Symantec Access Management

Tech Tip : CA Single Sign-On : Policy Server :: LDAP Server Status : Modify the ldap ping process


    Posted 05-25-2018 06:55 AM

    Question:


    We're running Policy Server, and when a backend LDAP Server is down,
    the Policy Server marks it down and tries to check its status again
    some time later. We'd like to know if this behavior is configurable,
    so as to make the Policy Server check the LDAP server status only 10
    minutes later, then check it for 2 minutes, and then wait another 10
    minutes before checking its status again.


    Answer:


    As long as the LDAP server is in the configuration, the Policy Server
    will check its availability every 30 seconds:


    1. PING Connection: The PING connection is used to check the health
    of the LDAP server periodically. One PING thread is created per
    LDAP Failover group.

    The PING thread's ping connections send the following query every 30
    seconds to test that the LDAP server is up and listening on the
    LDAP port:

    SRC base="<root object>" scope=0 filter="(objectclass=*)"


    https://comm.support.ca.com/kb/policy-server-hung-if-ldap-user-directory-is-unresponsiveslowly-performing/kb000005184
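    As an added illustration (not code from the KB article or from CA/Symantec), the following Python model shows what the PING thread described above does: one scheduler per failover group, a base-object search (scope 0, filter `(objectclass=*)`) against each server every 30 seconds, and an up/down mark that flips when the answer changes. The probe is injectable, so the scheduling and state logic can be exercised offline with constructed results; `probe_ldap` shows how a real probe would be wired with the third-party `ldap3` library (an assumption, not run here). The class and function names are my own.

```python
"""
Added example: a model of the Policy Server LDAP PING thread.
One pinger per failover group; each server gets a base-object search
every PING_INTERVAL_SECONDS and is marked up or down by the answer.
Equivalent hand check: ldapsearch -s base -b "" "(objectclass=*)"
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

PING_INTERVAL_SECONDS = 30       # interval stated in the article
PING_BASE = ""                   # "<root object>": the root DSE
PING_SCOPE = 0                   # scope=0, i.e. a base-object search
PING_FILTER = "(objectclass=*)"  # filter stated in the article


@dataclass
class ServerState:
    host: str
    up: bool = True                       # servers start as available
    last_checked: Optional[float] = None  # seconds; None = never probed
    transitions: List[str] = field(default_factory=list)


class FailoverGroupPinger:
    """Models the single PING thread that serves one LDAP failover group."""

    def __init__(self, hosts: List[str], probe: Callable[[str], bool],
                 interval: float = PING_INTERVAL_SECONDS):
        self.servers: Dict[str, ServerState] = {h: ServerState(h) for h in hosts}
        self.probe = probe          # returns True when the server answered
        self.interval = interval

    def tick(self, now: float) -> List[str]:
        """One scheduler pass at time `now`; returns the hosts probed."""
        probed = []
        for s in self.servers.values():
            due = s.last_checked is None or now - s.last_checked >= self.interval
            if not due:
                continue
            alive = self.probe(s.host)
            s.last_checked = now
            if alive != s.up:          # record every DOWN/UP flip with its time
                s.transitions.append(f"{now:.0f}s {s.host} {'UP' if alive else 'DOWN'}")
                s.up = alive
            probed.append(s.host)
        return probed

    def available(self) -> List[str]:
        """Hosts the Policy Server would currently route to."""
        return [h for h, s in self.servers.items() if s.up]


def probe_ldap(host: str, port: int = 389, timeout: float = 5.0) -> bool:
    """Real probe using ldap3 (assumed installed; not called in the demo).
    Anonymous bind plus the same root-DSE base search the article quotes."""
    from ldap3 import BASE, Connection, Server
    try:
        conn = Connection(Server(host, port=port, connect_timeout=timeout),
                          auto_bind=True)
        ok = conn.search(PING_BASE, PING_FILTER, search_scope=BASE)
        conn.unbind()
        return ok
    except Exception:
        return False


def simulate(outcomes: Dict[str, List[bool]], steps: int = 4) -> FailoverGroupPinger:
    """Constructed offline run: each host answers according to its scripted
    list of results (the last value repeats once the list is exhausted)."""
    counters = {h: 0 for h in outcomes}

    def scripted(host: str) -> bool:
        i = counters[host]
        counters[host] += 1
        seq = outcomes[host]
        return seq[min(i, len(seq) - 1)]

    pinger = FailoverGroupPinger(list(outcomes), scripted)
    for step in range(steps):
        pinger.tick(step * PING_INTERVAL_SECONDS)
    return pinger


if __name__ == "__main__":
    # Constructed scenario: ldap1 stops answering on the third ping, recovers on the fourth.
    p = simulate({"ldap1": [True, True, False, True], "ldap2": [True]})
    for s in p.servers.values():
        print(s.host, "UP" if s.up else "DOWN", s.transitions)
    print("routable:", p.available())
```

Run the block directly to see the constructed scenario: `ldap1` is marked DOWN at the 60 s ping and UP again at 90 s, while `ldap2` never leaves the available list. The interval is a constructor argument only so the model can be studied; in the product it is fixed at 30 seconds, as the answer states.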


    Unfortunately, this behavior cannot be changed, and we invite you to open
    an Idea on the Security page to get it implemented.


    1. Go to the CA Security Overview Page:
    https://communities.ca.com/community/ca-security/ca-single-sign-on
    2. Click on the "Actions" drop-down menu and select "Create an
    idea."
    3. Give your idea a title and detailed description to encourage
    voting.
    4. Publish and vote on your idea!


    Additional Information:


    Further info about the LDAP Ping process:

    Siteminder LDAP Ping thread Search Query Change
    https://communities.ca.com/thread/241779867-siteminder-ldap-ping-thread-search-query-change

    Configure the LDAP Ping Timeout for the Policy Store, Session Store, and All User Directories
    https://docops.ca.com/ca-single-sign-on/12-52-sp1/en/configuring/policy-server-configuration/configure-policy-server-data-storage-options/configure-ldap-storage-options


    KB : KB000098073