|Applies To||RSA ClearTrust 5.0.1, RSA ClearTrust 5.5, Microsoft Active Directory, iPlanet 5.1 Directory Server|
LDAP failover does not work in RSA ClearTrust
The default behavior is for the LDAP bind to immediately retry the original primary LDAP server on the next request. Each such attempt incurs a delay of several seconds (governed by the cleartrust.data.ldap.directory.<server>.connection.defaulttimeout setting) unless you set the disableservertime parameter.
|Resolution||This issue has been resolved in a hot fix for RSA ClearTrust 5.0.1. Contact RSA Security Customer Support to obtain hot fix 220.127.116.11, or request the latest fix level (which is cumulative, and contains fixes from previous fix levels).|
NOTE: This issue was resolved in RSA ClearTrust 5.5.1, but the configuration parameter must be added manually to the ldap.conf file.
Ability to Ignore a Failing LDAP Server
Set the parameter:
cleartrust.data.ldap.directory.<name of directory server>.connection.disableservertime
to disable attempts to connect to failing directory servers by RSA ClearTrust for the configured amount of time. This parameter resides in the ldap.conf file.
In earlier versions, if we were unable to establish a connection to an LDAP server after the number of attempts specified by .retrycount, we would fail over to the next LDAP server in the failover group (if configured). However, the next request would again try to use the failing server first, which could result in very lengthy response times. Now, if we fail to establish a connection and the server is in "soft" failure mode, we will not try to use that server to service requests for the amount of time set by this parameter.
When LDAP is configured for failover, the default value for disableservertime is 900000 ms (15 minutes). Please note that if hotfix 18.104.22.168 or later is applied without providing a value for this parameter, the default value will be used.
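The interaction of .retrycount, .defaulttimeout and .disableservertime described above, as an added Python model that is not RSA's code: server names, timings and the failure pattern are constructed, and treating a disableservertime of 0 as the earlier always-retry behavior is an assumption made for the comparison.

```python
"""Added illustration (not RSA ClearTrust code): models how retrycount,
defaulttimeout and disableservertime affect the time a request spends
on a failing primary before reaching a healthy failover server."""
from dataclasses import dataclass


@dataclass
class Server:
    name: str
    up: bool
    disabled_until_ms: int = 0  # soft-failure expiry; 0 means eligible


@dataclass
class FailoverGroup:
    servers: list
    retrycount: int = 3
    defaulttimeout_ms: int = 5000       # wait per failed connect attempt
    disableservertime_ms: int = 900000  # 0 models the old always-retry behavior (assumption)
    now_ms: int = 0                     # simulated clock

    def connect(self):
        """Return (server name, milliseconds spent waiting) for one request."""
        spent = 0
        for s in self.servers:
            if s.disabled_until_ms > self.now_ms:
                continue  # in "soft" failure mode: skipped, no timeout paid
            if s.up:
                return s.name, spent
            # Every failed server costs retrycount * defaulttimeout
            spent += self.retrycount * self.defaulttimeout_ms
            if self.disableservertime_ms:
                s.disabled_until_ms = self.now_ms + self.disableservertime_ms
        raise ConnectionError("no directory server reachable")


def simulate(disableservertime_ms, requests=4, gap_ms=1000):
    """Total wait across `requests` requests spaced gap_ms apart, with the
    primary (constructed name) down and the secondary healthy."""
    group = FailoverGroup([Server("primary", up=False), Server("secondary", up=True)],
                          disableservertime_ms=disableservertime_ms)
    total = 0
    for i in range(requests):
        group.now_ms = i * gap_ms
        _, spent = group.connect()
        total += spent
    return total
```

With the parameter unset (old behavior) every request pays the full retry cost again; with it set, only the first request does until the disable window expires.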
|Legacy Article ID||a20858|