure Load Balancing

You configure load balancing to have the Policy Server distribute requests evenly across LDAP servers.

To configure load balancing

  1. Click Configure in the Directory Setup group box.

    The Directory Failover and Load Balancing Setup pane opens. The primary user directory opens in the Failover Group.

    Note: Click Help for descriptions of settings and controls, including their respective requirements and limits.

  2. Click Add Load Balancing.

    A new Failover Group opens.

  3. Enter the host name and port of the server to which the Policy Server should load balance.
  4. Repeat steps two and three to define additional load balancing servers.
  5. Click OK.

    The User Directory pane opens. The Server field lists the servers designated for load balancing. A comma (,) separates each server designated for load balancing.

Configure Load Balancing and Failover

You configure load balancing and failover to spread requests over multiple servers, and to provide for redundancy if the primary directory connection becomes unavailable.

To configure load balancing and failover

  1. Click Configure in the Directory Setup group box.

    The Directory Failover and Load Balancing Setup pane opens. The primary user directory opens in the Failover Group.

    Note: Click Help for descriptions of settings and controls, including their respective requirements and limits.

  2. Enter the host name and port of the server to which the Policy Server should failover.

    Note: If you do not specify a port number, the Policy Server uses the default port. The default port for SSL is 636. The default port for non-SSL is 389.

  3. Repeat step two to define additional failover servers.

    Note: If you specify a port for the last server, but do not specify a port for any other servers in the group, the Policy Server uses the specified port for every server in the group.

  4. Click Add Load Balancing.

    A new Failover Group opens.

  5. Enter the host name and port of the server to which the Policy Server should load balance.

    Note: You can add the same server multiple times for load balancing, which forces more requests to be serviced by a specific system. For example, consider two servers in a group: Server1 and Server2. Server1 is a high-performance server and Server2 is a lesser system. You can add Server1 to the load balancing list twice so that it will process two requests for each request processed by Server2.

  6. Repeat steps four and five to define additional load balancing servers.
  7. Click OK.

    The User Directory pane opens. The Server field lists the servers designated for failover and load balancing. A space separates each server designated for failover. A comma (,) separates each server designated for load balancing.

Use Case - Load Balancing and Failover

In this example, a CA SiteMinder® environment contains two user directories, A and B, which must meet the following requirements:

Where spaces represent failover and commas represent load balancing, the requirement is written as:

A B, B A

Solution:

The configuration requires two failover groups.

  1. Add user directory B to the first failover group.

    The current configuration is A B.

  2. Add a load balancing group.

    Note: Load balancing groups open as new failover groups.

  3. List user directory B as the first server in the load balancing group.

    The current configuration is A B, B.

  4. List user directory A as the second server in the load balancing group.

The result is two failover groups: "A B" and "B A", which load balance each other. If both directories are available, load balancing occurs between the first directories in each failover group: A and B. If user directory A becomes unavailable, failover occurs to user directory B. This results in user directory B handling all of the requests until user directory A becomes available.
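The following Python script is an added example, not CA SiteMinder code. It models the rules stated in this topic so that a Server field can be checked before it is saved: commas separate load balancing groups, spaces separate failover servers within a group, a missing port falls back to 636 (SSL) or 389 (non-SSL), and a port given only on the last server of a group applies to every server in that group. The `LdapRouter` class and its round-robin routing across the first reachable server of each group are this example's own assumption about how the Policy Server behaves; it reproduces the port example from the guidelines, the weighted "Server1 twice" note, and the "A B, B A" use case above, and it also shows what happens when every server in every group is down.

```python
"""Parse a SiteMinder-style LDAP Server field and simulate request routing.

Added example (not product code). Rules taken from the topic text:
  - ","  separates load balancing groups
  - " "  separates failover servers inside a group
  - no port  -> 636 if SSL, 389 if non-SSL
  - port only on the LAST server of a group -> that port applies to the whole group
Round-robin across groups is an assumption made for the simulation.
"""
from __future__ import annotations

from dataclasses import dataclass

DEFAULT_PORT = {True: 636, False: 389}  # SSL -> 636, non-SSL -> 389


@dataclass(frozen=True)
class Server:
    host: str
    port: int


def parse_server_field(field: str, ssl: bool = False) -> list[list[Server]]:
    """Return load balancing groups, each a failover-ordered list of servers."""
    groups: list[list[Server]] = []
    for raw_group in field.split(","):
        entries = raw_group.split()
        if not entries:
            continue
        parsed: list[tuple[str, int | None]] = []
        for entry in entries:
            # "host:port" form only; bare IPv6 literals are out of scope here.
            host, sep, port = entry.rpartition(":")
            if sep and port.isdigit():
                parsed.append((host, int(port)))
            else:
                parsed.append((entry, None))
        last_port = parsed[-1][1]
        others_have_port = any(p is not None for _, p in parsed[:-1])
        # Page rule: a port on the last server only applies to every server in the group;
        # otherwise servers without a port get the default for the connection type.
        fill = last_port if (last_port is not None and not others_have_port) else DEFAULT_PORT[ssl]
        groups.append([Server(h, p if p is not None else fill) for h, p in parsed])
    return groups


class LdapRouter:
    """Round-robin across groups; inside a group the first reachable server wins (failover)."""

    def __init__(self, groups: list[list[Server]]) -> None:
        self.groups = groups
        self._next = 0

    def pick(self, available: set[str]) -> Server | None:
        for _ in range(len(self.groups)):
            group = self.groups[self._next]
            self._next = (self._next + 1) % len(self.groups)
            for server in group:
                if server.host in available:
                    return server
        return None  # every server in every group is unreachable


def simulate(field: str, available: list[str], requests: int, ssl: bool = False) -> list[str]:
    """Route `requests` queries and report which host:port served each one."""
    router = LdapRouter(parse_server_field(field, ssl))
    served = []
    for _ in range(requests):
        s = router.pick(set(available))
        served.append(f"{s.host}:{s.port}" if s else "none")
    return served


if __name__ == "__main__":
    # Port example from the guidelines: first server explicit, second falls back to 389.
    print(parse_server_field("123.123.12.12:350 123.123.34.34"))
    # Port only on the last server: the whole group uses it.
    print(parse_server_field("ldap1 ldap2:1389"))
    # Use case "A B, B A": both up -> alternate; A down -> B takes everything.
    print(simulate("A B, B A", ["A", "B"], 4))
    print(simulate("A B, B A", ["B"], 3))
    # Weighted load balancing from the note: Server1 listed twice gets 2 of every 3 requests.
    print(simulate("Server1, Server2, Server1", ["Server1", "Server2"], 6))
```

Running the script prints the parsed groups and the routing sequence for each scenario; pass `ssl=True` to see the 636 default applied instead of 389.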