

LDAP Directory Connection

You can establish a connection to an LDAP directory so CA SiteMinder® Federation Standalone can use it as a user store for authentication.

Follow these steps:

  1. Click the User Directory tab.
  2. Click Connect to LDAP in the User Directory List section.
  3. Configure the settings in each section. Parameters marked by red dots are required.

    Note: Click Help for a description of fields, controls, and their respective requirements.

  4. Click Failover/Load Balancing if you want to set up either of these features.
  5. Click Test Connection to verify that the directory connection is valid.

    You can click View Contents to list the contents of the user directory.

    Note: The View Contents button is displayed only if the Search Root, Start User DN Lookup, End User DN Lookup, and Universal ID Attribute values are set.

  6. Click Save.

    If your settings are valid, you are redirected to the View User Directories dialog.

    The connection to the LDAP directory is configured.

Load Balancing and Failover for LDAP User Directories

CA SiteMinder® Federation Standalone can distribute LDAP user directory requests over multiple LDAP servers for failover and load balancing.

For load balancing, the system evenly spreads requests over the specified LDAP servers. Coupled with failover, load balancing provides faster, more efficient access to LDAP user directory information.

For failover, the system uses one LDAP server to fulfill requests until that server fails to respond. When the default server does not respond, the system routes the request to the next server configured for failover. This process can be repeated over multiple servers. After the default server is able to fulfill requests again, requests go back to the original server.

Follow these steps:

  1. Select the User Directory tab in the UI.
  2. Do one of the following:

    The User Directory dialog opens.

  3. Click Configure Load-balancing or Failover or both in the Configure LDAP User Directory section of the dialog.

    The LDAP Server Load-balancing and Failover table displays.

  4. Enter the IP address and port number, in the form ip_address:port, in the first Failover Node field. Add the addresses of subsequent directory servers in the remaining fields for failover.

    Note: If you are adding a server for failover, the failover directory must use the same type of communication (SSL or non-SSL) as the primary directory. Both directories share the same port number.

    If you only have one entry in the table, then only failover is supported.

  5. To configure another group for load balancing, click Add Row and complete the fields as you did in the previous step.

    You can add the same server multiple times for load balancing, which forces a single system to handle more requests. For example, consider two servers in a group: Server1 and Server2. Server1 is a high-performance server and Server2 is a lesser system. You can add Server1 to the load balancing list twice so that it processes two requests for each request processed by Server2.

Example: Load Balancing and Failover

In this example, a SiteMinder environment contains two user directories, A and B, which must meet the following requirements:

The configuration requires two load balancing groups.

  1. Specify the address for user directory B for the first load balancing group and first failover node.
  2. Add a load balancing group by clicking Add row.
  3. List user directory B as the first server in the new load balancing group.
  4. List user directory A as the second server in the load balancing group.

The result is two load balancing groups, "A B" and "B A", each with one failover server, and the two groups load balance each other. If both directories are available, load balancing occurs between the first directories in each group: A and B. If user directory A becomes unavailable, failover occurs to user directory B. This results in user directory B handling all the requests until user directory A becomes available.
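The following script is an added illustration, not CA SiteMinder code, of the routing behaviour described in the Load Balancing and Failover section and in the example above: each row of the Load-balancing and Failover table is a group, requests are spread evenly over the groups, within a group the primary server handles requests until it stops responding and the next failover node takes over, and requests return to the primary as soon as it responds again. It also applies the note that failover nodes share the primary's port, and the weighting trick of listing one server in more than one group. The Node, Router and distribute names, the server addresses, and the set of responding servers are all constructed for the example; how the product itself detects a non-responding server is not covered here.

```python
"""Simulation of LDAP load balancing and failover semantics (added example,
not product code). Addresses and the `responding` sets are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Set


@dataclass(frozen=True)
class Node:
    """One directory server, as entered in a Failover Node field."""
    host: str
    port: int


def parse_node(entry: str) -> Node:
    """Parse a Failover Node field value of the form ip_address:port."""
    host, sep, port_text = entry.rpartition(":")
    if not sep or not host or not port_text.isdigit():
        raise ValueError(f"expected ip_address:port, got {entry!r}")
    port = int(port_text)
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range in {entry!r}")
    return Node(host, port)


def parse_group(entries: List[str]) -> List[Node]:
    """Parse one table row: the primary server followed by its failover nodes.

    The page notes that a failover directory shares the primary's port
    (and its SSL/non-SSL setting), so mixed ports are rejected here."""
    nodes = [parse_node(e) for e in entries]
    if not nodes:
        raise ValueError("a load balancing group needs at least one node")
    ports = {n.port for n in nodes}
    if len(ports) != 1:
        raise ValueError(f"failover nodes must share the primary's port, got {sorted(ports)}")
    return nodes


class Router:
    """Round-robin over groups; first responding node inside the chosen group."""

    def __init__(self, groups: List[List[Node]]):
        if not groups:
            raise ValueError("at least one group is required")
        self.groups = groups
        self._next_group = 0

    def route(self, responding: Set[Node]) -> Node:
        """Pick the server for one request.

        `responding` is the set of servers currently answering; because it is
        consulted on every request, a recovered primary immediately takes its
        requests back. If a whole group is down, the next group is tried
        (an assumption of this simulation, not a documented product behaviour)."""
        count = len(self.groups)
        start = self._next_group
        self._next_group = (start + 1) % count
        for offset in range(count):
            group = self.groups[(start + offset) % count]
            for node in group:  # primary first, then failover nodes in order
                if node in responding:
                    return node
        raise RuntimeError("no configured LDAP server is responding")


def distribute(groups: List[List[Node]], n_requests: int,
               responding: Set[Node]) -> Dict[Node, int]:
    """Route n_requests and return how many each server handled."""
    router = Router(groups)
    counts: Dict[Node, int] = {}
    for _ in range(n_requests):
        node = router.route(responding)
        counts[node] = counts.get(node, 0) + 1
    return counts


if __name__ == "__main__":
    # The page's example: groups "A B" and "B A" (constructed addresses).
    a, b = Node("10.0.0.1", 389), Node("10.0.0.2", 389)
    groups = [parse_group(["10.0.0.1:389", "10.0.0.2:389"]),
              parse_group(["10.0.0.2:389", "10.0.0.1:389"])]
    print("both up:  ", distribute(groups, 6, {a, b}))
    print("A down:   ", distribute(groups, 6, {b}))
    # Weighting: Server1 listed in two groups handles two requests per Server2 request.
    s1, s2 = Node("10.0.0.11", 389), Node("10.0.0.12", 389)
    print("weighted: ", distribute([[s1], [s1], [s2]], 6, {s1, s2}))
```

Running the script shows the two cases spelled out in the example text: with both directories up the six requests split 3/3 between A and B, and with A down all six go to B. The mixed-port check in parse_group is the place to catch the SSL/non-SSL mismatch the note warns about before the configuration is saved.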