Configuring High Availability of the LDAP Data Source
To avoid unnecessary downtime due to an unavailable LDAP server, you can set up the LDAP data source to be highly available. The User Management Engine (UME) allows you to configure a failover scenario with more than one server, whereby a secondary server takes over when the main server becomes unavailable.
The failover scenario works as follows:
1. You configure UME with a list of LDAP servers. The first server in the list is the main server. The remaining servers are failover servers.
2. At startup, UME accesses the first server and the connection pool is initialized with that server.
3. If the main server fails, UME tries to connect to the next server in the list. If that one is not available, it tries to connect to the following server in the list, and so on until it establishes a connection to a working server.
If none of the servers are available, an exception occurs.
4. The connection pool is initialized with the new LDAP server.
5. After a certain (configurable) amount of time, UME tries to reconnect to the main server.
On all the LDAP servers used in the failover scenario, the part of the structure that is visible for UME must be the same. This is because UME uses the distinguished name of a user or a group to identify the object in the directory server.
You configure high availability of the LDAP data source using UME properties.
The following table provides an overview of the properties that you need to set:
| Property Name | Description |
| --- | --- |
| ume.ldap.access.server_name | Comma-separated list of LDAP directory servers. |
| ume.ldap.access.server_port | Comma-separated list of ports for the LDAP directory servers (in the same order as the servers). |
| ume.ldap.access.default_switch | Time in minutes after which UME tries to reconnect to the main server. Default value is 10. |
| ume.ldap.access.action_retrial | In a failover scenario: Number of times UME repeats an action on the LDAP directory server, before switching to another server and reinitializing the connection pools. In a scenario with only one LDAP server: Number of times UME repeats an action on the LDAP directory server before throwing an exception. Default value is 2. |
Make sure that the server names and the ports correspond to each other.
For example, if you have the following values:
ume.ldap.access.server_name=p66192,p66193
ume.ldap.access.server_port=11811,389
UME will try to access the following servers: p66192:11811 and p66193:389.

There will be an exception during initialisation if the number of servers and the number of ports are different.
The following is an example of values for the UME properties.
ume.ldap.access.server_name=p66192,p66193,p66194,p66195,p66196
ume.ldap.access.server_port=11811,389,389,389,389
ume.ldap.access.base_path.user=ou=Europe,dc=um.wdf.sap.corp
ume.ldap.access.base_path.grup=ou=Europe,dc=um.wdf.sap.corp
ume.ldap.access.default_switch=30
In this example, the complete URL for the user search is ldap://p66192:11811/ou=Europe,dc=um.wdf.sap.corp, or ldap://p66193:389/ou=Europe,dc=um.wdf.sap.corp, and so on.
In this example, the failover scenario works as follows:
1. If the main server (p66192) is not available, UME switches to the next failover server (p66193).
2. If the failover server (p66193) is not available, UME switches to the next failover server (p66194).
3. If this server (p66194) is available, it is used to initialise the connection pool.
If, on the other hand, this server is down, UME continues switching to the next server. If it reaches the original server (p66192) again, all servers are unavailable. In this case UME throws an exception that no server is available.
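The pairing rule for server names and ports and the failover walk described above can be checked before the properties are deployed. The following is an added example, not SAP code: the function names and the `is_up` reachability callback are assumptions, and the sample values are the ones used on this page.

```python
# Added example: pre-deployment check of UME LDAP failover properties.
# Models the behaviour described on this page; it is not SAP code.
SAMPLE = """\
ume.ldap.access.server_name=p66192,p66193,p66194,p66195,p66196
ume.ldap.access.server_port=11811,389,389,389,389
ume.ldap.access.base_path.user=ou=Europe,dc=um.wdf.sap.corp
ume.ldap.access.default_switch=30
"""  # values from the example on this page
PREFIX = "ume.ldap.access."


def parse_properties(text):
    """Return a dict of key -> value, splitting on the first '=' only."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props


def failover_endpoints(props):
    """Pair servers with ports in list order; raise ValueError on bad input."""
    # Assumption: whitespace around list entries is trimmed by this check.
    names = [n.strip() for n in props.get(PREFIX + "server_name", "").split(",")]
    ports = [p.strip() for p in props.get(PREFIX + "server_port", "").split(",")]
    if len(names) != len(ports):
        raise ValueError(f"{len(names)} servers but {len(ports)} ports")
    endpoints = []
    for name, port in zip(names, ports):
        if not name or not port.isdigit() or not 0 < int(port) < 65536:
            raise ValueError(f"invalid entry {name!r}:{port!r}")
        endpoints.append((name, int(port)))
    return endpoints


def select_server(endpoints, is_up):
    """Walk the list from the main server; the first reachable endpoint wins."""
    for endpoint in endpoints:
        if is_up(endpoint):
            return endpoint
    raise ConnectionError("no LDAP server available")


def user_search_url(endpoint, props):
    """URL form used on this page: ldap://host:port/base_path."""
    return f"ldap://{endpoint[0]}:{endpoint[1]}/{props[PREFIX + 'base_path.user']}"
```

Running `failover_endpoints` in a deployment pipeline catches a server/port count mismatch before it surfaces as an exception at UME initialisation.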
