000018323 - LDAP failover does not work in RSA ClearTrust

Document created by RSA Customer Support Employee on Jun 16, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017. Version 2.


Article Number: 000018323
Applies To:
RSA ClearTrust 5.0.1
RSA ClearTrust 5.5
Microsoft Active Directory
iPlanet 5.1 Directory Server
Issue
LDAP failover does not work in RSA ClearTrust
Cause
The default behavior is for the LDAP bind to retry the original primary LDAP server immediately on the next request. Each attempt incurs a delay of several seconds (determined by the cleartrust.data.ldap.directory.<server>.connection.defaulttimeout setting) unless the disableservertime parameter is set.
Resolution
This issue has been resolved in a hot fix for RSA ClearTrust 5.0.1. Contact RSA Security Customer Support to obtain hot fix 5.0.1.9, or request the latest fix level (which is cumulative, and contains fixes from previous fix levels).

NOTE: This issue was resolved in RSA ClearTrust 5.5.1, but the configuration parameter must be added manually to the ldap.conf file.
Ability to Ignore a Failing LDAP Server

Set the parameter:

cleartrust.data.ldap.directory.<name of directory server>.connection.disableservertime

to disable attempts to connect to failing directory servers by RSA ClearTrust for the configured amount of time. This parameter resides in the ldap.conf file.

In earlier versions, if we were unable to establish a connection to an LDAP server after the number of attempts specified by .retrycount, we would fail over to the next LDAP server in the failover group (if configured). However, the next request would again try to use the ailing server; this could result in very lengthy response times. Now if we fail to establish a connection and are in "soft" failure mode, we will not try to use the server to service requests for the amount of time set by this parameter.
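The behaviour described above, as an added simulation that is not RSA ClearTrust code: it models a failover group with a constructed down primary and a healthy secondary on a fake clock, to show why every request paid the connection timeout before the fix and how a disable window of 900000 ms changes that. The server names, the 5 s timeout and the retry count of 2 are assumed sample values, not settings taken from the article.

```python
"""Model of the LDAP failover behaviour described in the article.

Added illustration, not RSA ClearTrust code: it simulates the bind logic
with a fake clock so the latency effect of disableservertime can be seen
without a directory server. Server names, timeouts and retry counts are
constructed sample values; the real product reads them from ldap.conf.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class LdapServer:
    name: str
    up: bool          # constructed: does the server accept connections?
    timeout_ms: int   # stands in for connection.defaulttimeout


@dataclass
class FailoverGroup:
    servers: List[LdapServer]               # tried in order: primary first
    retrycount: int                         # attempts per server before failing over
    disableservertime_ms: Optional[int]     # None models the pre-fix behaviour
    now_ms: int = 0                         # simulated clock
    disabled_until: Dict[str, int] = field(default_factory=dict)

    def bind(self) -> Tuple[str, int]:
        """Return (server used, milliseconds spent) for one bind request."""
        start = self.now_ms
        for server in self.servers:
            # A server in "soft" failure is skipped until its window elapses.
            if self.disabled_until.get(server.name, -1) > self.now_ms:
                continue
            for _ in range(self.retrycount):
                if server.up:
                    return server.name, self.now_ms - start
                self.now_ms += server.timeout_ms   # each failed attempt costs the full timeout
            if self.disableservertime_ms is not None:
                self.disabled_until[server.name] = self.now_ms + self.disableservertime_ms
        raise ConnectionError("no server in the failover group is reachable")


def make_group(disableservertime_ms: Optional[int]) -> FailoverGroup:
    """Constructed group: primary down, secondary healthy, 5 s timeout, 2 retries."""
    return FailoverGroup(
        servers=[LdapServer("primary", up=False, timeout_ms=5000),
                 LdapServer("secondary", up=True, timeout_ms=5000)],
        retrycount=2,
        disableservertime_ms=disableservertime_ms,
    )


def simulate(disableservertime_ms: Optional[int], requests: int = 3,
             idle_between_ms: int = 1000) -> List[Tuple[str, int]]:
    """Run several bind requests in a row; record where each went and how long it took."""
    group = make_group(disableservertime_ms)
    results = []
    for _ in range(requests):
        results.append(group.bind())
        group.now_ms += idle_between_ms   # time between client requests
    return results


def recovery_after_window(disableservertime_ms: int = 900000) -> Tuple[str, int]:
    """Once the window expires the primary is retried; if it is back, it is used again."""
    group = make_group(disableservertime_ms)
    group.bind()                              # primary enters soft failure here
    group.now_ms += disableservertime_ms      # wait out the window
    group.servers[0].up = True                # constructed: primary has recovered
    return group.bind()


if __name__ == "__main__":
    print("no disable window :", simulate(None))
    print("15 min window     :", simulate(900000))
    print("after recovery    :", recovery_after_window())
```

Without a disable window every request spends retrycount times the timeout (10 s here) on the dead primary before reaching the secondary; with the window set, only the first request pays that cost and the primary is not consulted again until the window has elapsed, after which a recovered primary is picked up automatically.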
Workaround
Configure LDAP for failover.
Notes
The default value for disableservertime is 900000 ms (15 minutes). Please note that if hotfix 5.0.1.9 or later is applied without providing a value for this parameter, the default value will be used.
Legacy Article ID: a20858
