Symantec Access Management


How to configure LDAP banks

  • 1.  How to configure LDAP banks

    Posted Nov 10, 2016 04:07 AM

    Creating this on behalf of Aditi Tyagi

    Hello Ujwol,

     

    Sorry to ask another basic query, but where to configure these additional LDAP banks?

    Is it to be done while creating a user directory in Admin UI?

    If yes, what is a better approach: failover or load-balancing for multiple connections to the same LDAP server?

     

    Thanks in advance!



  • 2.  Re: How to configure LDAP banks
    Best Answer

    Posted Nov 10, 2016 04:10 AM

    Hi Aditi,

     

    There is no point in having a Failover configuration if the underlying LDAP server is the same.

    The reason being that if it fails for the first bank, there is a greater chance that it will fail for the other consequent banks as well.

     

    So, a Load balancing configuration is recommended.

    Here, cadir-01, cadir-01-alias1 and cadir-01-alias2 all point to the same underlying LDAP server.

     

     

    Please let me know if any questions.

     

    Regards,

    Ujwol



  • 3.  Re: How to configure LDAP banks

    Posted Nov 10, 2016 10:54 AM

    Hi Ujwol, Great info on LDAP banks.

    We seem to be running into an occasional idle timeout connection issue with our LDAP. Now if I create 3 LDAP banks with the same server as mentioned above, then I will have 9 connections. Does it mean I have chances of 9 idle connections depending on the usage?

    For a setup that sees occasional idle timeouts, is it even worth considering LDAP Banks? I have an active issue that I am currently working on; I see re-bind attempts from a thread which was actively doing an LDAP operation 20 seconds ago.

    Thanks.



  • 4.  Re: How to configure LDAP banks

    Posted Nov 10, 2016 11:04 AM

    Hi Anil,


    Yes, if you have 3 ldap banks you will have 9 connections.


    As I explained in the other thread, the 3 PING connections (one for each bank) cannot idle out as they poll the LDAP server periodically, but for the remaining 6 connections, depending upon their usage, there is a possibility to idle out.


    I wouldn't worry too much about it idling as this doesn't cause any functional issue, as the policy server will reestablish the idled-out connection anyway. So, apart from those bad-looking errors in smps.log it isn't doing much harm.


    Cheers,

    Ujwol





  • 5.  Re: How to configure LDAP banks

    Posted Nov 10, 2016 11:23 AM

    The problem is, when this idle timeout happens, a simple logon takes close to 30-60 seconds, sometimes causing upstream servers to time out. While we can increase upstream server timeouts, the app team is worried about user experience.

    Is this expected as part of the idle-timeout issue or could it be something else?



  • 6.  Re: How to configure LDAP banks

    Posted Nov 10, 2016 11:29 AM

    30-60 seconds is bad. Yes, it should take a little longer as it has to re-initialize those connections, including bind, but I don't expect it to be that bad.


    Have you verified if the delay is isolated to the Policy server side and not on the LDAP side? There is a possibility that the LDAP server's response to the bind request may be slow.



  • 7.  Re: How to configure LDAP banks

    Posted Nov 10, 2016 11:34 AM

    Exactly, I have an active case with Support on this. While I don't have Fiddler or TCP dump (as this happens occasionally), I have all other SPS/Policy server traces. How can I verify LDAP connections are taking longer? Any pointers to that? We can't enable extensive tracing on LDAP as it handles millions of transactions from thousands of systems.



  • 8.  Re: How to configure LDAP banks

    Posted Nov 10, 2016 11:42 AM

    TCP dump is the best. Maybe you can perform ldapsearch (which does an ldap bind) and capture the server response time using TCP dump? But again, if the issue is intermittent this may not be able to capture it.


    The PS trace log should also give an indication of delays from the LDAP side. Look at the report (Trace analysis report) related to LDAP request wait time and LDAP Bank wait time.


    (Ah, again we ended up deviating from the thread topic; maybe let's spin off this discussion into a new thread as well, Anil)



  • 9.  Re: How to configure LDAP banks

    Posted Nov 10, 2016 12:37 PM

    Thanks a lot Ujwol for this thread and the detailed explanation!!

     

    So, creating 2-3 LDAP banks for the same directory server in load balancing mode and making a hostfile entry in the policy server system will help in managing thousands (9 connections for 1 directory with the 4096 max-user setting) of active user sessions to the directory?

    In our environment, we have 2 user stores (in multi-write replication, DISP recovery) configured in failover mode with the policy servers. In the recent past, we have faced some errors in policy server logs wherein the DSAs were up and running but still the policy server was not able to communicate with them. Also, in this scenario, the failover also didn't work, i.e., the request for user search didn't get transferred to the other LDAP server.

    As per CA recommendation, we increased the max-user value at the DSA level and so far have not faced the issue again.

     

    But, will having multiple LDAP banks for each of the above servers help in the overall login(authentication by LDAP specially) performance?

     

    Regards,

    Aditi



  • 10.  Re: How to configure LDAP banks

    Posted Nov 10, 2016 01:19 PM

    Yes, Aditi. Having more LDAP banks definitely helps in case of large numbers of concurrent requests.



  • 11.  Re: How to configure LDAP banks

    Posted Nov 12, 2016 12:37 PM

    Thanks Ujwol for the update, I will cross-check it in our environment and will update this thread in case of further queries!



  • 12.  Re: How to configure LDAP banks

    Posted Nov 25, 2016 01:00 PM

    Hello Ujwol,

     

    We have Identity Minder integrated with SiteMinder. In this case, if I am creating such LDAP banks in SM AdminUI and the same directory is in use by Identity Minder, will it change the configuration of directory in IM mgmt console as well?

     

    Also, if we have multiple policy servers in our environment using same policy store then, the hostfile entry for the above LDAP banks will be done at policy store system or each policy server system?

     

    Regards,

    Aditi



  • 13.  Re: How to configure LDAP banks

    Posted Nov 25, 2016 03:29 PM

    No, it won't change the config on IM.


    The host file changes go to each Policy server from where LDAP connections are made.



  • 14.  Re: How to configure LDAP banks

    Posted Nov 29, 2016 02:11 AM

    Hello Ujwol,

     

    We have 2 user stores and I have created one LDAP alias for each user store.

    How can I check if these are sufficient for my environment and the number of concurrent binds/connections created now by each policy server?

    max-users is set to 4096 in the DSA and idle-user-bind is set to the default 3600.

    Will it be calculated like:

    4096 * 3 (no. of binds created by Policy server) * 4 (total number of LDAP banks: 2 user stores and 2 aliases)?

     

    Regards,

    Aditi



  • 15.  Re: How to configure LDAP banks

    Posted Nov 29, 2016 05:11 AM

    There is no formula to calculate the optimum number of ldap banks.


    It depends upon the max concurrent load that you expect, the processing speed of the policy server OS, etc., among other factors.


    The best way to identify if you have sufficient LDAP banks is to collect ps trace logs during peak load and run the trace analysis report to check if the LDAP wait time is high during peak load. If the LDAP wait time is high it means that the normal priority thread has to wait longer to get an LDAP bank connection. This is when you increase LDAP banks and run the report again to see if that improves.


    You may need to do a couple of iterations to identify what suits best for you.





  • 16.  Re: How to configure LDAP banks

    Posted May 10, 2017 02:29 AM

    Hi Ujwol,

     

    How do we define the no. of connections with each LDAP bank?

    Also, what is the significance of creating 3 different groups with the same server?



  • 17.  Re: How to configure LDAP banks

    Posted May 10, 2017 02:45 AM

    Hi Ashish,

     

    Please find my response below:

     

    Q. How do we define the no. of connections with each LDAP bank?

    A. There are a fixed 3 connections created per LDAP bank and this is not configurable. These connections are:

     

    • PING Connection: The PING connection is used to check the health of the LDAP server periodically. One PING thread is created per each LDAP Failover group.
      The PING thread's ping connections send the following query every 30 seconds to test that the LDAP server is up and listening on the LDAP port:
      SRC base="<root object>" scope=0 filter="(objectclass=*)"
    • Search/Directory Connection: The "dir" connection is the LDAP connection used to search the directory instance (binds always as anonymous or as the credentials given in the User Directory Object).
    • User Connection: The "user" connection is the LDAP connection used to bind to the directory instance (binds first as anonymous or as the credentials given in the User Directory Object, then the connection is reused to bind
      with the credentials of the authenticating user).

     

    Q. What is the significance of creating 3 different groups with the same server?

    A. The purpose of creating multiple LDAP groups (LDAP Banks) is to actually increase the number of available LDAP connections to these servers. This will help especially during high load where there are multiple simultaneous LDAP requests.

     

    Regards,

    Ujwol 



  • 18.  Re: How to configure LDAP banks

    Posted May 11, 2017 03:10 AM

    Thanks Ujwol,

     

    What is the significance of creating 3 different groups with the same server?

    A. The purpose of creating multiple LDAP groups (LDAP Banks) is to actually increase the number of available LDAP connections to these servers. This will help especially during high load where there are multiple simultaneous LDAP requests.

     

    Que: Configuring the same LDAP Bank in three groups will create 9 connections with that LDAP Bank:

    • 3 for Ping server

    • 3 for User Connection

    • 3 for Dir connection

    Please confirm the above.

     

    Also, is it possible that this kind of configuration will lead to performance issues? If so, kindly let us know the CA recommended no. of groups (for the same LDAP Bank) that we can configure in order to minimize performance issues.

     

    Thanks

    Ashish



  • 19.  Re: How to configure LDAP banks

    Posted May 11, 2017 03:18 AM

    That's correct. Total no. of connections = 3 * No. of LDAP banks.

    The purpose of increasing banks is to improve the LDAP connections.

    There is no formula or recommended value for how many banks are sufficient, as it depends on various factors such as user load, CPU, LDAP response times, etc.

     

    You should play around with it. Compare the throughput/response times when you increase LDAP banks with different levels of user load, to arrive at the optimal value.
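The connection model the thread settles on (posts 4, 17 and 19: a fixed three connections per bank, one of which is the PING connection that never idles; post 13: the hosts-file alias entries must exist on every policy server) can be checked before touching a production policy server. The script below is an added example, not code from the thread or from CA/Symantec: it parses a constructed hosts file, verifies that every alias used for a directory's extra banks resolves to one address (the precondition for choosing load balancing over failover in post 2), and computes the per-policy-server and fleet-wide connection footprint so it can be compared with the DSA's max-users limit. All host names, addresses and counts are constructed for illustration; the 3600 idle-user-bind and 4096 max-users values are only those quoted in the thread.

```python
"""Added example (not from the thread or from CA/Symantec).

Models the LDAP bank connection footprint described in the thread and
checks that hosts-file aliases used for extra banks point at one server.
Host names and addresses below are constructed for illustration.
"""

# Fixed connection set per LDAP bank, as stated in the thread:
# one PING (polls every 30 s, never idles), one "dir", one "user".
CONNECTIONS_PER_BANK = 3
IDLE_CAPABLE_PER_BANK = 2   # dir + user may idle out; PING keeps polling

# Constructed /etc/hosts content as it might look on one policy server.
# cadir-02-alias2 is deliberately wrong so the alias check has something to catch.
SAMPLE_HOSTS = """\
# constructed sample, not a real hosts file
10.0.0.15   cadir-01 cadir-01-alias1 cadir-01-alias2
10.0.0.16   cadir-02 cadir-02-alias1
10.0.0.17   cadir-02-alias2   # misconfigured alias: different address
"""

# Constructed bank layout: directory -> host names used by its LDAP banks.
SAMPLE_BANKS = {
    "cadir-01": ["cadir-01", "cadir-01-alias1", "cadir-01-alias2"],
    "cadir-02": ["cadir-02", "cadir-02-alias1", "cadir-02-alias2"],
}


def parse_hosts(text):
    """Return {hostname: ip} from hosts-file text, ignoring comments and blanks."""
    mapping = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        for name in names:
            mapping[name] = ip
    return mapping


def check_bank_aliases(hosts, banks):
    """For each directory, verify all bank aliases resolve to exactly one IP.

    Returns {directory: (ok, set_of_ips_seen)}; a missing alias shows up as None.
    """
    result = {}
    for directory, aliases in banks.items():
        ips = {hosts.get(alias) for alias in aliases}
        result[directory] = (len(ips) == 1 and None not in ips, ips)
    return result


def connection_footprint(bank_count, policy_servers=1):
    """Connections opened per policy server and fleet-wide (3 per bank)."""
    per_server = CONNECTIONS_PER_BANK * bank_count
    return {
        "per_policy_server": per_server,
        "ping_per_policy_server": bank_count,
        "idle_capable_per_policy_server": IDLE_CAPABLE_PER_BANK * bank_count,
        "total": per_server * policy_servers,
    }


def fits_max_users(bank_count, policy_servers, max_users):
    """True if every policy server's banks fit inside the DSA max-users limit."""
    return connection_footprint(bank_count, policy_servers)["total"] <= max_users


def hosts_line(directory_ip, base_name, alias_count):
    """Hosts-file line to replicate on every policy server (hypothetical helper)."""
    names = [base_name] + [f"{base_name}-alias{i}" for i in range(1, alias_count + 1)]
    return f"{directory_ip}   {' '.join(names)}"


if __name__ == "__main__":
    hosts = parse_hosts(SAMPLE_HOSTS)
    for directory, (ok, ips) in check_bank_aliases(hosts, SAMPLE_BANKS).items():
        status = "OK" if ok else "MISMATCH"
        print(f"{directory}: {status} {sorted(str(ip) for ip in ips)}")
    # Two policy servers, three banks per directory, 4096 max-users as in the thread.
    print(connection_footprint(3, policy_servers=2))
    print("fits max-users:", fits_max_users(3, 2, 4096))
    print(hosts_line("10.0.0.15", "cadir-01", 2))
```

Run it on a copy of each policy server's hosts file to catch an alias that resolves elsewhere, which would silently turn a load-balanced bank into a connection to a different directory.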