AxM - How to set ldap.conf for complete ldap failure
RSA Access Manager (aka Cleartrust) Server 6.0.x LDAP datastores used in failover mode
When a catastrophic total LDAP failure has occurred and all directory servers are down, ClearTrust will wait the time specified by disableservertime before attempting to reconnect, even if one or more directory servers become available again sooner.
In the extreme situation where all configured failover data stores have been disabled during the processing of a command (e.g. due to connection-related problems), ClearTrust can be configured to reenable all the data stores and then try processing the command again. If this behaviour is desired, add the entry cleartrust.data.ldap.reenable_all_after_last_failover to your ldap.conf file and set its value to true.
This parameter was introduced in ClearTrust 5.5.3 Hotfix 188.8.131.52 (released in 2006) and is also available in Access Manager 6.0.2. Contact Customer Support to request the latest hotfix for 5.5.3, noting that all hotfixes are cumulative.
From the readme for hotfix 184.108.40.206:
LDAP data store failover has been improved and made more reliable. Other improvements addressed in this hotfix include:
- Read and write-specific command timeout values can be configured to override the configured .defaulttimeout value. As part of this, timeout errors on write commands now can initiate failover. If desired, please add these entries to your ldap.conf file:
# Sets a timeout value specific to data store write operations
# (add, modify, delete). If this is unspecified then the value
# specified by .defaulttimeout will be used.
#
# Allowed Values:
# Any positive integer that represents a number of milliseconds.
#
# Default Value:
# Same value as .defaulttimeout
#
cleartrust.data.ldap.directory.iplanet.connection.write_timeout :15000

# Sets a timeout value specific to data store read operations
# (authenticate, compare, read, search). If this is unspecified
# then the value specified by .defaulttimeout will be used.
#
# Allowed Values:
# Any positive integer that represents a number of milliseconds.
#
# Default Value:
# Same value as .defaulttimeout
#
cleartrust.data.ldap.directory.iplanet.connection.read_timeout :15000
- In the extreme situation where all configured failover data stores have been disabled during the processing of a command (e.g. due to connection-related problems), ClearTrust can be configured to reenable all the data stores and try the command again. If this feature is desired, please add this entry to your ldap.conf file and set the value to true:
# ClearTrust normally throws an exception when all configured data
# stores have been disabled and there are no more data stores to
# failover to. Setting this parameter to true causes ClearTrust
# to reenable all the datastores before their configured .disableServertime
# period has expired. The pending command will be tried again
# against the data stores which had not been tried during the first
# iteration. This ensures all data stores have been tried at least
# (and at most) one time before giving up completely. This might be
# useful in a dynamic directory environment where a data store could
# become available again shortly after it was disabled. Setting this
# to true could have a negative effect on performance as ClearTrust
# tries the command against directories that in fact have not become
# available again.
#
# Allowed Values:
# true | false
#
# Default Value:
# false
#
# Dependencies:
# This parameter is only used when failover has been configured.
#
cleartrust.data.ldap.reenable_all_after_last_failover :false
- Improved logging of failover events, including which data store is being disabled, which data store is being failed over to, which LDAP command initiated the failure and the LDAP error that was returned.
- The data store connection pool "keep alive" task has been improved so that all the connections to a directory are not locked up while the task runs.
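The following Python simulation is an added illustration of the two behaviours the readme above describes (read/write timeouts falling back to .defaulttimeout, and the reenable_all_after_last_failover retry pass); it is not ClearTrust code. The ldap.conf keys are the ones quoted in the readme; the .disableservertime key suffix (assumed here to be in seconds), the directory name "iplanet", the host names "ds-a"/"ds-b"/"ds-c" and every class and function name are constructed for this example.

```python
"""Simulated ClearTrust-style LDAP data store failover (added example, not product code)."""
from dataclasses import dataclass
from typing import Dict, List, Optional

WRITE_OPS = {"add", "modify", "delete"}
READ_OPS = {"authenticate", "compare", "read", "search"}


def effective_timeout(conf: Dict[str, str], directory: str, op: str) -> int:
    """Timeout (ms) for op: the op-specific key if present, else .defaulttimeout."""
    base = f"cleartrust.data.ldap.directory.{directory}.connection."
    default = int(conf[base + "defaulttimeout"])
    if op in WRITE_OPS:
        return int(conf.get(base + "write_timeout", default))
    if op in READ_OPS:
        return int(conf.get(base + "read_timeout", default))
    raise ValueError(f"unknown LDAP operation {op!r}")


@dataclass
class DataStore:
    host: str
    up: bool                   # constructed: does the server answer at all?
    latency_ms: int = 10       # constructed: how long it takes to answer
    disabled_until: float = 0  # epoch seconds; 0 means enabled
    attempts: int = 0          # how many times this command touched the store


class AllDataStoresDisabled(Exception):
    """Raised when every store is disabled and no retry pass is allowed."""


def _attempt(store: DataStore, timeout_ms: int) -> Optional[str]:
    """Simulated LDAP call: returns an error string, or None on success."""
    store.attempts += 1
    if not store.up:
        return "connect error"
    if store.latency_ms > timeout_ms:
        return "timeout"          # timeouts on writes now initiate failover too
    return None


def run_with_failover(stores: List[DataStore], conf: Dict[str, str], op: str,
                      now: float, directory: str = "iplanet", log=None) -> str:
    """Try op along the failover chain and return the host that served it.

    A failing store is disabled for .disableservertime (assumed seconds). When
    every store has been disabled, either reenable all stores and try the ones
    not yet touched by this command (reenable_all_after_last_failover=true),
    or raise, as the readme describes.
    """
    log = log if log is not None else []
    timeout_ms = effective_timeout(conf, directory, op)
    disable_secs = int(conf[f"cleartrust.data.ldap.directory.{directory}.disableservertime"])
    reenable = conf.get("cleartrust.data.ldap.reenable_all_after_last_failover",
                        "false").strip().lower() == "true"
    tried = set()

    def one_pass(candidates: List[DataStore]) -> Optional[str]:
        for s in candidates:
            tried.add(s.host)
            err = _attempt(s, timeout_ms)
            if err is None:
                return s.host
            s.disabled_until = now + disable_secs
            log.append(f"{op}: {s.host} disabled for {disable_secs}s ({err}), failing over")
        return None

    served = one_pass([s for s in stores if now >= s.disabled_until])
    if served:
        return served
    if reenable:
        for s in stores:               # reenable before .disableservertime has elapsed
            s.disabled_until = 0
        log.append(f"{op}: all data stores disabled; reenabling all and retrying untried stores")
        served = one_pass([s for s in stores if s.host not in tried])  # at most once each
        if served:
            return served
    raise AllDataStoresDisabled(f"{op}: no data stores left to fail over to")


def build_scenario():
    """Constructed state: ds-a was disabled by an earlier outage but is back up,
    ds-b answers too slowly for the write timeout, ds-c is down."""
    now = 1_000_000.0
    conf = {
        "cleartrust.data.ldap.directory.iplanet.connection.defaulttimeout": "5000",
        "cleartrust.data.ldap.directory.iplanet.connection.write_timeout": "15000",
        "cleartrust.data.ldap.directory.iplanet.connection.read_timeout": "3000",
        "cleartrust.data.ldap.directory.iplanet.disableservertime": "300",
        "cleartrust.data.ldap.reenable_all_after_last_failover": "false",
    }
    stores = [
        DataStore("ds-a", up=True, latency_ms=10, disabled_until=now + 240),
        DataStore("ds-b", up=True, latency_ms=20000),
        DataStore("ds-c", up=False),
    ]
    return now, conf, stores


def demo(reenable: bool):
    """Run a 'modify' through the chain; returns (serving host or None, log, stores)."""
    now, conf, stores = build_scenario()
    conf["cleartrust.data.ldap.reenable_all_after_last_failover"] = "true" if reenable else "false"
    log: List[str] = []
    try:
        served = run_with_failover(stores, conf, "modify", now, log=log)
    except AllDataStoresDisabled as exc:
        served = None
        log.append(str(exc))
    return served, log, stores


if __name__ == "__main__":
    for flag in (False, True):
        served, log, _ = demo(flag)
        print(f"reenable_all_after_last_failover={str(flag).lower()} -> served by {served}")
        for line in log:
            print("  " + line)
```

With the flag left at its default of false the modify fails over from ds-b (write timeout) to ds-c (connect error) and then gives up, because ds-a is still inside its disableservertime window even though it has come back; with the flag set to true the same command reenables the chain and succeeds on ds-a without touching ds-b or ds-c a second time, which is the performance trade-off the readme warns about when stores have not actually recovered.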
Reference solution note a41215 which further discusses the disableservertime setting.