LDAP Failover

From MsgServerDocWiki


How do I configure LDAP directory server failover?


Introduction

This information applies to Comm-Suite-5 products running on Solaris x86 or SPARC. The paths will vary for Red Hat Linux installations of Comm-Suite-5.

For this example, LDAP directory server access is provided by two multi-master DSEE (Directory Server Enterprise Edition) 6 nodes "ldap1.sun.com" and "ldap2.sun.com" for the suffixes o=comms-config, o=pab, o=PiServerDb, and for the user/group suffix o=sun.

Fail-over vs Load Balancing

These steps configure LDAP directory server fail-over, which is not the same as directory server load-balancing. With fail-over, all LDAP-based queries are sent to the primary server (the first server listed in the configuration options). If the primary server is off-line or otherwise unavailable, all LDAP queries are sent to the secondary server instead.

Load-balancing distributes load across a number of directory servers, usually based on some weighted distribution. Load-balancing usually includes the ability to fail-over traffic from a non-functional server to the remaining active servers.

To achieve load-balancing, you can use the Directory Server Proxy software. This software is provided with the Comm-Suite-5 installer; note, however, that you may not be licensed to use it, so verify this with your Sun Account Manager.

Directory server replication

Directory Server 6 (provided with the Comm-Suite-5 installer) makes the creation of an LDAP replica master much simpler than in the past.

The overview steps are as follows:

1. Install and configure the Directory Server Control Center (DSCC) on the primary LDAP server (ldap1.sun.com).
2. Run the Comm-Suite-5 installer on a second system/zone and install Directory Server 6 (ldap2.sun.com).
3. After installation of the second instance, run the /opt/SUNWcomds/sbin/comm_dssetup.pl command against the second LDAP install (ldap2.sun.com).
4. In the Directory Server Control Center on the primary system, configure access to the second directory server system.
5. Replicate the suffixes o=comms-config, o=pab, o=PiServerDb, and your user/group suffix (o=sun) from ldap1.sun.com to ldap2.sun.com.
6. Promote ldap2.sun.com from replica -> consumer -> master for all of the suffixes in step 5 so that ldap2 can accept modifications.
7. Replicate the suffixes o=comms-config, o=pab, o=PiServerDb, and your user/group suffix (o=sun) from ldap2.sun.com to ldap1.sun.com; multi-master replication is now established.
8. Verify replication by changing a user's password on ldap1.sun.com and confirming the change reaches ldap2.sun.com, and vice versa.
9. Copy the directory server settings from ldap1.sun.com to ldap2.sun.com using the Common Tasks -> Deployment -> "Copy Configuration Settings from One Directory Server to Other Servers" facility in DSCC.

Calendar Server 6.3

Edit /etc/opt/SUNWics5/config/ics.conf

Set the following configuration values:

local.authldaphost="ldap1.sun.com ldap2.sun.com:389"
local.ugldaphost="ldap1.sun.com ldap2.sun.com:389"

Restart Calendar services:

cd /opt/SUNWics5/cal/sbin/
./stop-cal; ./start-cal

Messaging Server 6.3

Set the following configuration values:

cd /opt/SUNWmsgsr/sbin
./configutil -o local.ugldaphost -v "ldap1.sun.com ldap2.sun.com:389"
./configutil -o local.service.pab.ldaphost -v "ldap1.sun.com ldap2.sun.com:389"
./configutil -o local.service.pab.alwaysusedefaulthost -v "yes"
./imsimta cnbuild

Note: local.service.pab.alwaysusedefaulthost is required to override users whose paburi attribute does not list multiple hosts. Without this setting you would need to remove or change that attribute on every existing user who has it set.

Stop and start Messaging Server services

cd /opt/SUNWmsgsr/sbin
./stop-msg; ./start-msg

Messaging Multi-Plexor (optional)

Edit /var/opt/SUNWmsgsr/config/ImapProxyAService.cfg

Set the following configuration values:

default:LdapUrl "ldap://ldap1.sun.com:389 ldap2.sun.com:389/o=internet"

Edit /var/opt/SUNWmsgsr/config/PopProxyAService.cfg

Set the following configuration values:

default:LdapUrl "ldap://ldap1.sun.com:389 ldap2.sun.com:389/o=internet"

Restart the messaging multiplexor software:

cd /opt/SUNWmsgsr/sbin
./stop-msg mmp; ./start-msg mmp

Access Manager

Edit /etc/opt/SUNWam/config/serverconfig.xml

Add a line like this after the 'Server1' line in the name="default" ServerGroup:

<Server name="Server2" host="ldap2.sun.com" port="389" type="SIMPLE" />

Stop and start the web container

1. Log into amconsole (http://<am host>/amconsole) as the "amadmin" user
2. Click on "Service Configuration" tab
3. Click on the triangle next to the "LDAP" Service name
4. Scroll down to "Secondary LDAP Server:" in the right-hand pane
5. Add the server ldap2.sun.com:389, click add, then scroll up and click 'Save'
6. Click on the "Identity Management" tab
7. From the drop-down box in the left-hand menu, select "Services"
8. Click on the triangle next to the "LDAP" Service name
9. Scroll down to "Secondary LDAP Server:" in the right-hand pane
10. Add the server ldap2.sun.com:389, click add, then scroll up and click 'Save'

Note: Please refer to Sun Java System Access Manager 7.1 Deployment Planning Guide for further details regarding multiple directory server configuration.

Communications Express (UWC) - Login

Edit /var/opt/SUNWuwc/WEB-INF/config/uwcauth.properties

Set the following configuration values:

ldapusersession.ldaphost = ldap1.sun.com,ldap2.sun.com:389

Stop and start the web container

Communications Express (UWC) - Addressbook

Edit /var/opt/SUNWuwc/WEB-INF/config/corp-dir/db_config.properties

Set the following configuration values:

defaultserver.ldaphost=ldap1.sun.com,ldap2.sun.com:389

Edit /var/opt/SUNWuwc/WEB-INF/config/ldappstore/db_config.properties

Set the following configuration values:

defaultserver.ldaphost=ldap1.sun.com,ldap2.sun.com:389
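The products above each write the same two servers in a slightly different host-list syntax (space-separated for ics.conf and configutil, comma-separated for the UWC properties files, an ldap:// URL with a base DN for the MMP). The script below is an added example, not part of the original page or of any Sun product: it parses all three forms into an ordered (host, port) list, applies the fail-over rule described earlier (primary first, secondary only if the primary is unreachable), and reports whether a value actually gives fail-over, i.e. lists a secondary and both servers answer on their LDAP port. The default port of 389 for hosts listed without one is an assumption; the probe function is injectable so the check can be exercised without live servers.

```python
import re
import socket

DEFAULT_PORT = 389  # assumption: a host listed without a port is taken to use 389

def parse_ldap_hosts(value):
    """Parse a page-style host list (space- or comma-separated, or an MMP LdapUrl
    with a trailing base DN) into ordered (host, port) pairs."""
    value = value.strip().strip('"')
    if value.startswith("ldap://"):
        value = value[len("ldap://"):].split("/", 1)[0]  # drop "/o=internet"
    hosts = []
    for token in re.split(r"[\s,]+", value):
        if token:
            host, sep, port = token.partition(":")
            hosts.append((host, int(port) if sep else DEFAULT_PORT))
    return hosts

def tcp_reachable(host, port, timeout=3.0):
    """Real probe: can a TCP connection be opened to the LDAP port?"""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def select_server(hosts, probe=tcp_reachable):
    """Fail-over selection as described above: first reachable host in listed order."""
    for host, port in hosts:
        if probe(host, port):
            return (host, port)
    return None

def check_failover_config(value, probe=tcp_reachable):
    """Report whether a config value gives real fail-over: two hosts, both reachable."""
    hosts = parse_ldap_hosts(value)
    reach = {f"{h}:{p}": probe(h, p) for h, p in hosts}
    return {"hosts": hosts, "reachable": reach,
            "has_secondary": len(hosts) >= 2,
            "all_reachable": all(reach.values()),
            "active": select_server(hosts, probe)}

if __name__ == "__main__":
    # constructed sample: the configutil value from the Messaging Server section
    print(check_failover_config('"ldap1.sun.com ldap2.sun.com:389"'))
```

Running it against each value in the sections above, with the primary stopped, should show "active" switching to ldap2.sun.com; a value with "has_secondary" false is one that will not fail over.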

Instant Messaging 7.2

No changes needed if Access Manager is configured for Authentication and Configuration storage.

Note: User and Group lookup functionality will be non-operational whilst the primary LDAP server is unavailable.

If direct LDAP authentication and local storage of configuration is used, then LDAP fail-over support is not available. LDAP fail-over support is scheduled for the next release.

Delegated Administrator 6.4

Delegated Administrator 6.4 does not support LDAP failover.

Applies to: Messaging Server 6.3
Answered by: Nate K., Shane H.
Date initially answered: June 29, 2007
