I understand each of my policy servers has 3 connections (persistent?) to each Directory Server configured: 1 for Bind, 1 for Search, 1 for Ping.
YES, persistent.
Are these 3 connections opened to each of the Directory Servers configured in the User Directory object?
YES, assuming you have 3 servers listed for the User Directory Object in round-robin = 9 connections.
Are the connections only opened for User Directory objects that are 'BOUND' to a Domain/Policy? Or are the connections opened for each User Directory object created in the WAM UI?
First - connections are opened to the LDAP user store when a request is made for login.
Second - User Directory connections are bound to the User Directory Object name, not the Domain/Policy; if the same user directory object (3 servers) is used in all domains there will be 9 connections.
Is there a concept of an idle timeout for the 'Bind'/any connections? Where is it controlled?
No, the policy server does not close the connection to the User Store unless one of the following occurs:
• An LDAP request returns with a network error. The connections are then re-initialized.
• The ping thread detects that an LDAP server in the same fail-over group located before the current server is now available. For example, if a user and a search connection to S2 were created and at some point S1 becomes available, then the connections will be re-initialized to S1.
• The ping thread detects that the server is unavailable. The connections are then re-initialized.
What happens when there is excessive load and multiple backend operations are required? How/where do we control the number of connections between the two?
With HIGH load it may be necessary to add more servers to open the pipeline to the user store.
I have read about adding the same LDAP host name again to increase the connections, but have not tried it yet.
YES, this will increase the pipeline to the user store; however, giving the same hostname can be problematic: if an error occurs on one of the connections, the Policy Server will mark all connections to servers with that same name BAD. A better approach, if the goal is to increase the pipeline, is to configure different names mapped to the same IP address of the user store.
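The following is an added toy model of the connection rules the answers above describe (lazy opening on first login, three persistent connections per configured server entry, re-initialization and fail-back driven by the ping thread, and the "same hostname marks every matching entry BAD" pitfall from the last answer). It is not SiteMinder code and not from this thread; the class names, the (ip, port) tuples and the server names in the scenario are assumptions made for illustration.

```python
"""Toy model of policy-server-to-user-store connection handling as described in the
thread above. Added illustration, not SiteMinder code: class names, addresses and
server names are assumptions."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# One persistent connection per role to each configured server entry.
ROLES = ("bind", "search", "ping")


@dataclass
class ServerEntry:
    """One line of the User Directory server list and its three connections."""
    index: int                 # position in the list; lower index = preferred in failover
    name: str                  # configured host name; errors are attributed to this label
    address: Tuple[str, int]   # where the name resolves to (assumed for illustration)
    healthy: bool = True
    generation: int = 0        # bumped every time the connections are re-initialized

    def reinitialize(self) -> None:
        self.generation += 1
        self.healthy = True


@dataclass
class UserDirectoryPool:
    """Connections for one User Directory object (keyed by the object, not by domain/policy)."""
    servers: List[Tuple[str, Tuple[str, int]]]      # (configured name, address) in failover order
    entries: List[ServerEntry] = field(default_factory=list)
    current: Optional[int] = None                   # entry currently serving bind/search traffic

    def connection_count(self) -> int:
        return len(self.entries) * len(ROLES)

    def first_login(self) -> int:
        """Connections are opened on the first login request, not at startup."""
        if not self.entries:
            self.entries = [ServerEntry(i, name, addr) for i, (name, addr) in enumerate(self.servers)]
            self.current = 0
        return self.connection_count()

    def _select_current(self) -> None:
        """Serve traffic from the earliest healthy entry in failover order, or none if all are bad."""
        self.current = next((e.index for e in self.entries if e.healthy), None)

    def on_network_error(self, index: int) -> List[int]:
        """An LDAP request on `index` fails with a network error. Every entry configured with
        the same host name is marked BAD, so repeating one name to widen the pipeline means a
        single error takes the whole pipeline down; distinct names for the same IP do not."""
        bad_name = self.entries[index].name
        affected = [e.index for e in self.entries if e.name == bad_name]
        for i in affected:
            self.entries[i].healthy = False
        self._select_current()
        return affected

    def on_ping(self, index: int, reachable: bool) -> Optional[int]:
        """Ping-thread observation for one entry. Returns the entry now serving traffic."""
        entry = self.entries[index]
        if not reachable:
            entry.healthy = False
            entry.generation += 1          # connections are torn down and re-initialized
            self._select_current()
        elif not entry.healthy:
            entry.reinitialize()           # server is back: rebuild its connections
            # Fail back when this entry precedes the one currently in use.
            if self.current is None or index < self.current:
                self.current = index
        return self.current


def demo() -> dict:
    """Constructed scenario: three names for one user store IP vs. one name repeated."""
    addr = ("10.0.0.5", 389)   # assumed address of the user store
    distinct = UserDirectoryPool([("ldap-a", addr), ("ldap-b", addr), ("ldap-c", addr)])
    repeated = UserDirectoryPool([("ldap", addr), ("ldap", addr), ("ldap", addr)])
    result = {"before_login": distinct.connection_count(), "after_login": distinct.first_login()}
    repeated.first_login()
    result["distinct_affected"] = distinct.on_network_error(1)   # only the failing entry
    result["repeated_affected"] = repeated.on_network_error(1)   # every entry with that name
    result["distinct_current"] = distinct.current
    result["repeated_current"] = repeated.current
    return result


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the trade-off: both pools open 9 connections after the first login, but a network error on one entry of the repeated-name pool leaves no healthy entry to serve traffic, while the distinct-name pool keeps serving from its first entry. The `on_ping` method models the fail-over and fail-back rules from the bullet list.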