Symantec Access Management

  • 1.  Number of LDAP Connections from Policy Server

    Posted Aug 14, 2014 11:42 AM

    Experts,

    Is there any static number of connections that will be made from the Policy Server to my LDAP server? For example, I am using 6 user directories and all are pointing to a single LDAP server. When I check using netstat on the Policy Server, I see 9 connections to the LDAP server. This number is the same on another Policy Server too.

    Is there any configuration setting which defines this number of connections from the Policy Server?

    Thanks in advance

    Selva



  • 2.  Re: Number of LDAP Connections from Policy Server
    Best Answer

    Posted Aug 14, 2014 12:22 PM

    When you configure a User Directory object in the SiteMinder WAMUI, SiteMinder creates three and only three TCP/IP connections to each server listed in the User Directory policy store object. One connection is used only to make bind requests for authentication purposes (to validate user passwords), one is used only for searches, and one is used only as a heartbeat connection to sense whether the LDAP server is alive or not.

    You can control how many different replicas of the user directory SiteMinder connects to and sends requests to, but there is no setting to increase the number of bind and search connections that are opened by SiteMinder to each server.

    However, there is a trick you can use to increase the number of connections to an individual server. If in the User Directory object you reference the same server hostname or IP multiple times, then SiteMinder will open multiple sets of connections to the same server. However, there is a side effect in that if an LDAP server goes down, SiteMinder will wait for the connection time-out period multiple times, thus causing a temporary performance issue. So I think the general recommendation is to list the same server no more than three times. So if you have two LDAP servers that are replicas, and you list each hostname/IP address three times, SiteMinder will have six sets of connections open, three to each LDAP server, so each LDAP server can be simultaneously processing three different requests (searches or binds) from SiteMinder. Creating three sets of connections to each LDAP server can significantly increase the overall performance of SiteMinder because SiteMinder performance is highly dependent on the performance of the LDAP requests that it makes.
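
A quick way to do the netstat check described in the question and compare the result against the three-connections-per-listed-server rule from this reply. This is an added example, not part of the original thread and not SiteMinder's own tooling; it assumes the Linux `netstat -an` column layout and LDAP on ports 389/636, and the sample listing it parses is constructed.

```shell
#!/bin/sh
# Added example for this thread (not from the original posts or from SiteMinder):
# count ESTABLISHED TCP connections from the Policy Server to each LDAP endpoint
# in a `netstat -an` listing and compare with the "three per listed server" rule.
# Assumptions: Linux netstat column order (Proto Recv-Q Send-Q Local Foreign State)
# and LDAP on 389 (plain) or 636 (LDAPS). The sample listing below is constructed.

LDAP_PORTS="389|636"   # assumption: adjust if your directory listens elsewhere

# count_ldap_conns: read netstat lines on stdin, print "<host:port> <count>"
# for every LDAP endpoint that has ESTABLISHED sockets, one endpoint per line.
count_ldap_conns() {
    awk -v ports="$LDAP_PORTS" '
        BEGIN { re = "^(" ports ")$" }
        $1 ~ /^tcp/ && $6 == "ESTABLISHED" {
            n = split($5, a, ":")       # foreign address is host:port; last piece is the port
            if (a[n] ~ re) c[$5]++
        }
        END { for (k in c) print k, c[k] }
    ' | sort
}

# expected_conns: number of times the server is listed across User Directory
# objects multiplied by the three connections per listing (bind, search, heartbeat).
expected_conns() {
    echo $(( $1 * 3 ))
}

# compare_count: "ok" when the observed count for one endpoint equals the
# expected count for the number of times it is listed, otherwise "mismatch".
compare_count() {   # $1 = observed connections, $2 = times the server is listed
    if [ "$1" -eq "$(expected_conns "$2")" ]; then
        echo ok
    else
        echo mismatch
    fi
}

# Constructed sample: nine sockets to one LDAP server (as in the question),
# one to an LDAPS replica, plus unrelated traffic that must be ignored.
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 10.0.0.5:44001          10.0.0.20:389           ESTABLISHED
tcp        0      0 10.0.0.5:44002          10.0.0.20:389           ESTABLISHED
tcp        0      0 10.0.0.5:44003          10.0.0.20:389           ESTABLISHED
tcp        0      0 10.0.0.5:44004          10.0.0.20:389           ESTABLISHED
tcp        0      0 10.0.0.5:44005          10.0.0.20:389           ESTABLISHED
tcp        0      0 10.0.0.5:44006          10.0.0.20:389           ESTABLISHED
tcp        0      0 10.0.0.5:44007          10.0.0.20:389           ESTABLISHED
tcp        0      0 10.0.0.5:44008          10.0.0.20:389           ESTABLISHED
tcp        0      0 10.0.0.5:44009          10.0.0.20:389           ESTABLISHED
tcp        0      0 10.0.0.5:44010          10.0.0.30:636           ESTABLISHED
tcp        0      0 10.0.0.5:44011          10.0.0.30:636           TIME_WAIT
tcp        0      0 10.0.0.5:44012          10.0.0.40:44443         ESTABLISHED
tcp        0      0 0.0.0.0:44443           0.0.0.0:*               LISTEN'

# On a real Policy Server host: netstat -an | count_ldap_conns
printf '%s\n' "$SAMPLE_NETSTAT" | count_ldap_conns
```

Only ESTABLISHED sockets are counted, so TIME_WAIT leftovers from closed connections and the Policy Server's own listener do not inflate the figure; a count that is not a multiple of three for a given endpoint is the first thing to look at before assuming a configuration setting is missing.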



  • 3.  Re: Number of LDAP Connections from Policy Server

    Posted Aug 14, 2014 10:00 PM

    Thanks Rick. In my setup, I have configured 6 different User Directory objects, and the same LDAP server is mentioned once in each object. When I do netstat or check the connections at the LDAP server, it shows a total of 9 connections from the Policy Server.

    I also have a failover Policy Server which has opened only 3 connections (though it has 6 User Directories). Do these connections get established as soon as I start the Policy Server, or only when a request is made to the LDAP server?

    Thank you

    Selva



  • 4.  Re: Number of LDAP Connections from Policy Server

    Posted Aug 15, 2014 10:05 AM

    You should not have the same LDAP server listed in more than one User Directory Object (UDO). That will hurt performance, not help performance. A UDO will only be used if you add it to a Policy Domain or Application (PD/A). To make use of multiple UDOs, you must add more than one UDO to the PD/A. Then within a PD/A, during authentication SiteMinder will always choose the first UDO to try to locate the user's account, and it will ONLY access other UDOs if the account is not found in the first UDO. Thus if the UDOs point to LDAP servers containing the same set of accounts, it is guaranteed that the UDO listed first will always be the one that accounts are located in, and the others will only be searched if a user mistypes their login ID, and those searches will be wasted time since it is guaranteed that the searches will fail in each of the subsequent UDOs.

    So if you only have one set of accounts, that is one LDAP directory (but possibly instantiated on multiple replicas), you should only have one UDO. But like I said above, in that one UDO the same LDAP directory can be referenced more than once in a load-balancing relationship to gain some performance improvement.

    To answer your question about when connections get established, I don't really know for sure; I have never researched the topic. The smart approach would be to establish connections at startup, but only for directories that are in a UDO that has been assigned to a PD/A.



  • 5.  Re: Number of LDAP Connections from Policy Server

    Posted Aug 15, 2014 11:03 AM

    Thanks Rick