Symantec Access Management

  • 1.  Need some clarification on LDAP load balancing and failover configuration

    Posted Apr 19, 2018 12:11 PM

    Hello Everyone,

     

    I need some clarification on the LDAP load balancing and failover configuration setup in a SiteMinder environment. Here is the current setup we have in our production environment.

     

    Load balancing:

       Failover Group:

          Server 1

          Server 2

          Server 3

       Failover Group:

          Server 4

          Server 5

          Server 6

          Server 7

       Failover Group:

          Server 1

          Server 2

          Server 3

       Failover Group:

          Server 3

          Server 2

          Server 1

     

    In total we have 7 different servers in 4 different failover groups. I just want to understand how the load balancing and failover work in this configuration; all these servers use port 636 to connect to AD.

     

    All replies are greatly appreciated.

     

    Our Environment:

    SiteMinder policy server: 12.52 SP1 CR06

    Operating system : RHEL 6.x

    All these servers are Microsoft Active Directory servers.



  • 2.  Re: Need some clarification on LDAP load balancing and failover configuration

    Posted Apr 19, 2018 10:17 PM


  • 3.  Re: Need some clarification on LDAP load balancing and failover configuration

    Broadcom Employee
    Posted Apr 20, 2018 02:22 PM

    Naveen,

    The tech tip provided by Leo is good, but that's for PS Clustering and LB. I have a question regarding your current LDAP server configuration. How and why did you (or somebody) choose to do this particular setup (as you have described) in the first place? What were the criteria?

    - thanks, Vijay



  • 4.  Re: Need some clarification on LDAP load balancing and failover configuration

    Posted Apr 22, 2018 11:49 PM

    In a perfect scenario (all 7 servers up), here is how it works:

     

    The Policy Server will load balance incoming requests between:

     

    • Server 1  (Failover Group 1)
    • Server 4  (Failover Group 2)
    • Server 1  (Failover Group 3)
    • Server 3  (Failover Group 4)

     

    (Basically, the PS will use the first specified LDAP server in each failover group.)

     

    Now, if in any failover group the first server fails to connect, the PS will fail over to the second server (and then to the third and fourth, in order) in that failover group.

    For example, let's say Server 4 is down; then the PS will fail over to Server 5 in Failover Group 2.

     

    How are you defining the same server across different failover groups? They need to be specified as aliases and not using the same hostname/IP. More here: How to configure LDAP banks

     

    Let me know if any questions.
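    As an added example that is not part of the original thread or of SiteMinder, here is a small Python model of the rule described above: the Policy Server round-robins across the failover groups (banks), and inside each bank it talks to the first server in listed order that it can reach. The hostnames are the thread's placeholders; the request counts, the `down` set and the `rotated_banks` layout are assumptions for illustration, not the Policy Server's actual scheduler.

```python
# Added illustrative model (not SiteMinder code) of the LDAP-bank behaviour
# described in this thread: the Policy Server round-robins requests across
# the failover groups (banks) and, inside each bank, talks to the first
# server in listed order that it can reach. Hostnames are the thread's
# placeholders; request counts and the "down" sets are made up.
from collections import Counter

# The poster's production layout: 7 hosts in 4 banks, as listed in the question.
BANKS = [
    ["Server 1", "Server 2", "Server 3"],
    ["Server 4", "Server 5", "Server 6", "Server 7"],
    ["Server 1", "Server 2", "Server 3"],
    ["Server 3", "Server 2", "Server 1"],
]


def active_server(bank, down=frozenset()):
    """First reachable server of a bank in listed order; None if the whole bank is down."""
    for host in bank:
        if host not in down:
            return host
    return None


def distribute(banks, requests, down=frozenset()):
    """Round-robin `requests` across banks and count which host ends up serving each.

    This is the load-balancing rule the thread describes (one bank per request,
    in turn); it is a model, not the Policy Server's scheduler.
    """
    counts = Counter()
    for i in range(requests):
        host = active_server(banks[i % len(banks)], down)
        counts[host if host is not None else "(no server)"] += 1
    return counts


def idle_servers(banks, down=frozenset()):
    """Hosts that are configured somewhere but are never the active server of any bank.

    With every host up, these hosts receive no traffic at all; they only help
    as failover targets.
    """
    configured = {host for bank in banks for host in bank}
    active = {active_server(bank, down) for bank in banks}
    return sorted(configured - active)


def rotated_banks(servers):
    """One hypothetical layout that lets every host carry load: bank i starts at servers[i].

    Shown for comparison only; it is not a recommendation from the thread.
    """
    n = len(servers)
    return [servers[i:] + servers[:i] for i in range(n)]


if __name__ == "__main__":
    print("all up:", dict(distribute(BANKS, 400)))
    print("idle with all up:", idle_servers(BANKS))
    print("Server 4 down:", dict(distribute(BANKS, 400, down={"Server 4"})))
    seven = [f"Server {i}" for i in range(1, 8)]
    print("rotated layout:", dict(distribute(rotated_banks(seven), 700)))
```

    With all seven hosts up, the poster's layout sends half of all requests to Server 1 and none to Servers 2, 5, 6 and 7; taking Server 4 down moves bank 2's share to Server 5 and nothing else changes. That is the effect Ujwol's later reply alludes to when he says the configuration should let every available server take load.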

     



  • 5.  Re: Need some clarification on LDAP load balancing and failover configuration

    Posted Apr 23, 2018 12:24 PM

    Shrestha,

     

    Using the same servers in the same order in Failover Groups 1 & 3 might not be the right configuration on our side. But using the same servers in a different order in Failover Groups 1 & 4 may be okay, I think.

     

    Can you please let me know, if in any failover group a server fails to connect, how much time it takes to fail over to the next server within the same failover group?

     

    Thank you,

    Naveen



  • 6.  Re: Need some clarification on LDAP load balancing and failover configuration
    Best Answer

    Posted Apr 23, 2018 07:38 PM

    My comments inline.

     

    Using the same servers in the same order in Failover Groups 1 & 3 might not be the right configuration on our side. But using the same servers in a different order in Failover Groups 1 & 4 may be okay, I think.

     

    Ujwol => Correct. As the idea is to load balance the requests among all your available servers, it is best that you ensure the configuration allows that.

     

    Can you please let me know, if in any failover group a server fails to connect, how much time it takes to fail over to the next server within the same failover group?

     

    Ujwol => The failover is instant if it detects a connection error (LDAP error 81/91).

    See below:

     

    [12/11/2014][10:10:03.163][15305][3814390640][ LogMessage:ERROR:[sm-Ldap-02230] Error# '81' during search: 'error: Can't contact LDAP server' Search Query = '(uid=A15)'][10:10:03][SmDsLdapConnMgr.cpp:1180]
    [12/11/2014][10:10:03.163][15305][3814390640][ LDAP search of (uid=A15) took 0 seconds and 715 microseconds][10:10:03][SmDsLdapConnMgr.cpp:1191][CSmDsLdapConn::SearchExts]
    [12/11/2014][10:10:03.163][15305][3814390640][ Ldap Search failed, ErrorMsg is Can't contact LDAP server][10:10:03][SmDsLdapFunctionImpl.cpp:3119][CSmDsLdapProvider::SearchExts]
    [12/11/2014][10:10:03.163][15305][3814390640][ Marked dir connection (seq: 3) CAldap002-1.mysite.com:2001 as Close Pending][10:10:03][SmDsLdapConnMgr.cpp:501][CSmDsLdapConnMgr::AddDeadHandleList]
    [12/11/2014][10:10:03.163][15305][3814390640][ Marked dir connection (seq: 1) CAldap002-1.mysite.com:2001 as Close Pending][10:10:03][SmDsLdapConnMgr.cpp:501][CSmDsLdapConnMgr::AddDeadHandleList]
    [12/11/2014][10:10:03.163][15305][3814390640][ Marked user connection (seq: 2) CAldap002-1.mysite.com:2001 as Close Pending][10:10:03][SmDsLdapConnMgr.cpp:501][CSmDsLdapConnMgr::AddDeadHandleList]
    [12/11/2014][10:10:03.163][15305][3814390640][ LogMessage:INFO:[sm-Server-04380] Failing over to LDAP server 'CAldap001-1.mysite.com:2001' in LDAP server bank #1.][10:10:03][SmDsLdapFunctionImpl.cpp:2133]
    [12/11/2014][10:10:03.163][15305][3814390640][ Rebind attempt on 'dir' connection to best LDAP server 'CAldap001-1.mysite.com:2001'][10:10:03][SmDsLdapFunctionImpl.cpp:2175][CSmDsLdapProvider::RebindServer]

     

    If a directory/search thread detects an error with the LDAP connection, it will fail over to the next server in the failover group. The ServerCheckerThread (a thread which monitors LDAP server availability periodically) is woken up early. If the directory instance is still up and working (the handle timed out, etc.), then the ServerCheckerThread will likely mark the directory instance as good again after it checks it, and then failback will occur.

     

    Having said this, how long it will take to establish a connection with the failover (new) server depends on the response times of the LDAP server itself.

     

    A few related KBs for your reference:

     

    Tech Tip - CA Single Sign-On: PolicyServer :: LDAPPingTimeout Explained 

    Tech Tip - CA Single Sign-On: Policy Server :: Policy Server Hung if LDAP User Directory is unresponsive/slowly performing. 



  • 7.  Re: Need some clarification on LDAP load balancing and failover configuration

    Posted Apr 24, 2018 04:30 PM

    Shrestha,

     

    • Server 3  (Failover Group 4)
    • Server 2  (Failover Group 4)

     

    Based on the smps log:

    [7256/2827307888][Thu Apr 19 2018 01:31:19][SmDsLdapConnMgr.cpp:909][ERROR][sm-Ldap-01370] SmDsLdapConnMgr Bind. Server Server 3 : 636. Error 81-Can't contact LDAP server

    [7256/2827307888][Thu Apr 19 2018 01:31:19][SmDsLdapFunctionImpl.cpp:2160][INFO][sm-Server-04380] Failing over to LDAP server 'Server 2:636' in LDAP server bank #4.

     

    It seems like within no time it failed over from Server 3 (Failover Group 4) to Server 2 (Failover Group 4). After some time it again failed back to Server 3 (Failover Group 4). I think Server 3 was again available for the Policy Server to connect to.

     

    [7256/3959438192][Thu Apr 19 2018 01:31:25][SmDsLdapFunctionImpl.cpp:2155][INFO][sm-Server-04390] Failing back to LDAP server 'Server3:636' in LDAP server bank #4

     

    Thanks,

    Naveen
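    As an added example, not code from the thread or from Broadcom, the following Python parses both Policy Server log formats quoted in this thread (the trace-log lines in Ujwol's reply and the smps.log lines in Naveen's) into failover/failback events and measures how long a bank stayed failed over. The sample lines are copies of the excerpts above; the message codes are the ones visible in those lines; reading the trace-log date as month/day/year is an assumption, and `CONNECTION_ERRORS` is just the 81/91 pair Ujwol mentions.

```python
# Added example (not SiteMinder code): turn the two Policy Server log formats quoted
# in this thread into structured failover/failback events and measure how long each
# LDAP bank stayed failed over before the ServerCheckerThread failed it back.
import re
from datetime import datetime

# Message codes as they appear in the thread's excerpts.
CODES = {
    "sm-Server-04380": "failover",
    "sm-Server-04390": "failback",
    "sm-Ldap-01370": "bind_error",
    "sm-Ldap-02230": "search_error",
}
CONNECTION_ERRORS = {81, 91}  # the LDAP result codes the thread calls "connection error"

CODE_RE = re.compile(r"\[(sm-(?:Server|Ldap)-\d{5})\]")
TARGET_RE = re.compile(r"Failing (?:over|back) to LDAP server '([^']+)' in LDAP server bank #(\d+)")
BIND_RE = re.compile(r"SmDsLdapConnMgr Bind\. Server (.+?) : (\d+)\.")
LDAP_ERR_RE = re.compile(r"Error#? '?(\d+)'?")
# smps.log style: [pid/tid][Thu Apr 19 2018 01:31:19][file:line][LEVEL][code] message
SMPS_TS_RE = re.compile(r"\[([A-Z][a-z]{2} [A-Z][a-z]{2} \d{1,2} \d{4} \d\d:\d\d:\d\d)\]")
# trace-log style: [12/11/2014][10:10:03.163][pid][tid][ message ][time][file:line]
TRACE_TS_RE = re.compile(r"^\[(\d\d/\d\d/\d{4})\]\[(\d\d:\d\d:\d\d\.\d+)\]")

# Constructed sample: the lines quoted in this thread, smps.log lines first,
# then two of the trace-log lines from Ujwol's reply.
SAMPLE_LINES = [
    "[7256/2827307888][Thu Apr 19 2018 01:31:19][SmDsLdapConnMgr.cpp:909][ERROR][sm-Ldap-01370] "
    "SmDsLdapConnMgr Bind. Server Server 3 : 636. Error 81-Can't contact LDAP server",
    "[7256/2827307888][Thu Apr 19 2018 01:31:19][SmDsLdapFunctionImpl.cpp:2160][INFO][sm-Server-04380] "
    "Failing over to LDAP server 'Server 2:636' in LDAP server bank #4.",
    "[7256/3959438192][Thu Apr 19 2018 01:31:25][SmDsLdapFunctionImpl.cpp:2155][INFO][sm-Server-04390] "
    "Failing back to LDAP server 'Server3:636' in LDAP server bank #4",
    "[12/11/2014][10:10:03.163][15305][3814390640][ LogMessage:ERROR:[sm-Ldap-02230] Error# '81' during search: "
    "'error: Can't contact LDAP server' Search Query = '(uid=A15)'][10:10:03][SmDsLdapConnMgr.cpp:1180]",
    "[12/11/2014][10:10:03.163][15305][3814390640][ LogMessage:INFO:[sm-Server-04380] Failing over to LDAP server "
    "'CAldap001-1.mysite.com:2001' in LDAP server bank #1.][10:10:03][SmDsLdapFunctionImpl.cpp:2133]",
]


def parse_timestamp(line):
    """Return the line's timestamp as a datetime, or None if neither format matches."""
    m = SMPS_TS_RE.search(line)
    if m:
        return datetime.strptime(m.group(1), "%a %b %d %Y %H:%M:%S")
    m = TRACE_TS_RE.match(line)
    if m:
        # Assumption: the trace-log date is month/day/year. Check against your own logs.
        return datetime.strptime(f"{m.group(1)} {m.group(2)}", "%m/%d/%Y %H:%M:%S.%f")
    return None


def parse_event(line):
    """Parse one log line into an event dict, or None if it carries no code we track."""
    m = CODE_RE.search(line)
    if not m or m.group(1) not in CODES:
        return None
    ev = {"ts": parse_timestamp(line), "code": m.group(1), "kind": CODES[m.group(1)],
          "server": None, "bank": None, "ldap_error": None, "connection_error": False}
    t = TARGET_RE.search(line)
    if t:
        ev["server"], ev["bank"] = t.group(1), int(t.group(2))
    b = BIND_RE.search(line)
    if b:
        ev["server"] = f"{b.group(1)}:{b.group(2)}"
    e = LDAP_ERR_RE.search(line)
    if e:
        ev["ldap_error"] = int(e.group(1))
        ev["connection_error"] = ev["ldap_error"] in CONNECTION_ERRORS
    return ev


def outage_durations(events):
    """Seconds between each bank's failover and the next failback for that bank."""
    pending = {}
    durations = {}
    for ev in events:
        if ev["ts"] is None or ev["bank"] is None:
            continue
        if ev["kind"] == "failover":
            pending[ev["bank"]] = ev["ts"]
        elif ev["kind"] == "failback" and ev["bank"] in pending:
            secs = (ev["ts"] - pending.pop(ev["bank"])).total_seconds()
            durations.setdefault(ev["bank"], []).append(secs)
    return durations


def summarize(lines):
    """Parse all lines; return (events, per-bank failover durations in seconds)."""
    events = [ev for ev in (parse_event(l) for l in lines) if ev is not None]
    return events, outage_durations(events)


if __name__ == "__main__":
    evs, durs = summarize(SAMPLE_LINES)
    for ev in evs:
        print(ev["ts"], ev["kind"], ev["server"], ev["bank"], ev["ldap_error"])
    print("failover durations per bank:", durs)
```

    Run over the sample, bank 4 shows a six-second failover window (01:31:19 to 01:31:25), which matches Naveen's reading of the log: the failover on error 81 happens in the same second as the bind failure, and the failback follows once the checker thread marks Server 3 good again. Bank 1 from the trace-log excerpt has a failover with no failback in the sample, so it does not appear in the durations.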



  • 8.  Re: Need some clarification on LDAP load balancing and failover configuration

    Posted Apr 24, 2018 05:43 PM

    Correct