Layer7 Access Management

Expand all | Collapse all

How to configure LDAP banks

Jump to Best Answer
  • 1.  How to configure LDAP banks

    Posted 11-10-2016 04:07 AM

    Creating this one behalf of Aditi Tyagi

    Hello Ujwol,

     

    Sorry to ask another basic query, but where to configure these additional LDAP banks?

    Is it to be done while creating a user directory in Admin UI?

    If yes, what is a better approach: failover or load-balancing for multiple connections to the same LDAP server?

     

    Thanks in advance!



  • 2.  Re: How to configure LDAP banks
    Best Answer

    Posted 11-10-2016 04:10 AM

    Hi Aditi,

     

    There is no point in having Failover configuration if the underlying LDAP server is same.

    The reason being if it failed for first bank, there is a greater chance that it will fail for other consequent banks as well.

     

    So, Load balancing configuration is recommended.

    Here ,

    cadir-01, cadir-01-alias1,cadir-01-alias2 all points to the same underlying LDAP server.

     

     

    Please let me know if any questions.

     

    Regards,

    Ujwol



  • 3.  Re: How to configure LDAP banks

    Posted 11-10-2016 10:54 AM

    Hi Ujwol, Great info on LDAP banks.

    We seem to be running into occasional idle timeout connection issue with our LDAP. Now if I create 3LDAP banks with same server as mentioned above, then I will have 9 connections. Does it mean I have chances of 9 idle connections depending on the usage.

    For a setup that sees occasional idle timeouts, is it even worth considering LDAP Banks? I have an active issue that I am currently working on, I see re-bind attempts from a thread which was actively LDAP operation 20 seconds ago.

    Thanks.



  • 4.  Re: How to configure LDAP banks

    Posted 11-10-2016 11:04 AM

    Hi Anil,


    Yes, if you have 3 ldap banks you will have 9 connections.


    As I explained in the other thread, the 3 PING (one for each bank) connections can not idle out as it polls LDAP server periodically, but for remaining 6 connections depending upon it's usage there is a possibility to idle out.


    I wouldn't worry too much of it idling as this doesn't cause any functional issue. As policy server will reestablish the idled out connection anyway. So, apart from those bad looking error in smps.log it isn't doing much harm.


    Cheers,

    Ujwol





  • 5.  Re: How to configure LDAP banks

    Posted 11-10-2016 11:23 AM

    The problem when this idle timeout happens, a simple logon takes close to 30-60 seconds, sometimes causing upstream servers to timeout. While we can increase upstream server timeouts, app team is worried about user experience.

    Is this expected as part of idle-time out issue or it could be something else?



  • 6.  Re: How to configure LDAP banks

    Posted 11-10-2016 11:29 AM

    30-60 seconds is bad. Yes, it should take little longer as it has to re-initialize those connections, including bind but I don't expect it to be that bad.


    Have you verified if the delay is isolated to Policy server side and not on the LDAP side? There is a possibility that LDAP server response to bind request may be slow?



  • 7.  Re: How to configure LDAP banks

    Posted 11-10-2016 11:34 AM

    Exactly, I have an active case with Support on this , while I dont have Fiddler or TCP dump(as this happens occasionally) I have all other SPS/Policy server traces. How can I verfiy LDAP connections are taking longer? Any pointers to that. We cant enable extensive tracing on LDAP as it handles millions of transactions from thousands of systems.



  • 8.  Re: How to configure LDAP banks

    Posted 11-10-2016 11:42 AM

    TCP dump is the best. May be you can perform ldapsearch (which does ldap bind) and capture server response time using TCP dump?But again if the issue is intermittent this may not be able to capture.


    PS trace log also should give indication of delays from LDAP side. Look at the report (Trace analysis report) related to LDAP request wait time and LDAP Bank wait time.


    (Ah , again we ended up deviating from thread topic , may be let's spin off this discussion into new thread as well Anil)



  • 9.  Re: How to configure LDAP banks

    Posted 11-10-2016 12:37 PM

    Thanks a lot Ujwol for this thread and the detailed explanation!!

     

    So, creating 2-3 LDAP banks for the same directory server in load balancing mode and making a hostfile entry in the policy server system, will help in managing thousands(9 connections for 1 directory with 4096 max-user setting) of active user sessions to the directory?

    In our environment, we have 2 user stores(in multi-write replication, DISP recovery) configured in failover mode with the policy servers. In the recent past, we have faced some errors in policy server logs where-in the dsa's were up and running but still policy server was not able to communicate with it. Also, in this scenario, the failover also didn't worked, i.e, the request for user search didn't got transferred to the other LDAP server.

    As per CA recommendation, we increased the max-user value at dsa level and so far have not faced the issue again.

     

    But, will having multiple LDAP banks for each of the above servers help in the overall login(authentication by LDAP specially) performance?

     

    Regards,

    Aditi



  • 10.  Re: How to configure LDAP banks

    Posted 11-10-2016 01:19 PM

    Yes, Aditi. Having more LDAP banks definitely helps in case of large concurrent request.



