Sun Java System Reference Configuration Series: Portal Service on Application Server Cluster

Implementing Load Balancing for the Directory Service

This task consists of the following procedures:

Procedure: To Configure the Directory Service Load Balancer

This procedure describes how to configure the directory service load balancer (ds.pstest.com at IP address 10.0.2.10). The steps are relatively generic; the details depend on the load balancer you are using.

  1. Populate the load balancer's Hosts Table.

    Add the IP address for ds1.pstest.com and ds2.pstest.com to the load balancer's hosts table.

  2. Populate the load balancer's Real Service Table.

    Add the real services for ds1.pstest.com and ds2.pstest.com. A real service is identified by its IP address and port. Add 10.0.1.1:389 and 10.0.1.2:389.

  3. Populate the load balancer's Service Group Table.

    Add the service group for directory services. The service groups are sets of the real services that you defined in Step 2. The real services in the group must be capable of fulfilling the same type of request. The load balancer will distribute requests among the real services in the service group. When you define the service group for ds.pstest.com, you add the real services that specify the Directory Server instances, 10.0.1.1:389 and 10.0.1.2:389.

  4. Populate the load balancer's Virtual IP Table.

    A virtual service definition includes the outward-facing IP address and the port at which the load balancer accepts requests for a service, as well as the service group that you specified in Step 3, which actually handles the requests. The load balancer will accept requests at the virtual service address and distribute them among the service group. The virtual service definition for the directory service should be ds.pstest.com, with the virtual IP address of 10.0.2.10:389, and with the service group consisting of the computers ds1.pstest.com and ds2.pstest.com.

  5. Configure the load balancer to use Layer-4 (TCP layer) load balancing.

    If you are using a load balancer that supports long, persistent TCP connections, this is the best option. There is no need for stickiness at the directory service load balancer because the TCP connections remain open.

  6. Configure the load balancer with a scheduling type of either least connections or round robin.

    Both scheduling types initially distribute the connections evenly between the Directory Server instances. Both scheduling types keep connections evenly distributed if the connections are restarted.

  7. Configure the health-check settings for the load balancer.

    The recommended settings are specified in Table 3–5.

Procedure: To Configure Directory Server Instances for Load Balancing

Timeout problems can arise when a load balancer (or firewall) is placed between Access Manager and Directory Server, as explained in Setting Connection Timeouts for Access Manager. To prevent such problems, set the idle timeout for the Directory Server connections that are used by Access Manager to a value less than the idle timeout value of the load balancer (or firewall).

To perform this procedure, an amldapuser entry must exist in the directory. However, this entry is not created until you deploy Access Manager, as documented in Implementation Module 2: Access Manager Running on Application Server. You therefore must set the Directory Server idle timeout value after you install and configure Access Manager.

For this reason, the procedure for setting the idle timeout for Directory Server connections used by Access Manager is documented in Module 2.

  1. See the procedure in To Configure the Connection Timeout of the Directory Service.

Procedure: To Verify Directory Service Load Balancing

This procedure assumes that ds-inst-ds1 on ds1 and ds-inst-ds2 on ds2 are running.

  1. Shut down the Directory Server instance on ds1.

    # /opt/SUNWdsee/ds6/bin/dsadm stop /var/opt/SUNWdsee/ds-inst-ds1

  2. Verify that you can access the Directory Server instance on ds2 through the load balancer.

    Run the following command from a computer that can access ds.pstest.com.

    # ldapsearch -b "dc=pstest,dc=com" -h ds.pstest.com -p 389 -D "cn=Directory Manager" "objectClass=*"

    When prompted, type the directory-manager-password.

    A list of object classes currently in the directory is displayed.

  3. Start the Directory Server instance on ds1.

    # /opt/SUNWdsee/ds6/bin/dsadm start /var/opt/SUNWdsee/ds-inst-ds1

  4. Shut down the Directory Server instance on ds2.

    # /opt/SUNWdsee/ds6/bin/dsadm stop /var/opt/SUNWdsee/ds-inst-ds2

  5. Verify that you can access the Directory Server instance on ds1 through the load balancer.

    Run the following command from a computer that can access ds.pstest.com.

    # ldapsearch -b "dc=pstest,dc=com" -h ds.pstest.com -p 389 -D "cn=Directory Manager" "objectClass=*"

    When prompted, type the directory-manager-password.

    A list of object classes currently in the directory is displayed.
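The same check as a scripted probe, added here as an example and not code from the Sun guide: it assumes only the Python standard library and hand-encodes the LDAPv3 messages that the ldapsearch command above sends (simple bind as cn=Directory Manager, subtree search with the filter (objectClass=*), unbind), then counts the entries returned through ds.pstest.com. Because it speaks LDAP rather than only opening a TCP connection, it also shows the difference between the Layer-4 check in Step 5 and an application-level check: a backend that accepts the connection but fails the bind or returns no entries is reported with its LDAP result code.

```python
import socket  # stdlib only; the BER framing of RFC 4511 is hand-rolled below (assumption)

def ber_len(n):                       # short form, or 2-byte long form (enough here)
    return bytes([n]) if n < 0x80 else b"\x82" + n.to_bytes(2, "big")
def tlv(tag, payload):
    return bytes([tag]) + ber_len(len(payload)) + payload

def read_tlv(buf, pos=0):
    """Decode one BER TLV at pos; returns (tag, value, next position)."""
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:                      # long-form length: next k bytes hold it
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + n], pos + n

def bind_request(msg_id, dn, password):
    """Simple bind (APPLICATION 0), like ldapsearch -D dn with a password."""
    op = tlv(0x02, b"\x03") + tlv(0x04, dn.encode()) + tlv(0x80, password.encode())
    return tlv(0x30, tlv(0x02, bytes([msg_id])) + tlv(0x60, op))

def search_request(msg_id, base_dn):
    """Subtree search (APPLICATION 3) with filter (objectClass=*), all attributes."""
    op = (tlv(0x04, base_dn.encode()) + tlv(0x0A, b"\x02") + tlv(0x0A, b"\x00")
          + tlv(0x02, b"\x00") + tlv(0x02, b"\x00") + tlv(0x01, b"\x00")
          + tlv(0x87, b"objectClass") + tlv(0x30, b""))
    return tlv(0x30, tlv(0x02, bytes([msg_id])) + tlv(0x63, op))

def parse_messages(buf):
    """Returns (number of SearchResultEntry messages, list of LDAP result codes)."""
    entries, codes, pos = 0, [], 0
    while pos < len(buf):
        _, msg, pos = read_tlv(buf, pos)
        _, _, p = read_tlv(msg)                 # skip messageID
        op_tag, op, _ = read_tlv(msg, p)
        if op_tag == 0x64:                      # SearchResultEntry
            entries += 1
        elif op_tag in (0x61, 0x65):            # BindResponse / SearchResultDone
            codes.append(read_tlv(op)[1][0])    # resultCode ENUMERATED (0 = success)
    return entries, codes

def probe(host, port, base_dn, dn, password, timeout=5.0):
    """Bind + search through the VIP, then unbind; the server closes the connection.
    Example: probe("ds.pstest.com", 389, "dc=pstest,dc=com", "cn=Directory Manager", pw)"""
    unbind = tlv(0x30, tlv(0x02, b"\x03") + b"\x42\x00")   # UnbindRequest (APPLICATION 2)
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(bind_request(1, dn, password) + search_request(2, base_dn) + unbind)
        buf = b""
        while chunk := s.recv(65536):
            buf += chunk
    return parse_messages(buf)
```

Run probe() once with ds1 stopped and once with ds2 stopped, as in the steps above; a result such as (N, [0, 0]) with the same N both times shows that each instance serves the full tree through the load balancer, while a bind code of 49 or a search code other than 0 points at the instance that the VIP is currently sending traffic to.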