000013578 - AxM - How to set ldap.conf for complete ldap failure

Document created by RSA Customer Support Employee on Jun 14, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.


Article Number: 000013578
Applies To: RSA Access Manager (aka ClearTrust) Server 6.0.x; LDAP datastores used in failover mode
Issue: AxM - How to set ldap.conf for complete LDAP failure
When a catastrophic total LDAP failure has occurred and all directory servers are down, ClearTrust (CT) waits the full time specified by disableservertime before reconnecting, even if one or more directory servers become available again before that period expires.
Resolution

In an extreme situation where all configured failover data stores have been disabled during the processing of a command (e.g. due to connection-related problems), ClearTrust can be configured to re-enable all the data stores and then try processing the command again. If this feature is desired, add this entry to your ldap.conf file and set the value to true:

cleartrust.data.ldap.reenable_all_after_last_failover :true

This parameter was introduced in ClearTrust 5.5.3 Hotfix 5.5.3.102 (released in 2006) and is also available in Access Manager 6.0.2. Contact Customer Support to request the latest hotfix for 5.5.3, noting that all hotfixes are cumulative.

Notes
From the readme for hotfix 5.5.3.102:

LDAP data store failover has been improved and made more
reliable.  Other improvements addressed in this hotfix include:

   - Read and write-specific command timeout values can be
     configured to override the configured .defaulttimeout
     value.  As part of this, timeout errors on write commands
     now can initiate failover. If desired, please add these
     entries to your ldap.conf file:

    # Sets a timeout value specific to data store write operations
    # (add, modify, delete). If this is unspecified then the value
    # specified by .defaulttimeout will be used.
    #
    # Allowed Values:
    #   Any positive integer that represents a number of milliseconds.
    #
    # Default Value:
    #   Same value as .defaulttimeout
    #
    cleartrust.data.ldap.directory.iplanet.connection.write_timeout :15000

    # Sets a timeout value specific to data store read operations
    # (authenticate, compare, read, search). If this is unspecified
    # then the value specified by .defaulttimeout will be used.
    #
    # Allowed Values:
    #   Any positive integer that represents a number of milliseconds.
    #
    # Default Value:
    #   Same value as .defaulttimeout
    #
    cleartrust.data.ldap.directory.iplanet.connection.read_timeout  :15000

   - In the extreme situation where all configured failover data stores have
     been disabled during the processing of a command (e.g. due to connection
     related problems), ClearTrust can be configured to reenable all the
     data stores and try the command again.  If this feature is desired
     please add this entry to your ldap.conf file and set the value to true:

    # ClearTrust normally throws an exception when all configured data
    # stores have been disabled and there are no more data stores to
    # failover to. Setting this parameter to true causes ClearTrust
    # to reenable all the datastores before their configured .disableServertime
    # period has expired.  The pending command will be tried again
    # against the data stores which had not been tried during the first
    # iteration. This ensures all data stores have been tried at least
    # (and at most) one time before giving up completely. This might be
    # useful in a dynamic directory environment where a data store could
    # become available again shortly after it was disabled. Setting this
    # to true could have a negative effect on performance as ClearTrust
    # tries the command against directories that in fact have not become
    # available again.
    #
    # Allowed Values:
    #   true | false
    #
    # Default Value:
    #   false
    #
    # Dependencies:
    #   This parameter is only used when failover has been configured.
    #
    cleartrust.data.ldap.reenable_all_after_last_failover :false

   - Improved logging of failover events, including which data store
     is being disabled, which data store is being failed over to, which
     LDAP command initiated the failure and the LDAP error that was
     returned.

   - The data store connection pool "keep alive" task has been improved
     so that all the connections to a directory are not locked up while
     the task runs.
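The readme comment above describes the retry policy in words; the following is an added example (written for this article, not ClearTrust code) that models that policy so the two settings can be compared on a constructed outage timeline. Store names, the `up_at` availability functions, the 600-second disableservertime and the `search` command are all constructed values; what happens to stores that failed in the first iteration after the early re-enable is not specified by the readme, and this model simply leaves them re-enabled.

```python
# Added example, not ClearTrust code: a model of the LDAP failover policy the
# hotfix readme describes, comparing behaviour with and without
# cleartrust.data.ldap.reenable_all_after_last_failover.
from dataclasses import dataclass, field
from typing import Callable, List, Set


class AllDataStoresDisabled(Exception):
    """No configured data store is left to fail over to (the exception the readme mentions)."""


@dataclass
class DataStore:
    name: str
    # Constructed stand-in for a real directory: returns True when the store is up at time t.
    up_at: Callable[[float], bool]
    disabled_until: float = 0.0  # models the per-store .disableServertime bookkeeping

    def is_disabled(self, now: float) -> bool:
        return now < self.disabled_until


@dataclass
class FailoverPool:
    stores: List[DataStore]
    disable_server_time: float              # seconds a failed store stays disabled
    reenable_all_after_last_failover: bool  # the parameter this article adds to ldap.conf
    log: List[str] = field(default_factory=list)

    def _attempt(self, store: DataStore, command: str, now: float) -> bool:
        if store.up_at(now):
            self.log.append(f"t={now:g} {command}: succeeded on {store.name}")
            return True
        store.disabled_until = now + self.disable_server_time
        self.log.append(f"t={now:g} {command}: {store.name} failed, "
                        f"disabled until t={store.disabled_until:g}")
        return False

    def run(self, command: str, now: float) -> str:
        """Return the name of the store that served the command, or raise AllDataStoresDisabled."""
        tried: Set[str] = set()
        # First iteration: walk the failover list, skipping stores still inside their disable window.
        for store in self.stores:
            if store.is_disabled(now):
                continue
            tried.add(store.name)
            if self._attempt(store, command, now):
                return store.name
        if not self.reenable_all_after_last_failover:
            # Default (false): give up; disabled stores stay out until disableservertime expires.
            raise AllDataStoresDisabled(command)
        # true: clear every disable window early and retry the pending command only against
        # the stores skipped in the first iteration, so each store is tried at least once and
        # at most once before giving up completely.
        self.log.append(f"t={now:g} {command}: all stores disabled, reenabling all")
        for store in self.stores:
            store.disabled_until = 0.0  # assumption: first-iteration failures stay re-enabled
        for store in self.stores:
            if store.name in tried:
                continue
            if self._attempt(store, command, now):
                return store.name
        raise AllDataStoresDisabled(command)


def scenario(reenable: bool) -> List[str]:
    """Constructed timeline: A is down until t=5, B is down throughout, C goes down at t=5."""
    pool = FailoverPool(
        stores=[
            DataStore("ldap-A", up_at=lambda t: t >= 5),
            DataStore("ldap-B", up_at=lambda t: False),
            DataStore("ldap-C", up_at=lambda t: t < 5),
        ],
        disable_server_time=600,  # illustrative ten-minute disableservertime
        reenable_all_after_last_failover=reenable,
    )
    results = []
    for now in (0, 10):  # two commands: one during the first outage, one after A recovers
        try:
            results.append(pool.run("search", now))
        except AllDataStoresDisabled:
            results.append("all-disabled")
    return results


if __name__ == "__main__":
    for flag in (False, True):
        print(f"reenable_all_after_last_failover={str(flag).lower()}: {scenario(flag)}")
```

With the default `false`, the second command fails even though ldap-A has been back since t=5, because A and B are still inside the disable window opened at t=0; this is the waiting behaviour the Issue section describes. With `true`, the pool clears the windows and serves the command from ldap-A, at the cost of extra attempts against directories that may in fact still be down, which is the performance caveat in the readme.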

Reference solution note a41215 which further discusses the disableservertime setting.
Legacy Article ID: a41220
