Applies To
- RSA ClearTrust 5.5.3 Data Adapter Active Directory
- connection.disableservertime is set to a low value, like 30000

Issue
- Very slow failover from primary RSA ClearTrust LDAP datastore to backup datastore
- Machine with primary LDAP datastore fails (powered off)
- Users cannot authenticate
Resolution
If a primary datastore fails completely (the machine is powered off, so TCP connections are NOT being refused with an RST response), the failover time to the secondary datastore might be quite long. The LDAP failover time can be explained with the following formula:

(defaulttimeout (ms) * retrycount) * number_of_connections_open_to_the_datastore

The defaulttimeout and retrycount can be configured in ldap.conf (see below). The maximum number of open connections to the datastore can be configured there as well.

The amount of time a failover takes depends heavily on the number of connections open to the datastore: the higher the number, the longer the failover will take.

Knowing that, it is possible to tune ldap.conf so that the maximum number of open connections does not grow too large. At the same time, set the defaulttimeout value to something lower, so that ClearTrust (CT) does not wait too long for an answer from the LDAP server.

In addition, in the agent configuration file, make sure that cleartrust.agent.auth_server_timeout is set to something higher than the maximum failover time. Depending on your environment, this value should be set to a couple of minutes at the very least.

Here are a couple of values that may be used to reduce the failover time.

It is possible to obtain a failover time of about 40 + 40 seconds with the values above. Note that you will have to adapt those values to your environment. Also, make sure the value of the following:

is set to at least ten minutes. Otherwise the failover algorithm will try to re-establish the connection to the primary datastore too often, leading to further delays.
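The following is an added example, written for this page and not RSA's own code, that applies the failover formula above and checks the two timing rules the resolution states: the agent's cleartrust.agent.auth_server_timeout must exceed the worst-case failover time (and be at least a couple of minutes), and the reconnect setting must be at least ten minutes. The ldap.conf key names (defaulttimeout, retrycount, maxconnections), the parameter name primary_retry_interval_ms for the setting whose name is not preserved on this page, the millisecond unit for the agent timeout, and all sample values are assumptions.

```python
# Added example (not RSA's code): estimate the worst-case LDAP failover time
# from the article's formula and check the timing constraints it recommends.
# Key names, the millisecond unit of the agent timeout and the sample values
# below are assumptions, not values taken from the article.

TEN_MINUTES_MS = 10 * 60 * 1000
TWO_MINUTES_MS = 2 * 60 * 1000


def failover_time_ms(defaulttimeout_ms: int, retrycount: int, open_connections: int) -> int:
    """Worst-case time before ClearTrust gives up on a dead primary datastore:
    (defaulttimeout * retrycount) * number of connections open to the datastore.
    Every open connection has to time out and exhaust its retries, which is why
    the connection count multiplies the per-connection cost."""
    for name, value in (("defaulttimeout_ms", defaulttimeout_ms),
                        ("retrycount", retrycount),
                        ("open_connections", open_connections)):
        if value <= 0:
            raise ValueError(f"{name} must be positive, got {value}")
    return defaulttimeout_ms * retrycount * open_connections


def check_settings(ldap_conf: dict, agent_auth_server_timeout_ms: int,
                   primary_retry_interval_ms: int) -> list:
    """Return a list of findings; an empty list means the values satisfy the
    article's guidance.

    ldap_conf keys 'defaulttimeout', 'retrycount' and 'maxconnections' are
    assumed names for the ldap.conf settings the article mentions.
    primary_retry_interval_ms is a hypothetical name for the setting the
    article says must be at least ten minutes.
    """
    findings = []
    worst_case = failover_time_ms(ldap_conf["defaulttimeout"],
                                  ldap_conf["retrycount"],
                                  ldap_conf["maxconnections"])
    # Rule 1: the agent must wait longer than the worst-case failover,
    # otherwise it gives up on the authorization server before failover completes.
    if agent_auth_server_timeout_ms <= worst_case:
        findings.append(
            f"cleartrust.agent.auth_server_timeout ({agent_auth_server_timeout_ms} ms) "
            f"must exceed the worst-case failover time ({worst_case} ms)")
    # Rule 2: the article recommends a couple of minutes at the very least.
    if agent_auth_server_timeout_ms < TWO_MINUTES_MS:
        findings.append("cleartrust.agent.auth_server_timeout should be at least "
                        "a couple of minutes")
    # Rule 3: retrying the dead primary too often adds further delays.
    if primary_retry_interval_ms < TEN_MINUTES_MS:
        findings.append(f"primary reconnect interval ({primary_retry_interval_ms} ms) "
                        f"should be at least ten minutes ({TEN_MINUTES_MS} ms)")
    return findings


if __name__ == "__main__":
    # Constructed sample values (not the article's): a loose configuration with
    # 30 s timeouts, 3 retries and 10 pooled connections versus a tuned one.
    loose = {"defaulttimeout": 30_000, "retrycount": 3, "maxconnections": 10}
    tuned = {"defaulttimeout": 10_000, "retrycount": 2, "maxconnections": 2}
    for label, conf in (("loose", loose), ("tuned", tuned)):
        secs = failover_time_ms(conf["defaulttimeout"], conf["retrycount"],
                                conf["maxconnections"]) / 1000
        print(f"{label}: worst-case failover about {secs:.0f} s")
    for finding in check_settings(loose, 30_000, 30_000):
        print("loose config finding:", finding)
    print("tuned config findings:", check_settings(tuned, 180_000, 600_000))
```

The point of the check is the multiplication: cutting defaulttimeout alone helps little if the connection pool is allowed to grow, because each pooled connection pays the full timeout-times-retries cost before ClearTrust moves to the backup datastore.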
Legacy Article ID: a26826