Article Number
000013578
Applies To
RSA Access Manager (aka Cleartrust) Server 6.0.x
LDAP datastores used in failover mode
Issue
AxM - How to set ldap.conf for complete ldap failure
When a catastrophic total LDAP failure has occurred and all directory servers are down, CT (ClearTrust) waits out the interval specified by the disableservertime setting before attempting to reconnect, even if one or more directory servers become available again during that interval.
Resolution
In an extreme situation where all configured failover data stores have been disabled during the processing of a command (e.g. due to connection related problems), ClearTrust can be configured to reenable all the data stores, and then try processing again. If this feature is desired, you will need to add this entry to your ldap.conf file, and set the value to true:
cleartrust.data.ldap.reenable_all_after_last_failover :true
This parameter was introduced in Cleartrust 5.5.3 Hotfix 5.5.3.102 (released in 2006) and is also available in Access Manager 6.0.2. Contact Customer Support to request the latest hotfix for 5.5.3, noting that all hotfixes are cumulative.
Notes
From the readme for hotfix 5.5.3.102:
LDAP data store failover has been improved and made more
reliable. Other improvements addressed in this hotfix include:
- Read and write-specific command timeout values can be
configured to override the configured .defaulttimeout
value. As part of this, timeout errors on write commands
now can initiate failover. If desired, please add these
entries to your ldap.conf file:
# Sets a timeout value specific to data store write operations
# (add, modify, delete). If this is unspecified then the value
# specified by .defaulttimeout will be used.
#
# Allowed Values:
# Any positive integer that represents a number of milliseconds.
#
# Default Value:
# Same value as .defaulttimeout
#
cleartrust.data.ldap.directory.iplanet.connection.write_timeout :15000
# Sets a timeout value specific to data store read operations
# (authenticate, compare, read, search). If this is unspecified
# then the value specified by .defaulttimeout will be used.
#
# Allowed Values:
# Any positive integer that represents a number of milliseconds.
#
# Default Value:
# Same value as .defaulttimeout
#
cleartrust.data.ldap.directory.iplanet.connection.read_timeout :15000
- In the extreme situation where all configured failover data stores have
been disabled during the processing of a command (e.g. due to connection
related problems), ClearTrust can be configured to reenable all the
data stores and try the command again. If this feature is desired
please add this entry to your ldap.conf file and set the value to true:
# ClearTrust normally throws an exception when all configured data
# stores have been disabled and there are no more data stores to
# failover to. Setting this parameter to true causes ClearTrust
# to reenable all the datastores before their configured .disableServertime
# period has expired. The pending command will be tried again
# against the data stores which had not been tried during the first
# iteration. This ensures all data stores have been tried at least
# (and at most) one time before giving up completely. This might be
# useful in a dynamic directory environment where a data store could
# become available again shortly after it was disabled. Setting this
# to true could have a negative effect on performance as ClearTrust
# tries the command against directories that in fact have not become
# available again.
#
# Allowed Values:
# true | false
#
# Default Value:
# false
#
# Dependencies:
# This parameter is only used when failover has been configured.
#
cleartrust.data.ldap.reenable_all_after_last_failover :false
- Improved logging of failover events, including which data store
is being disabled, which data store is being failed over to, which
LDAP command initiated the failure and the LDAP error that was
returned.
- The data store connection pool "keep alive" task has been improved
so that all the connections to a directory are not locked up while
the task runs.
Reference solution note a41215 which further discusses the disableservertime setting.
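As an added illustration of the three ldap.conf entries discussed in the Resolution and in the hotfix readme above (example code written for this note, not part of the article or of the RSA product), the following Python script parses an ldap.conf fragment and reports entries that would leave failover misconfigured: a read_timeout or write_timeout that is not a positive number of milliseconds, and a reenable_all_after_last_failover value that is missing, invalid, or left at false (the default that produces the disableservertime wait described in the Issue). The sample configuration text is constructed, the acceptance of both the "key :value" spelling shown in the article and a "key=value" spelling is an assumption about the file format, and the function names are the author's own.

```python
import re

# Constructed ldap.conf excerpt for the example (not taken from any real deployment).
# It uses the "key :value" spelling shown in the article.
SAMPLE_LDAP_CONF = """\
# constructed sample: one bad timeout and one bad boolean
cleartrust.data.ldap.directory.iplanet.connection.write_timeout :15000
cleartrust.data.ldap.directory.iplanet.connection.read_timeout :abc
cleartrust.data.ldap.reenable_all_after_last_failover :maybe
"""

# Constructed excerpt with all three entries as the Resolution recommends.
FIXED_LDAP_CONF = """\
cleartrust.data.ldap.directory.iplanet.connection.write_timeout :15000
cleartrust.data.ldap.directory.iplanet.connection.read_timeout=15000
cleartrust.data.ldap.reenable_all_after_last_failover :true
"""

# Assumption: entries are "key :value" or "key=value"; '#' lines are comments.
LINE_RE = re.compile(r"^\s*([A-Za-z0-9_.]+)\s*[:=]\s*(.*?)\s*$")

# Matches the per-directory read/write timeout keys; the directory name
# (e.g. "iplanet" in the article) is captured so any directory is checked.
TIMEOUT_RE = re.compile(
    r"^cleartrust\.data\.ldap\.directory\.([^.]+)\.connection\.(read_timeout|write_timeout)$"
)
REENABLE_KEY = "cleartrust.data.ldap.reenable_all_after_last_failover"


def parse_conf(text):
    """Parse ldap.conf text into a {key: value} dict, skipping comments and blanks."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        match = LINE_RE.match(line)
        if match:
            settings[match.group(1)] = match.group(2)
    return settings


def check_failover_settings(settings):
    """Return a list of (key, message) findings about the failover-related entries."""
    findings = []
    for key, value in settings.items():
        if TIMEOUT_RE.match(key) and not (value.isdigit() and int(value) > 0):
            findings.append(
                (key, f"expected a positive integer number of milliseconds, got {value!r}")
            )
    reenable = settings.get(REENABLE_KEY)
    if reenable is None:
        findings.append(
            (REENABLE_KEY,
             "not set; the default is false, so after a total LDAP outage ClearTrust "
             "waits out disableServertime before retrying any data store")
        )
    elif reenable.lower() not in ("true", "false"):
        findings.append((REENABLE_KEY, f"expected true or false, got {reenable!r}"))
    elif reenable.lower() == "false":
        findings.append(
            (REENABLE_KEY,
             "explicitly false; set to true to have ClearTrust reenable all data stores "
             "and retry the command when every failover store has been disabled")
        )
    return findings


if __name__ == "__main__":
    for label, text in (("sample", SAMPLE_LDAP_CONF), ("fixed", FIXED_LDAP_CONF)):
        print(f"== {label} ==")
        for key, message in check_failover_settings(parse_conf(text)) or [("-", "no findings")]:
            print(f"{key}: {message}")
```

Run against a real ldap.conf by replacing the constructed text with the file contents; the checker only reports on the keys named in this article, so an empty findings list means those entries are present and well-formed, not that the rest of the failover configuration (which the readme says the reenable parameter depends on) is correct.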