The Policy Server can spread LDAP queries over multiple LDAP servers to enable failover and load balancing. If configured for failover, the Policy Server uses one LDAP server to fulfill requests until that server fails to respond. When the default server does not respond, the Policy Server routes the request to the next server specified for failover. This process can be repeated over multiple servers. Once the default server is able to fulfill requests again, the Policy Server routes requests to the original server.
If configured for load balancing, the Policy Server spreads requests over the specified LDAP servers. This distributes requests evenly across LDAP servers. Coupled with failover, load balancing provides faster, more efficient access to LDAP user directory information, with the added benefit of redundancy in the event of a server failure.
You can assign ports to individual LDAP servers and failover groups, or let the Policy Server use the default port numbers for LDAP servers.
The following guidelines apply when specifying port numbers:
| If | Then |
|---|---|
| any server in a failover group other than the last server contains a port number | The Policy Server assumes that servers in the group that do not have a specific port are using a default port. The default for SSL is 636. The default for non-SSL is 389. For example, a failover group of servers includes the following: `123.123.12.12:350 123.123.34.34`. The first server in the failover group includes port 350. Communication with that server takes place on port 350. If the first server fails, the Policy Server communicates with the second server using the default port 389 because no port was specified for the second server in the failover group. |
You configure failover to provide for redundancy if the primary LDAP directory connection becomes unavailable.
Note: If you are adding a server for failover, the failover directory must use the same type of communication (SSL or non-SSL) as the primary directory, since both directories share the same port number.
To configure failover
The Directory Failover and Load Balancing Setup pane opens. The primary user directory opens in the Failover Group.
Note: Click Help for descriptions of settings and controls, including their respective requirements and limits.
Host and Port fields open.
Note: If you do not specify a port number, the Policy Server uses the default port. The default port for SSL is 636. The default port for non-SSL is 389.
Note: If you specify a port for the last server, but do not specify a port for any other servers in the group, the Policy Server uses the specified port for every server in the group.
The User Directory pane opens. The Server field lists the servers designated for failover. A space separates each server designated for failover.
You configure load balancing to have the Policy Server distribute requests evenly across LDAP servers.
To configure load balancing
The Directory Failover and Load Balancing Setup pane opens. The primary user directory opens in the Failover Group.
Note: Click Help for descriptions of settings and controls, including their respective requirements and limits.
A new Failover Group opens.
The User Directory pane opens. The Server field lists the servers designated for load balancing. A comma (,) separates each server designated for load balancing.
You configure load balancing and failover to spread requests over multiple servers, and to provide for redundancy if the primary directory connection becomes unavailable.
To configure load balancing and failover
The Directory Failover and Load Balancing Setup pane opens. The primary user directory opens in the Failover Group.
Note: Click Help for descriptions of settings and controls, including their respective requirements and limits.
Note: If you do not specify a port number, the Policy Server uses the default port. The default port for SSL is 636. The default port for non-SSL is 389.
Note: If you specify a port for the last server, but do not specify a port for any other servers in the group, the Policy Server uses the specified port for every server in the group.
A new Failover Group opens.
Note: You can add the same server multiple times for load balancing, which forces more requests to be serviced by a specific system. For example, consider two servers in a group: Server1 and Server2. Server1 is a high-performance server and Server2 is a lesser system. You can add Server1 to the load balancing list twice so that it will process two requests for each request processed by Server2.
The User Directory pane opens. The Server field lists the servers designated for failover and load balancing. A space separates each server designated for failover. A comma (,) separates each server designated for load balancing.
In this example, a CA SiteMinder® environment contains two user directories, A and B, which must meet the following requirements:
Where spaces represent failover and commas represent load balancing, the requirement is written as:
A B, B A
Solution:
The configuration requires two failover groups.
The current configuration is A B.
Note: Load balancing groups open as new failover groups.
The current configuration is A B, B.
The result is two failover groups: "A B" and "B A", which load balance each other. If both directories are available, load balancing occurs between the first directories in each failover group: A and B. If user directory A becomes unavailable, failover occurs to user directory B. This results in user directory B handling all of the requests until user directory A becomes available.
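The following added example (not CA's code) resolves a Server field string using the rules this page gives: a comma separates load-balancing groups, a space separates failover servers within a group, servers without a port use the default (389 non-SSL, 636 SSL) unless only the last server in a group carries a port, in which case that port applies to every server in the group. It then picks the server each group would route to for a given set of reachable hosts, reproducing the "A B, B A" walkthrough above; the function and type names are this example's own.

```python
DEFAULT_PORT = {False: 389, True: 636}  # non-SSL, SSL defaults from the page


def split_host_port(entry: str):
    """'host:350' -> ('host', 350); 'host' -> ('host', None). IPv4/hostnames only."""
    host, sep, port = entry.rpartition(":")
    if sep and port.isdigit():
        return host, int(port)
    return entry, None


def resolve_group(group: str, ssl: bool = False):
    """One failover group (space-separated) -> [(host, effective_port), ...]."""
    entries = [split_host_port(e) for e in group.split()]
    if not entries:
        return []
    explicit = [i for i, (_, p) in enumerate(entries) if p is not None]
    # Page rule: a port on only the LAST server applies to the whole group.
    if explicit == [len(entries) - 1]:
        last_port = entries[-1][1]
        return [(h, last_port) for h, _ in entries]
    # Otherwise every server without a port falls back to the default port.
    return [(h, p if p is not None else DEFAULT_PORT[ssl]) for h, p in entries]


def parse_server_field(field: str, ssl: bool = False):
    """Comma-separated load-balancing groups, each a failover list."""
    return [resolve_group(g, ssl) for g in field.split(",") if g.strip()]


def route(groups, available):
    """For each load-balancing group, return the first reachable failover server.

    Requests are spread across the returned targets; a group whose servers are
    all unreachable contributes nothing. Listing the same host in several
    groups (as the page's weighting note suggests) yields duplicate targets.
    """
    targets = []
    for group in groups:
        for host, port in group:
            if host in available:
                targets.append((host, port))
                break
    return targets


if __name__ == "__main__":
    groups = parse_server_field("A B, B A")          # page's worked example
    print(route(groups, {"A", "B"}))                 # both up: A and B share load
    print(route(groups, {"B"}))                      # A down: B serves everything
```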
Copyright © 2013 CA.
All rights reserved.