  • 11.  Re: How to configure LDAP banks

    Posted 11-12-2016 12:37 PM

    Thanks Ujwol for the update, I will cross-check it in our environment and will update this thread in case of further queries!



  • 12.  Re: How to configure LDAP banks

    Posted 11-25-2016 01:00 PM

    Hello Ujwol,

     

    We have Identity Minder integrated with SiteMinder. In this case, if I am creating such LDAP banks in SM AdminUI and the same directory is in use by Identity Minder, will it change the configuration of directory in IM mgmt console as well?

     

    Also, if we have multiple policy servers in our environment using same policy store then, the hostfile entry for the above LDAP banks will be done at policy store system or each policy server system?

     

    Regards,

    Aditi



  • 13.  Re: How to configure LDAP banks

    Posted 11-25-2016 03:29 PM

    No , it won't change config on IM.


    The host file changes goes to each Policy server from where LDAP connection are made.



  • 14.  Re: How to configure LDAP banks

    Posted 11-29-2016 02:11 AM

    Hello Ujwol,

     

    We have 2 user stores and I have created one LDAP alias for each user store.

    How I can check if these are sufficient for my environment and number of concurrent binds/connections created now by each policy server?

    max-users set to 4096 in dsa and idle-user-bind set to default 3600.

    Will it be calculated like:

    4096*3(no. of binds created by Policy server)*4(total number of LDAP banks: 2 user stores and 2 alias)?

     

    Regards,

    Aditi



  • 15.  Re: How to configure LDAP banks

    Posted 11-29-2016 05:11 AM

    There is no formula to calculate the optimum number of ldap banks.


    It depends upon the max concurrent load that you expect, the processing speed of the policy server OS etc among other factors.


    Best way to identify if you have sufficient LDAP banks is to collect ps trace logs during peak load and run trace analysis report to check if it LDAPwait time is high during peak load. If LDAPwait time is high it means that the normal priority thread has to wait longer to get LDAP banks connection. This is when you increase LDAP banks and run the report again to see if that improves.


    You may need to do couple of iterations to identify what suita best for you.





  • 16.  Re: How to configure LDAP banks

    Posted 05-10-2017 02:29 AM

    Hi Ujwol,

     

    How do we define no. of connection with each LDAP bank?

    Also, what is the significance of creating 3 different groups with same server?



  • 17.  Re: How to configure LDAP banks

    Posted 05-10-2017 02:45 AM

    Hi Ashish,

     

    Please find my response below :

     

    Q. How do we define no. of connection with each LDAP bank?

    A. There is a fixed 3 connection created per LDAP bank and is not configurable. These connections are :

     

    • PING Connection : The PING connection is used to check the health of the LDAP server periodically. One PING thread is created per each LDAP Failover group.
      PING's thread ping connections send the following query every 30 seconds to test that the LDAP server is up and listening on the LDAP port
      SRC base="<root object>" scope=0 filter="(objectclass=*)"
    • Search/Directory Connection: The  "dir" connection is the LDAP connection used to search the directory instance (binds always as anonymous or as the credentials given in the User Directory Object)
    • User Connection : “user" connection is the LDAP connection used to bind to the directory instance (binds first as anonymous or as the credentials given in the User Directory Object, then the connection is reused to bind
      with the credentials of the authenticating user
      Also, what is the significance of creating 3 different groups with same server?

     

    Q. What is the significance of creating 3 different groups with same server?

    A. The purpose of creating multiple LDAP group (LDAP Bank ) is to actually increase the number of available LDAP connection to these servers. This will help specially during high load where there are multiple simultaneous LDAP requests.

     

    Regards,

    Ujwol 



  • 18.  Re: How to configure LDAP banks

    Posted 05-11-2017 03:10 AM

    Thanks Ujwol,

     

    What is the significance of creating 3 different groups with same server?

    A. The purpose of creating multiple LDAP group (LDAP Bank ) is to actually increase the number of available LDAP connection to these servers. This will help specially during high load where there are multiple simultaneous LDAP requests.

     

    Que: Configuring same LDAP Bank in three group then it will create 9 connection with that LDAP Bank:

             3 for Ping server

             3 for User Connection

             3 for Dir connection

    Please confirm above. 

     

    Also, Is it possible that this kind of configuration will lead to Performance issues? If so, kindly let us know the CA recommended no. of groups (For same LDAP Bank) that we can configure in order to minimize performance issue. 

     

    Thanks

    Ashish



  • 19.  Re: How to configure LDAP banks

    Posted 05-11-2017 03:18 AM

    That's correct. Total no of connections = 3* No of LDAP banks.

    The purpose of increasing banks is to improve the LDAP connections.

    There is no formula or recommended value for how many banks is sufficient, as it depends on various factors such as user load, cpu , LDAP response times etc..

     

    You should play around with it. Compare the throughput/response times when you increase LDAP banks with different level of user load, to arrive at the optimal value.